So I got this new site to take care of: http://www.kineformeconcept.com/mtl/index.shtml
The menu does not display anymore ever since the client moved is hosting location.
I've never used the #include file="whatever.html" directive.
I now it's an ASP directive, but I've never worked with ASP. Where should I start?
If anybody want to check out the code, it's at line 66:
<td align="center" valign="top" bgcolor="#ededee"><!--#include file="menu.html" --></td>
The #include directive is not a part of ASP per-se - it is a server directive, part of the web server itself and independent of the scripting language you are using.
If it worked on one server, and stopped working on the new server, then the most likely culprit is a mis-configured server.*
If you are hosting it yourself, where to look to fix it will depend
on the server software you are using and which version of that
software you are using.
If you are not hosting it yourself, you may need to contact your host
about enabling the appropriate features.
The assumption so far has been that you are using ASP-Classic because that is what the question is tagged as, and you mention ASP in the question itself... but your link is to an .shtml page and the content of the question leads me to believe it's just static HTML with some #include statements.
Semi-random aside - it shouldn't matter, but if you've moved to a more ...particular... server software, it may just be fussing about the lack of space between the <!-- and the #include. Instead of:
<td align="center" valign="top" bgcolor="#ededee"><!--#include file="menu.html" --></td>
Put:
<td align="center" valign="top" bgcolor="#ededee"><!-- #include file="menu.html" --></td>
The filename of your page is .shtml
It should be .asp, then #include file or #include virtual should work.
Your new host is not supporting classic ASP. However, for such a simple thing you don't really need the power of classic ASP. You can use jQuery to easily load the menu into the table cell.
First, give unique id to the cell:
<td id="MenuCell" align="center" valign="top" bgcolor="#ededee">
Now include jQuery library in your code:
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/1/jquery.min.js"></script>
And finally add this code to your page:
<script type="text/javascript">
$(document).ready(function() {
$("#MenuCell").load("menu.html");
});
</script>
Done, you'll now see the menu in place, no server side code needed.
Related
For example, I have two sibling pages Index.aspx and Orders.aspx in one folder. On the page Index.aspx I have the link to Orders.aspx. What is the correct way to implement this:
<a runat="server" href="~/Orders.aspx">
or
<a href="Orders.aspx">
I know what runat="server" does (server-control, performance impact etc.).
You really never need to run markup with a run at server tag if it's never used in code behind, if it is then you should use a ASP.NET control for it.
So just a hyperlink without runat=server would be fine.
It's always best to use ASP.NET controls on your page though if an upgrade in the future could require language translations, or have some logic assigned to them in the future. So always plan ahead on your designs.
If both views are in the same folder, than the second one:
<a href="Orders.aspx">
I have been told to find a fix to Cross Site Scripting (XSS) in some of my bank old .asp pages.
I did some research on the subject, but I didn't find an answer to my problem. It's the first time I heard about XSS and the first time I am looking at ASP (although the page has nothing but HTML) and I haven't been into web design for about 2 years now, so I am very very rusty.
So for example, I have this form
<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
<TR valign="top">
<TR>
<TD align="center">Input something here
<input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
</TD>
</TR>
</TR>
</TABLE>
</form>
If I manually input the URL (which contains this form) as
http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22
the page will load and then it will throw a javascript alert and display an error image.
My goal is to stop scripts from running when opening the page.
I read about Server.HTMLEncode but can't find a way to use it to stop the script from running at page load.
Thanks in advance!
EDIT: Will I be able, at least partially, to work around it if I replace the input's value with:
"<%= Server.HTMLEncode(Request("input_something"))%>"
I cannot test it, since, currently, I have no access to IE6, and all the other browsers (including IE>6 versions) avoid the error (already disabled XSS Filter in the Security tab, but it does not work)
i do not think that has anything to do with the browser?
you obviously write the content of a querystring parameter directly on your page like so:
<%=Request.QueryString("1")%>
that is bad.
as you already have found out you should use
server.htmlencode( Request.QueryString("1") )
everywhere on your pages where you write user input directly on the page.
that should do the trick
also have a look here
(I do not know much about ASP) You may be able get an easy fix by enabling ASP request validation. As with any behaviour changes, a number of things can break on other pages (although this would be surprising), so test the the change first. See Step 1 in http://msdn.microsoft.com/en-us/library/bb355989.aspx
Your server is filling in all tags on the page, including the hidden "srv" input, from URL parameters, with no filtering for HTML tags, which then get pasted into the page. You can limit this form to respond to POST only, not GET method, then your example attack will not work. This is probably the easiest and most harmless fix.
