We have a really big web-application.
About 120.000 lines in total.
In this application the user has plenty possibilities to enter text.
In the user information, folders, groups and so on.
Some of the users want to name different objects like Age < 20.
There was a problem because ASP.NET blocks such input because of the "<" to prevent javascript-injections.
We found a way to shut those safety-mechanisms down but now our application is unsafe.
So the question is:
Is there any setting or property or whatever that can be set global (at one point for the whole application) that the application handles such input as plain text?
So when a user for example wants to name a folder <script>alert("ALERT");</script> it should be named that way and is shown just as <script>alert("ALERT");</script> but the script will not execute.
The same for HTML: if its named Folder<br>One it should look like: Folder<br>One and not like:
Folder
One
Of course i could use HTML-Encode/-Decode but i dont want to go through the whole project and add an Encoding/Decoding wherever an input is made or shown...
Also would a global solution pretent mistakes in the future development.
So again the Question: is there any way to handle every text just as text? And all that as global as possible?
Hope you could understand my problem and know any possibilities.
If you are using JQuery, whenever you set your value to any span or div,
Use:
$('#myDiv').text('<script>alert("a")</script>');
And Don't use:
$('#myDiv').html('<script>alert("a")</script>');
or
$('#myDiv').innerHTML='<script>alert("a")</script>';
if you dont want to use HTML encode decode than try ValidateRequest="false" You can do it like in code bellow:
<%# Page Language="VB" AutoEventWireup="false" CodeFile="Default.aspx.vb" ValidateRequest="false" Inherits="_Default" %>
Another technique you may want to use is as following..
<script>
function Encode() {
var value = (document.getElementById('TextBox1').value);
value = value.replace('<', "<");
value = value.replace('>', ">");
document.getElementById('TextBox1').value = value;
}
</script>
</head>
<body>
<form id="form1" runat="server">
<asp:TextBox ID="TextBox1" runat="server"></asp:TextBox>
<asp:Button ID="Button1" runat="server" Text="Button" OnClientClick="Encode()" />
</form>
Server-Side
protected void Page_Load(object sender, EventArgs e)
{
this.TextBox1.Text = Server.HtmlDecode(this.TextBox1.Text);
}
Related
I am using ASP.NET for a web page in order to make some server calls that involve looking up user organization information. Based on that information, we need to either hide or display a div. In the header I have a C# function that definitely runs. I have tried the following lines to hide the div.
divID.Style.Add("display","none");
and
divID.Visible = false;
In the body, I am currently using an asp:Panel that runs at server and contains the id "divID". No matter what I do, I can't get the div to hide (without manually putting the styling in). I tried putting the scripts before and after the body, and it didn't make a difference. Any suggestions on the best way to do this would be appreciated.
EDIT:
Here is the C# initiating code.
<script runat="server" language="C#">
void getUserInfo(Object sender, EventArgs ev){
The rest of the C# code is irrelevant, but the relevant line shown above is definitely being run.
The HTML portion looks something like this.
<asp:Panel runat="server" id="divID" style="width:200px; height:130px; ">
<div style="text-align:center">Test Data</div>
</asp:Panel>
C# code is always compiled and run from the server-side, and so cannot impact the state of a page once rendered unless you use postbacks or callbacks. If you want to change the visible state of a control on the client-side, you will need to use Javascript on the client side (possibly triggered by a button click) to show and hide the control.
As an example, check out the solution at the link below.
https://forums.asp.net/t/1603211.aspx?Show+hide+div+on+button+click+without+postback
<script type="text/javascript">
function ToggleDiv(Flag) {
if (Flag == "first") {
document.getElementById('dvFirstDiv').style.display = 'block';
document.getElementById('dvSecondDiv').style.display = 'none';
}
else {
document.getElementById('dvFirstDiv').style.display = 'none';
document.getElementById('dvSecondDiv').style.display = 'block';
}
}
</script>
<asp:Button ID="btn" runat="server" Text="Show First Div"
OnClientClick="ToggleDiv('first');return false;" />
<asp:Button ID="Button1" runat="server" Text="Show Second Div"
OnClientClick="ToggleDiv('second');return false;" />
<br />
<div id="dvFirstDiv" style="display: none;">
First Div
</div>
<div id="dvSecondDiv" style="display: none;">
Second Div
</div>
In the header I have a C# function that definitely runs.
