I am rendering page layout inside javascript but I would like to use there some CMS helpers. Rendering works well but helpers doesn't work (I obtained "NaN" instead of text I wanted). How can I add helpers to javascript variable?
var detailsTemplate =
'<table cellspacing="0" cellpadding="0">' +
'<tr>' +
'<th class="info">' +
<%# CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %> +
'</th>' +
'</tr>' +
'<tbody>' +
'{0}' +
'</tbody>' +
'</table>'
Set single quotation marks around the ASP tags:
'<th class="info">' +
'<%# CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %>' +
'</th>'
Look at the code generated and you will see, without the quotes you will have something like '<th>' + foo + '</th>' which will cause your current error. With the quotation marks you will have '<th>' + 'foo' + '</th>' which will run fine.
It works, I just add:
<span runat="server"> <js code..> </span>
and changed helper to (without single quotes):
<%= CMS.GlobalHelper.ResHelper.GetString("ReceiptsList.ProductName") %>
Related
I'm trying to replace a bunch of consecutive
var: $("#var").val()
lines in my JS script with a simple loop in c# like this:
#foreach(var q in myList){
#(q.var + ": $('#" + q.var + "').val()," + Environment.NewLine);
}
But any symbol I try to pass (', \" or "") generates the html entity (&-#39; or &-quot;).
var: $("#var").val()
and JS errors.
With a view only solution, is it possible to fix this?
To have an official answer in this post (or for futur readers) I will put my comment as an answer, which seems to have resolved the issue.
What you should use is Html.Raw to print raw content.
#(q.var + Html.Raw(": $(\"#") + q.var + Html.Raw("\").val(),") + Environment.NewLine);
I would like for C# to detect the variables in my mailbody and replace them with the values each of them already has in my method.
I'm saving my mails in a TEXT datatype in mysql
This is what i save into my Text:
<html>
<h1>
<span style='text-decoration: underline;'>
<strong>Solicitud</strong>
</span>
</h1>
<br/>" + "<body>Blabla" + user.Nombre + " " + user.Apellido + " p<br/>La razón a que: <br />"+ razon+ ".</body>
</html>
I want it to replace user.Nombre user.Apellido and razon which are variables already available in the method
For example if my method has:
user.Nombre = "MATT";
user.Apellido ="CASA";
razon = "why not?";
Then detecting the variables i would have:
<html>
<h1>
<span style='text-decoration: underline;'>
<strong>Solicitud</strong>
</span>
</h1>
<br/>" + "<body>Blabla" + "MATT"+ " " + "CASA" + " p<br/>La razón a que: <br />"+ "Why not?"+ ".</body>
</html>
The problem is making C# detect that the string already has variables inside of it.
If I understand your question correctly, which is pretty hard given then English you have used.
You want to replace a parts of a string you retrieved from a database?
You can perform string replacements like the below example.
string email = emailAsString.Replace("+ user.Nombre +", variable1);
You can read more on this here, if you so wish.
String Replace - https://www.dotnetperls.com/replace
Well searched far and wide in the web, there is a method to compile manually but its highly dangerous so I decided to use String.Format , and the templates of my mails swap the "+ variable +" to {#}
Interpolating a string stored in a database
After retrieving use:
var formatedString= String.Format(string , variables);
I have the following code snippet, but I'm banging my head up against the wall trying to get the errors out of it.
I'm getting the following design time compile errors:
; expected
The name button does not exist in the current context.
Those same two messages also repeat for the DisplayReceipt.
Here is my code snippet being assigned in my code behind for html.
Can somebody please help me out?
Image_ID = "<input id='" + fuelticket.Image_ID + "' type="button" onclick='" + DisplayReceipt(fuelticket.Image_ID)"'>";
You just need to escape the quotes:
Image_ID = "<input id='" + fuelticket.Image_ID + "' type=\"button\" onclick='DisplayReceipt(" + fuelticket.Image_ID + ")'>";
Or use string.Format() to make things a bit cleaner:
Image_ID = string.Format("<input id='{0}' type=\"button\" onclick='DisplayReceipt({0})'>", fuelticket.Image_ID);
To make it work use the below code:
Image_ID = String.Format("<input id=\"{0}\" type=\"button\" onclick=\"{1}\">", fuelticket.Image_ID, DisplayReceipt(fuelticket.Image_ID));
The above looks more clear and optionally you can also use # for the string so you don't have to escape any special characters.
