Reputation: 1415
I'm serving static html, and I want them to be sent to the client without the <!-- comment --> comments, as they can compromise security.
Is there any way to do this?
Something similar to Razor's @* comment *@ but for html...
Upvotes: 0
Views: 150
Reputation: 52290
If you are talking about removing the comments from the HTML files themselves, you can of course open them in Notepad and remove the comments manually. But I think you are talking about removing them in real time when the page is sent to the browser. You want the comments to remain in the static files.
If you are running IIS in classic mode, you will not be able to remove the comments in real time with ASP.NET code. But if you are running IIS in integrated pipeline mode, you can hook into the request/response pipeline and postprocess the HTML file, and do whatever you want to it, e.g. in the EndRequest event handler.
Not sure of the specifics of parsing a page and finding the HTML comments to remove them (could be tricky). Looks like someone else asked this question, and there are a couple of answers in there you could explore.
Upvotes: 2
Reputation: 2549
You could write the comments in between Razor's comment tags instead of the html comment tags. Those won't be visible on the front-end.
Besides this, you are printing anything you put in an html file as text (server-side scripts like Razor and PHP excluded). There is no way to take comments out of static html unless you minify them on the server through a tool. But since you state they are static html pages, I'm guessing you aren't using any tools at all?
You could use tools like http://www.willpeavy.com/minifier/ , for example.
The security risks of leaving comments in shouldn't be all that bad. You shouldn't be putting valuable information in HTML comments in the first place. They are nowadays mostly used for showing where an element starts and/or ends for when other programmers take over.
Your javascript is visible on the website as well. Let's say you work with ajax calls and a database. This would create much more risk than some HTML comments. Obviously, you just have to make sure you don't share important information that would cause security issues in client-side comments.
If it is an automated system serving the html and you can remove the comments before giving it out, you could use a function like this:
You could use the Html Agility Pack .NET library. Here is an article that explains how to use it on SO: How to use HTML Agility pack
This is the C# code to remove comments:
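    using System;
    using HtmlAgilityPack;
    HtmlDocument doc = new HtmlDocument();
    doc.Load("yourFile.htm");
    // get all comment nodes using XPath; SelectNodes returns null when nothing matches
    HtmlNodeCollection comments = doc.DocumentNode.SelectNodes("//comment()");
    if (comments != null)
    {
        foreach (HtmlNode comment in comments)
        {
            // Html Agility Pack also reports <!DOCTYPE ...> as a comment node; keep it
            if (comment.OuterHtml.StartsWith("<!DOCTYPE", StringComparison.OrdinalIgnoreCase)) continue;
            comment.ParentNode.RemoveChild(comment);
        }
    }
    doc.Save(Console.Out); // displays doc w/o comments on console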
Source: Removing HTML Comments (You can find lots more options here)
It'll be a simple matter of triggering such a function before saving the html to a static file, or editing the existing file to filter out the comments.
Upvotes: 0
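A pre-deployment filter along the lines the answers describe, as an added example that is not from any of the posters: it uses Python's standard html.parser instead of the Html Agility Pack, drops comment nodes, keeps IE conditional comments and anything inside <script>, and reports dropped comments that match a constructed keyword list. The names CommentStripper, strip_comments, SENSITIVE and SAMPLE are assumptions of this example, and pages containing CDATA sections are out of its scope.

```python
import re
from html.parser import HTMLParser

# Constructed patterns for the audit report; tune them to your own pages.
SENSITIVE = re.compile(r"passw|secret|api[_-]?key|token|todo|fixme|https?://", re.I)

class CommentStripper(HTMLParser):
    """Re-emits every parser event except comments."""

    def __init__(self):
        super().__init__(convert_charrefs=False)  # keep &amp; etc. as written
        self.out, self.findings = [], []

    def handle_comment(self, data):
        if data.startswith("[if "):  # IE conditional comment: functional, keep it
            self.out.append(f"<!--{data}-->")
        elif SENSITIVE.search(data):  # dropped, and reported with its line number
            self.findings.append((self.getpos()[0], data.strip()))
        # any other comment is dropped silently

    def handle_starttag(self, tag, attrs):
        self.out.append(self.get_starttag_text())  # raw tag, attributes untouched
    handle_startendtag = handle_starttag  # <br/>: emit once, no synthetic </br>

    def handle_endtag(self, tag):
        self.out.append(f"</{tag}>")
    def handle_data(self, data):  # text, plus <script>/<style> bodies verbatim
        self.out.append(data)
    def handle_entityref(self, name):
        self.out.append(f"&{name};")
    def handle_charref(self, name):
        self.out.append(f"&#{name};")
    def handle_decl(self, decl):  # <!DOCTYPE html>
        self.out.append(f"<!{decl}>")
    def handle_pi(self, data):
        self.out.append(f"<?{data}>")

def strip_comments(html):
    """Return (html without comments, [(line, text)] of flagged comments)."""
    parser = CommentStripper()
    parser.feed(html)
    parser.close()
    return "".join(parser.out), parser.findings

# Constructed sample page, not taken from the question.
SAMPLE = ('<!DOCTYPE html>\n<body>\n<!-- TODO: drop link to http://staging.example/admin -->\n'
          '<h1>Tom &amp; Jerry</h1><!-- header ends -->\n'
          '<script>var s = "<!-- not markup -->";</script>\n</body>\n')

if __name__ == "__main__":
    print(*strip_comments(SAMPLE), sep="\n")
```

Run it over the deployed copies only, so the commented originals stay in source control, and treat a non-empty findings list as a reason to review what was written in the comments.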