If you're talking about the HTML page header - no, it definitely not running. C# code is executed only server side.
Based on your post, I'm assuming we're talking WebForms here and yo have a script block in your aspx file. While this is fine, I recommend placing the server-side code into a code behind file.
So all you need to do is to add a handler for the PreRender phase of the page life cycle and place your logic for showing/hiding the div in there.
public void Page_Prerender(object sender, EventArgs e)
{
divID.Visible = false;
' OR
'divID.Style.Add("display","none");
}
Note that setting the Visible property of a WebForms control excludes the control from rendering to the page, whilst setting display: none renders it as HTML but it isn't displayed on the page.
Try in backcode: divID.Controls.clear();
This worked for me.
I have a asp label that I need to be able to change according to the code behind. How can I do this?
ASPX: (The first part works correctly only for "TestA#abc.com" and the second part dynamically changes the label (EmailLabel) according to the "if" statement in the code behind. How can I integrate these two so the label is mailto? Thanks.
<p>Email at TestA#abc.com.</p>
<p>Email at <asp:Label ID="EmailLabel" runat="server"></asp:Label>.</p>
Code Behind:
public changeLabel()
{
if (//Some Condition Here)
{
this.EmailLabel.Text = "TestA#abc.com";
}
else
{
this.EmailLabel.Text = "TestB#abc.com";
}
}
What you are trying to do there won't work. Label's render out as <span> tags, so it will never be "clickable". You want to do something more like this:
<p>Email at TestA#abc.com.</p>
<p>Email at <asp:LinkButton ID="EmailLabel" runat="server"></asp:LinkButton>.</p>
And then instead of changing the Text property, change the NavigateUrl property.
You could also use an HtmlControl, which is basically a standard HTML tag that you add the runat="server" attribute to.
<p>Email at <a id="EmailLabel" runat="server" href=""></a>.</p>
You would then be able to modify this <a> tag via server side code, the properties will be slightly different, but now you've got a real live anchor tag to work with.
This other SO question might also be helpful: How to launching email client on LinkButton click event?
<html>
<body>
<span id="foo"
onclick="document.getElementById('foo').innerHTML = 'never say never'"
>
Click Me!
</span>
</body>
</html>
For your Label, just remember that .Text is the server equivalent of .innerHTML so you can put whatever HTML you want right into the asp:Label when setting .Text. Just watch out for cross-site-scripting exploits.
In a simple ASP page, TextBox AutoPostBack events will prevent Button click events (except where button is tapped very quickly) and AutoPostBack events for other controls (like ListBox).
There's a similar question here, but I wasn't happy with being forced to use client side or AJAX solutions: Have to click button twice in asp.net (after autopostback textbox)
Example ASPX page:
<%# Page Language="C#" AutoEventWireup="true" CodeFile="temp.aspx.cs" Inherits="temp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
<title>Untitled Page</title>
</head>
<body>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" runat="server" AutoPostBack="True" OnTextChanged="PostBack"></asp:TextBox>
<asp:Button ID="Button1" runat="server" OnClick="PostBack" Text="Button" /><br />
<asp:ListBox ID="ListBox1" runat="server" AutoPostBack="True" OnSelectedIndexChanged="PostBack">
<asp:ListItem>value1</asp:ListItem>
<asp:ListItem>value2</asp:ListItem>
</asp:ListBox><br />
<br />
Events Fired:<br />
<asp:TextBox ID="TextBox2" runat="server" Height="159px" TextMode="MultiLine" Width="338px"></asp:TextBox></div>
</form>
</body>
</html>
C# code behind:
public partial class temp : System.Web.UI.Page
{
protected void PostBack(object sender, System.EventArgs e)
{
this.TextBox2.Text += string.Format("PostBack for - {0}\n", ((System.Web.UI.Control)sender).ID);
}
}
I've been able to partially solve this problem for buttons by using mousedown instead of click events to submit the form (I also blocked extra AutoPostBack events client-side and handled any extra field changes during button click events server side)
However, this means my buttons aren't quite behaving in the standard (click on release) way.
Is there a better solution to this problem that doesn't require trying to do everything in javascript client-side? (I'm writing a lot of code that reads server data during these postbacks, so javascript isn't an ideal solution.)