Finally, look if you can set cookie attribute for whatever cookie is used to track sessions to HTTPOnly.
A very long read on all possible measures you can use is at http://msdn.microsoft.com/en-us/library/ms998274.aspx
Is it posible to convert an ASP app to ASP.NET? I prefer to work with Visual Studio, in ASP.NET rather than just ASP. I need to do this because I'm stuck trying to watch an ASP page, as I don´t know how to work with ASP, I'm trying to see the code of ASP (classic ASP) in Visual Studio, maybe I need to make some changes, but I don´t know what the changes are. I did several changes in my app, like put a button to select and unselect checkboxes, but I can´t see any change or image, this way to works is different that the way I'm use to it, well,it's supossed this code works, (the problem is I can´t see any change):
<td align="center" colspan="3">
<input type="button" name="btn_seleccionar_todo" value="Seleccionar todo" onclick="javascript:marcar(this.form);">
</td>
<td align="center" colspan="3">
<input type="button" name="btn_desseleccionar_todo" value="Seleccionar todo" onclick="javascript:desmarcar(this.form);">
</td>
function marcar()
{
for (i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=true;
}
}
function desmarcar()
{
for(i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=false;
}
}
Switching fundamental technologies is a huge undertaking and not to be taken lightly. You definitely shouldn't approach it as a simple translation of VBScript into C#... you need to rewrite the entire thing using the newly selected technology idiomatically. Its like using Google translate to communicate via email or chat with someone who speaks a different language - it could work, but not really very well.
When I use built-in controls in asp.net I can see many tab characters added at start of each line of the generated html output. Is it possible to 'turn of' these? I'd like to get rid of this waste.
For example when I use GridView control, it generates <table> tag which looks like this:
<div>
<table>
<tr>
<th>...</th>
</tr>
<tr>
<td>...</td>
</tr>
...
</table>
</div>
But I want to see this:
<div>
<table>
<tr>
<th>...</th>
</tr>
<tr>
<td>...</td>
</tr>
...
</table>
</div>
I wonder who designed this silly stuff. Although it is "just a few bytes", it sends many unneeded waste over internet if you look at it from a long time period point of view. (I understand that indentation makes it more readable, but still at least those inner <th> and <td> tags are a bit too much indented.)
Or do you think I am completely wrong? [Are those tabs important for The World?]
I wonder who designed this silly stuff
Microsoft Corporation.
Or do you think I am completely wrong?
I think you are completely wrong. HTML is to be read and interpreted by browsers. You, as a developer, could use developer tools such as FireBug to inspect the actual DOM tree in a nice way. Humans/users don't give a s..t about how your HTML is indented. They look at the final product rendered by the browser and this is what you should be focusing on. Actually in production in order to optimize bandwidth you should compress your HTML and remove all white-spaces. Could be done with custom response filters.
Personally, when I write a page (I use the Repeater control, so there's a bit of a difference), I always indent my HTML. Yes, even the content within the <th> and <td> tags.
I can understand your point (especially when we talk about using gzipped and minified copies of JavaScript libraries) when you're talking about a production application that's never debugged. However, without HTML indentation, it would be incredibly difficult for me to unwind problems in my layout or errors I made when I wrote CSS or HTML properties.
If I have a strongly typed view e.g. Inherits="System.Web.Mvc.ViewPage>" %>
And i want to output the list of items in the model, when I use "Add view" within visual studio i get the following html code generated below.
Is there anyway to eliminate the Magic string "Version" when outputting the table column headers?
<table>
<tr>
<th>
Version
</th>
</tr>
<% foreach (var item in Model) { %>
<tr>
<td>
<%= Html.Encode(item.Version) %>
</td>
<tr/>
<% } %>
</table>
What would you like to have instead?
You could use resource files so they are translated or something..
Or if it has to be the name of the item.Version variable you can probably look into some reflection.
I think you'll have to use reflection. This question looks like it will help you:
How do you get a C# property name as a string with reflection?
If you have your controllers and views in the web project, just add Resource Files (.resx) to App_GlobalResources (or App_LocalResources relative to the view, though I'm not a fan of that) and then reference the resources from yoru views.
I personally create a "Resources" project that contains a bunch of Resource Files (.resx). Each resx is set to public (dropdown at the top of the designer). This way they can be accessed from Views in the web project or controllers/application services in my other projects.
Having said that, unless sharing copy or translation is a major concern to you, it's ok to leave the copy in the views as a "magic string".