Image_ID = String.Format(#"<input id="{0}" type="button" onclick="DisplayReceipt({0})">", fuelticket.Image_ID));
I have an ajax control that returns user comments. Its served by a c# ajax handler page and the c# matches a timespan that a user can leave in the comments:
commmentToDisplay = Regex.Replace(c.CommentText, timeSpanRegex, "<a href=\'\' onclick=\'alert(\'Flash Required\');\'>" + actualTimeSpan + "</a>");
This produces the following json:
({
"numOfPages":"1",
"pageIndex":"1",
"comments": [
{
"user":"hmladmin",
"created":"29/03/2011 16:41:20",
"id":"1",
"comment":"<a href='' onclick='alert('Flash Required');'>00:00:21</a>",
"editable":"true",
"reportable":"true"
}
]
})
Confusingly when I look at the html in firebug it comes out as:
<a );="" required="" flash="" onclick="alert(" href="">00:00:21</a>
Ive tried:
commmentToDisplay = Regex.Replace(c.CommentText, timeSpanRegex, "<a href=\'\' onclick=\'alert(\"Flash Required\");\'>" + actualTimeSpan + "</a>");
and
commmentToDisplay = Regex.Replace(c.CommentText, timeSpanRegex, "" + actualTimeSpan + "");
And multiple permutations of I just cannot work out how to get the json and c# to return an anchor tag with an alert message in the onclick event.
Can someone help me to work out how I escape this properly so this problem doesnt happen.
The problem is when you create the string of HTML and has nothing to do with JSON:
"<a href=\'\' onclick=\'alert(\'Flash Required\');\'>" + actualTimeSpan + "</a>"
should probably be:
'' + actualTimeSpan + ''
You've got nested single quotes in 'alert('Flash Required');' which won't work. You need to change one set to double-quotes then escape them (\") for JSON. e.g. 'alert(\"Flash Required\");'
I'm using a literal to display some javascript on a product page control. Basically what I'm doing is in my code behind I'm declaring a new stringbuilder, writing the script while inserting some dynamic variables to populate the script then setting the literal text to the stringbuilder. This leaves me open to xss attacks. What can I do to prevent this?
EDIT. Here is an example of the stringbuilder. when the page gets loaded the xss vulnerability occurs right after the javascript is generated.
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
sb.Append("<script type='text/javascript'>");
//add +1 to each item
sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i+1);
sb.Append("\"entity.id=" + _prodID + "\",");
sb.Append("\"entity.categoryId=" + _categoryID + "\",");
sb.Append("\"entity.name=" + _prod.ActiveProductItemCollection[i].Title + "\",");
sb.Append("\"entity.pageURL=" + Request.Url.ToString() + "\",");
//The following value has been taken from the productImageControl code behind.
//Might have to refactor in future as a property of the image control.
string filename = AppSettingsManager.Current.ProductImagePathLarge + _prod.ActiveProductItemCollection[i].Sku
+ AppSettingsManager.Current.ProductImageExtension;
sb.Append("\"entity.thumbnailURL=" + filename + "\",");
sb.Append("\"entity.inventory=" + _prod.ActiveProductItemCollection.Count + "\",");
sb.Append("\"entity.value=" + _prod.ActiveProductItemCollection[i].ActualPrice + "\",");
sb.Append("\"entity.ProductItemID=" + _prod.ActiveProductItemCollection[i].Sku + "\",");
sb.Append("\"entity.addToCartImg=~/Images/Buttons/btn_AddToCartFlat.gif\");<");
//The last line has to be /script. < inserted on prev line. do not change it or bad things will happen.
sb.Append("/script>");
}
this.LiteralMBoxScript.Text = sb.ToString();
You need to properly encode any user-generated data that you're putting into the Javascript.
In ASP.Net 4.0, you can call HttpUtility.JavaScriptStringEncode.
In earlier versions, you can use the Web Protection Library.
To prevent XSS you could HTML encode the value.
Alternately, you could write your javascript to read the user supplied data off of the page. This will result in less javascript code, and a faster page load.
If you are using JQuery for example, you can use the $.Parent() and $.Children() selectors to traverse the DOM to the appropriate form controls to reference information about that particular record in the loop.
Here is a relatively simple sample
function doSomething(context) {
var IDInput = $(context).parent('td').parent('tr').children('td.id').children('.hidden');
//Do something with the value
IDInput.val();
}
This would work with the following html example:
<table>
<tr>
<td><input type="button" onclick="doSomething(this)" value="Do Something"/></td>
<td class="id">Hidden ID Value <input type="hidden" value="1"/></td>
</tr>
<tr>
<td><input type="button" onclick="doSomething(this)" value="Do Something"/></td>
<td class="id">Hidden ID Value <input class="hidden" type="hidden" value="2"/></td>
</tr>
</table>
The advantage of doing it this way is that you no longer have to write javascript functions that take the ID as a parameter, meaning you don't need to dynamically generate the functions on the button, and can load them in the header in a separate JS file.
Well, if it is just your own script being written to the literal, you are no more open to attacks than if you simply included a js file on your site. If on the otherhand your script is interspersed with user supplied data of any kind, then you need to sanitize that data before you write it to the page.
If you are using .NET 4.0, you could output the value using the <%: theText %> syntax.