I'm also trying to avoid switching to an AJAX library for these pages since every new library I add has to go through security auditing etc.
Note: I'm currently working with ASP.Net 2.0/VS 2005, but if this type of problem is fixed in a later release that would be a compelling argument to upgrade. (As far as I understand it, the same problem seems to happen in ASP.Net 4/VS 2010)
The reason to set AutoPostBack="true" on a field (or other input control) is because you want the page to postback when that control's data changes - without requiring that the user click a button. It sounds like that is exactly what is happening: when the field loses focus, the page does a postback.
Perhaps I'm misunderstanding the question? Can you provide some more information about how you need the page/form to behave?
Edit: more info, based on comment from OP.
I think I understand: the "normal" case is they select something from a DropDownList1, and you autopostback to set the values of DropDownList2, based on the selected item in DropDownList1. However, the user may not care about the second list; if they click "search", you want the button-click to essentially abort the autopostback (already in progress), and initiate a new postback.
Unfortunately, I don't think there's any functionality in any version of ASP.NET to "abort" a postback already in progress (not from the client-side code, anyway). Therefore, in order to implement the above behavior, you're going to have to do something outside the standard ASP.NET postback behavior. Here's a few ideas, though by no means is it an exhaustive list:
Use AJAX and JS to retrieve the contents of DropDownList2. If the user clicks search while that ajax call is in progress, the page should postback right away.
Store all possible DropDownList2 data in JSON format in your page; use purely client-side JS to populate List2 when List1 changes. Again, if the user clicks "search", the page will postback right away. Depending on how big the pool of possible List2 entries is, this may bloat the page size too much to be workable.
Use client-side JS to disable your search button when List1 changes selection. The user won't be able to click "search" until the autopostback (to fill List2) completes.
Hope this helps!
To make the client side be more interactive and reduce sending all that viewstate and redrawing the page, I add a little jquery into the mix. It makes things like what you are proposing possible. jquery even ships with the asp.net MVC framework so there is no shame in using it with asp.net.
Here is a simple example that uses jquery that demonstrates what I think you want.
First, in the aspx file, add in a reference to the jquery library. I use the
Google content delivery network so you don't even have add this file to your VS project.
Then take the auto postback references out of all your server controls except the button. I left that one to continue doing a postback because I suspect at some point you want a regular post back, all the other controls use ajax to get your server side response.
I started by using your example page with these modifications:
<%# Page Language="C#" AutoEventWireup="true" CodeBehind="temp.aspx.cs" Inherits="temp" %>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
<title>Untitled Page</title>
<script src="https://ajax.googleapis.com/ajax/libs/jquery/1.4.2/jquery.min.js" type="text/javascript"></script>
</head>
<body>
<script type="text/javascript">
$(document).ready(function () {
// Establish where the output goes.
var outputObject = $("#<%=TextBox2.ClientID %>");
// create a function to do an ajax postback
function doAjaxPostback(sender, value) {
$.ajax({
type: "POST",
url: "temp2.aspx",
data: "id=" + sender.attr("id") + "&value=" + value,
success: function (data) { outputObject.append("<br />" + data) }
});
}
// Use jquery to wire up the event handler. We use the ClientID property in case these
// elements get embeded in some other server control container later.
$("#<%=TextBox1.ClientID %>").keyup(function (event) { doAjaxPostback($(this), $(this).val()); });
$("#<%=TextBox1.ClientID %>").change(function (event) { doAjaxPostback($(this), $(this).val()); });
$("#<%=ListBox1.ClientID %>").change(function (event) { doAjaxPostback($(this), $(this).val()); });
// Use a plain html button tag for ajax only. The server control button gets rendered as
// a submit button which requires it to be handled a little differently.
