We have an ASP.Net Webforms (.Net 4.7.2) site. We've enabled the built-in XSS protection by adding to web.config:
<httpRuntime encoderType="System.Web.Security.AntiXss.AntiXssEncoder" ... />
This works fine, apart from in one place: we have some code that generates a small image, and embeds it within the page using a Data URI:
(aspx)
<asp:Image ID="image1" runat="server" />
(C#)
image1.ImageUrl = dataURI;
and dataURI is normally something like:
 ...
This works fine without the AntiXssEncoder, but with that in place the rendered HTML turns into:
<img id="image1" src="data%3Aimage/png%3Bbase64%2CiVBORw0KGgoAAAANSUhEUgAAAA ...
... so the unsafe characters in the "header" of the src have been encoded, and the image doesn't display in the browser.
How can I disable the AntiXssEncoder for this one image object, or otherwise force the Data URI to get to the browser without being re-encoded? There is no user input on this particular page.
One way is to "do it yourself". Reference: https://stackoverflow.com/a/7406983/11534
Basically:
Declare a public property in your code-behind file with the image data. Let's say "ImageData" (public string ImageData {get;set;}) and set it to hold the base64 data.
Replace <asp:Image ID="image1" runat="server"> with <img src="<% =ImageData %>" />
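As an added illustration that is not part of the original answer: `<%= %>` writes the string to the page without encoding, so the code-behind can build the data URI from the image bytes and check it against a strict pattern before assigning it to ImageData. The class and method names (SafeDataUri, FromPngBytes, IsSafeImageDataUri) are hypothetical, and the sample inputs are constructed.

```csharp
using System;
using System.Text.RegularExpressions;

// Added example; SafeDataUri and its members are hypothetical names, not framework APIs.
public static class SafeDataUri
{
    // Accept only a fixed set of raster image types followed by a pure base64 payload.
    // Quotes, angle brackets, whitespace and other MIME types never match.
    private static readonly Regex Allowed = new Regex(
        @"\Adata:image/(png|jpeg|gif);base64,[A-Za-z0-9+/]+={0,2}\z",
        RegexOptions.CultureInvariant);

    // Build the URI from raw bytes so the string can only contain
    // the fixed header plus base64 text produced by the framework.
    public static string FromPngBytes(byte[] png)
    {
        if (png == null || png.Length == 0)
            throw new ArgumentException("Image data is empty.", nameof(png));
        return "data:image/png;base64," + Convert.ToBase64String(png);
    }

    // Gate for any string that will be emitted unencoded via <%= ImageData %>.
    public static bool IsSafeImageDataUri(string value)
    {
        return value != null && Allowed.IsMatch(value);
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample: only the PNG magic prefix, not a real image.
        byte[] constructedBytes = { 0x89, 0x50, 0x4E, 0x47 };
        string generated = SafeDataUri.FromPngBytes(constructedBytes);
        Console.WriteLine(SafeDataUri.IsSafeImageDataUri(generated));

        // Constructed sample: a value containing a quote must be rejected,
        // because it would close the src attribute when written raw.
        string withQuote = "data:image/png;base64,AAAA\" x=\"";
        Console.WriteLine(SafeDataUri.IsSafeImageDataUri(withQuote));
    }
}
```

In Page_Load, assign ImageData only when IsSafeImageDataUri returns true, and render no image otherwise.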
Related
Ok, I didn't know how to phrase this differently. Basically, I have an issue on my website, where writing pagename.aspx/anything will open the page pagename.aspx but with no styles or images cause they have relative paths. It's not possible to rewrite them to have absolute paths. Is there any way I could make it work somehow (like for example, redirecting it)? Thanks in advance.
For converting any application root relative URL (which is the most common format) to the appropriate URL on the client in a Web Forms page, you can use this code:
<%# ResolveClientUrl("~/path/to/file.css") %>
Example:
<script src='<%# ResolveClientUrl("~/Scripts/jquery-2.1.0.min.js") %>' type="text/javascript"></script>
However, in cases where you're using server-side controls (for example, asp:Image instead of a plain img element), you can use the application root relative URL without needing to resolve it.
<asp:Image runat="server" ImageUrl="~/images/myimage.jpg" />
is equivalent to
<img src='<%# ResolveClientUrl("~/images/myimage.jpg") %>' />
I have an ASP.net MVC project, which utilizes resource entries (.resx) throughout the project.
A few of the resources fed have HTML in them
example: Hello <b>World!</b>
With paragraphs href and more. As the resources are stored in an XML, the entries are HTMLEncoded
i.e. the above example looks like this:
e.g.: Hello &lt;b&gt;World!&lt;/b&gt;
Due to this, wherever the resources are displayed, the HTML formatting does not render, and instead the HTML is displayed as visible text.
I tried to use HttpUtility.HtmlDecode and Server.HtmlDecode, but both won't work.
What is wrong? Any other work around resources?
Both of the following work fine for me:
<%= Resource.MyResource %><br />
<asp:Label runat="server" Text="<%$ Resources:Resource, MyResource %>" /><br />
A Resource entry such as <b>Text</b> is displayed in bold by the browser.
Some Controls do automatic HTML encoding of their inputs. Could that be what's happening for you?
I know this may be a basic question, but it is driving me crazy. I have an asp.net (4.0 framework) application that I have been working on. I have a masterpage in the root directory, and a secondary masterpage in a subdirectory. The secondary masterpage inherits the site master.
The issue is that even though I used ~/ to describe the location of the resource (<img src="~/Images/myImage.jpg" />), they are not loading.
Using the console on firebug, I get this error: "NetworkError: 404 Not Found - http://localhost:4601/Account/~/Images/myImage.jpg"
What do I need to do to correctly translate resources from masterpage to masterpage across subfolders? And what is it that I am misunderstanding about '~/'?
Using
<img src="~/Images/myImage.jpg" />
Is mixing HTML code with .Net ASP code. The tilde (~) is not something of the HTML markup and this is why it does not produce what you want.
To make it work, you need to change the source with the <% %> tag that will let you add ASP code that will be translated into HTML code when processing.
<img src="<%= Page.ResolveUrl("~/Images/myImage.jpg") %>" />
Inside the ASP.NET tag, you should use ResolveUrl, which will transform the URL into something that the HTML will be able to understand.
If you do not want to use this trick, you can also use the ASP.NET image control instead of the HTML img tag. This will automatically execute the ResolveUrl.
<asp:Image runat="server" ID="imgHelp" ImageUrl="~/Images/myImage.jpg" />
<img src="<%= Page.ResolveUrl("~/Images/myImage.jpg") %>" />
or
<img src="<%= Control.ResolveUrl("~/Images/myImage.jpg") %>" />
I have an ASP.NET site which uses a 3rd party ActiveX control. I have to pass a few parameters to the OBJECT tag in the HTML page. If I hardcode these parameters into the HTML everything works.
I would like to place the parameters in my web.config with app settings "key/value" pairs.
My problem is I cannot read the app key setting in the HTML markup to successfully pass them in as parameters. I can read them fine from server side code behind.
What's the correct way to read these settings in the client side HTML markup?
Thanks
In addition to using <%=ConfigurationManager.AppSettings["MyAttribute"]%>, as others have noted, you can also use expression builders. The syntax is a little different. Instead of <%=...%> you use <%$ AppSettings: MyAttribute %>, like so:
<object id="myObjectID" attr="<%$ AppSettings: MyAttribute %>" ...>
If you are just dumping an appSettings value directly into static HTML (as I presume you are in this example), these two approaches are identical for all practical purposes.
What is nice about expression builders, though, is that you can use them to declaratively assign appSettings values to Web control properties, something you cannot do with the <%=...%> syntax. That is, with expression builders you can do something like:
<asp:Label runat="server" ... Text="<%$ AppSettings: MyAttribute %>" />
Whereas you could not do:
<asp:Label runat="server" ... Text="<%=ConfigurationManager.AppSettings["MyAttribute"]%>" />
The following code:
<%$ AppSettings: MyAttribute %>
is not compatible with general HTML markup and JavaScript functions! It's good for asp tags.
Whereas
<%=ConfigurationManager.AppSettings("MyAttribute")%>
really works in general HTML markup.
so
<%=ConfigurationManager.AppSettings("MyAttribute")%>
is my recommendation!
You can use the ConfigurationManager in your ASPX page. Then you can add in your OBJECT tag parameters:
Web.Config
<configuration>
  <appSettings>
    <add key="Setting" value="Value"/>
  </appSettings>
</configuration>
ASPX
<object>
<param name="Setting" value="<%= System.Configuration.ConfigurationManager.AppSettings["Setting"] %>" />
</object>
I suggest you generate your OBJECT tag dynamically at run-time from the server. This way you can inject whatever parameters you read from the web.config file.
You have a few options. If you add the runat="server" attribute to your object tag, you can access it from your codebehind using its ID, and add attributes that way:
myObjectID.Attributes.Add("attrName", "value")
If you don't want to do that, you could use inline literals:
<object id="myObjectID" attr="<%= ConfigurationManager.AppSettings("MyAttribute") %>" ...>
Either way should get the job done.
In my custom aspx page in WSS I am using a DataFormWebPart with an XSL file to render some data. In order to pass values to the XSL I use parameter bindings. Specifically, I need to pass in the server host URL like this:
<ParameterBinding
Name="HttpHost"
Location="CAMLVariable"
DefaultValue="http://hardcoded.com" />
This works fine, but the next thing I want to do is to get the host name dynamically. So figuring out how to get that from SharePoint I added the following binding:
<ParameterBinding
Name="HttpHost"
Location="CAMLVariable"
DefaultValue='<%# SPContext.Current.Site.Url.Replace
(SPContext.Current.Site.ServerRelativeUrl, "") %>' />
Now to the problem. The code works as expected if used some other place in the page, but with the above code SharePoint reports:
Web Part Error: The 'ParameterBindings' property of 'WebPartPages:DataFormWebPart'
does not allow child objects.
Anyone have a take on this?
I have enabled server side code according to SharePoint 2007: using ASP.NET server side code in your pages
After trying various methods of manipulating the ParameterBindings property without success I thought of how I could get the dynamic value in there using the Location attribute.
The ParameterBinding Location attribute refers to where to fetch the value from. Articles like this hint at the "Control()" option. So changing the parameter binding to:
<ParameterBinding
Name="HttpHost"
Location="Control(MyHttpHost, Text)"
DefaultValue="" />
and adding the following code to my page:
<asp:TextBox ID="MyHttpHost" runat="server" Visible="false" />
<script runat="server">
    protected void Page_Load()
    {
        MyHttpHost.Text =
            SPContext.Current.Site.Url.Replace(SPContext.Current.Site.ServerRelativeUrl, "");
    }
</script>
...actually did the trick!
To get to the parameter values from within the accompanying XSL file I put param elements in the root element. The param name attribute must match that of the ParameterBinding:
<xsl:stylesheet ...>
...
<xsl:param name="HttpHost"/>
The parameter can then be referenced as any other XSL variable.