$("#PlainButton").click(function (event) { doAjaxPostback($(this), $(this).attr("value")); event.preventDefault(); });
});
</script>
<form id="form1" runat="server">
<div>
<asp:TextBox ID="TextBox1" runat="server" ></asp:TextBox>
<asp:Button ID="Button1" runat="server" OnClick="PostBack" Text="Button" /><br />
<button id="PlainButton" value="Plain Old Button">Ajax Only, No postback</button>
<br />
<asp:ListBox ID="ListBox1" runat="server" >
<asp:ListItem>value1</asp:ListItem>
<asp:ListItem>value2</asp:ListItem>
</asp:ListBox>
<br />
<br />
Events Fired:<br />
<asp:TextBox ID="TextBox2" runat="server" Height="159px" TextMode="MultiLine" Width="438px"></asp:TextBox>
</div>
</form>
</body>
</html>
Then for the code behind I just made a tiny change so we can report when we get a regular postback versus the ajax kind:
protected void PostBack(object sender, System.EventArgs e)
{
this.TextBox2.Text += "\n\nGot an asp.net postback\n\n"
+ string.Format("PostBack for - {0}\n", ((System.Web.UI.Control)sender).ID);
}
Okay, so I was trying not to get too fancy but I wanted to demonstrate how easy this is so I made a second page, temp2.aspx but left the aspx file alone as i only needed what is in the code behind:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;
namespace WebApplication1
{
public partial class temp2 : System.Web.UI.Page
{
protected void Page_Load(object sender, EventArgs e)
{
string id = string.Empty;
string value = string.Empty;
Response.Clear();
if (Request.Form == null || Request.Form.Count < 1)
{
Response.Write("I got nothin'");
Response.Flush();
Response.End();
return;
}
id = Request.Form["id"];
value = Request.Form["value"];
Response.Write(string.Format("\nevent from: {0}; value={1}",id,value));
Response.Flush();
Response.End();
}
}
}
Notice that what I did was clear, write, flush and end the response so only the text we want is sent back to the caller. We could have done some fancy stuff in the page_load of the original temp page to check if it is a call from the ajax function that will not clear or flush the response if the incoming Request.Form does not contain a certain field, etc. But by doing it as a separate page, I hoped to simplify the code. This also opens up possibilities.
Say you have a country drop down that has Canada and USA in it and when it changes, you want to sent back data to populate a State/Province dropdown with the appropriate values. By putting the lookup code on its own page the way I did with temp2.aspx, you can then call it from all the pages in your app that have a need for such a service.
Good luck, let me know if you have any trouble understanding my code.
I need to initialize the text attribute of the text box element with a property from some where else when actually I can simply do this from code but it will be much more convenient if it possible to do it like this:
<asp:TextBox runat="server" Text="<%= new ContextItem("title").Value %>" />
Unfortunately the above can't be done..
The issue is that this text box element repeats it self several times in the page and my question is:
Are there any suggestions how to make it cleaner then to write it again and again in the code behind?
Thank,
Adler
OK so the basic problem here is that if you use an inline expression you can NOT use it to set a property of a server-side control outside of a binding context (using a binding expression). I have inferred that this is probably because of the timing of the evaluation of these inline expressions. You can, however, render client-side markup in this way. If you want to keep the functionality purely in your aspx file, this is the way to do it.
Edit: Based on input from Justin Keyes, it appears it IS possible to use a binding expression to set the property. You need to manually invoke Page.DataBind() to trigger the textbox to evaluate the expression (see answer below).
For instance this:
<asp:Label ID="lbl" runat="server" Text="<%= Now.ToShortDateString() %>" />
Will produce this output:
<%= Now.ToShortDateString() %>
On the other hand this:
<%= "<span>" & Now.ToShortDateString() & "</span>"%>
Will produce this output:
7/27/2011
The "normal" way to solve this problem is just to set the Label.Text properties in a Page.Load event handler or another appropriate event handler depending on your needs, as below. This is the way I believe most people would prefer to do it, and is most easily understandable in my opinion.
Markup:
<asp:Label ID="lbl" runat="server" />
Code:
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
lbl.Text = Now.ToShortDateString()
End Sub
Option 1: don't use server controls
If you aren't accessing the value on the server, just use plain HTML instead of an ASP.NET server control:
<input ID="Textbox1" Type="Text"
Value='<%= new ContextItem("title").Value %>' />
Option 2: use Page.DataBind()
If you change your code to use <%# instead of <%= (as below) and call Page.DataBind(), it will work (I've tested it). Change your markup to this:
<asp:TextBox runat="server" Text="<%# new ContextItem("title").Value %>" />
And in your logic, call Page.DataBind() in the Load event like this:
protected void Page_Load(object sender, EventArgs e) {
Page.DataBind();
}
Even though the TextBox is not contained in a typical "data bound" control such as a Repeater or GridView, calling DataBind() on a control will force it to evaluate <%# ... %> statements.
The Moof's comment (below) is correct. This post also mentions Page.DataBind().
You can set the text on a page in a similar way.
<asp:TextBox id="TextBox1" runat="server" Text='<%#GetValue('Title)%>' />
But in order for this to work, you will need to DataBind the control on Page_Load. For multiple TextBox controls you could just loop through each and databind them so that you do not have to hard code the databinding of each.
I am not sure what your ContextItem is though, so you would have to modify my code.
The short answer is NO, you can only use this kind of code with databindings, that means inside a GridView for example. But you can use this in the head section.
I use it to prefix my urls sometimes with something predefined. Example
<script src="<%=Utils.GetGeneralPrefix()%>/Scripts/jquery-1.4.1.min.js" type="text/javascript"></script>
In that case it works.
Hope it helps.
90% of the time when I try this I have to use single quotes ('') instead of double quotes ("") around the <%%>. Give that a try before you spend too much time on anything else.
I'm using some of the typical ASP.NET's Validation Controls in my website. Now I'm trying to disable the JavaScript in my browser to test my application and of course the Validation Controls no longer works. I think it's best to try to make them work using one of the suggested solutions down here instead of reinvesting the wheel and build a validation layer for the page or my objects -Am I thinking right?-
What do you think of these options and why:
Include in clicked button's event a code to check if the page is valid and if not explicitly call the Page.Validate(); method
Check if whether the JavaScript is enabled and if not I should call Page.Validate();
If you there's a better way to do it please let me know.
Javascript form validation is purely for user convenience. This stops them from submitting a form with an invalid phone number or whatever.
All inputs should actually be validated on the server when whatever request is being made is received. Here's the ideal flow, and you'll see that a browser not having javascript enabled is no big deal:
browser -> javascript validation (optional) -> server validation (if this fails, go back to initial page with errors)
So even if they have no JS, the page still submits the data, then you can return an error from the server. This is a poorer user experience typically (full page reload, potential retyping of inputs unless you repopulate the forms) which is why JS is often included in validation schemes.
The validation controls are designed to validate primarily on the server side. The client-side validation is optional (see the EnableClientScript property). So if they aren't working with Javascript disabled, then you're probably missing a little boilerplate code in your page, such as this snippet from the MSDN documentation on Page.IsValid:
private void ValidateBtn_Click(Object Sender, EventArgs E)
{
Page.Validate();
if (Page.IsValid == true) // yes, it is written this way in the MSDN documentation
lblOutput.Text = "Page is Valid!";
else
lblOutput.Text = "Some required fields are empty.";
}
You can also call Page.Validate and check Page.IsValid in your Page's OnLoad event, so that you can prevent a postback from proceeding to the next step when the form needs to be re-submitted. You probably don't even need to call Validate() explicitly — Button.CausesValidation is true by default.
You will need to do custom Server Side validation... http://msdn.microsoft.com/en-us/library/aa479013.aspx (information toward the bottom)
Something like this:
<%# Page Language="C#" %>
<script runat="server">
void Button1_Click(Object sender, EventArgs e) {
if (Page.IsValid) {
Label1.Text = "VALID ENTRY!";
}
}
void ValidateNumber(object source, ServerValidateEventArgs args)
{
try
{
int num = int.Parse(args.Value);
args.IsValid = ((num%5) == 0);
}
catch(Exception ex)
{
args.IsValid = false;
}
}
</script>
<html>
<head>
</head>
<body>
<form runat="server">
<p>
Number:
<asp:TextBox id="TextBox1"
runat="server"></asp:TextBox>
<asp:CustomValidator id="CustomValidator1"
runat="server" ControlToValidate="TextBox1"
ErrorMessage="Number must be even"
OnServerValidate="ValidateNumber"></asp:CustomValidator>
</p>
<p>
<asp:Button id="Button1" onclick="Button1_Click"
runat="server" Text="Button"></asp:Button>
</p>
<p>
<asp:Label id="Label1" runat="server"></asp:Label>
</p>
</form>
</body>
</html>