validating input to the asp:CreateUserWizard control - asp.net

I'm using the asp:CreateUserWizard control and have read on MSDN:
User input in a Web page can potentially contain malicious client
script. By default, ASP.NET Web pages validate user input to ensure
that the input does not contain HTML elements or script. As long as
this validation is enabled
This is the code I'm using:
<asp:Label runat="server" AssociatedControlID="UserName">User name</asp:Label>
<asp:TextBox runat="server" ID="UserName" CausesValidation="true"/>
<asp:RequiredFieldValidator runat="server" ControlToValidate="UserName"
CssClass="field-validation-error" ErrorMessage="User name is required." />
<asp:RegularExpressionValidator runat="server" ControlToValidate="UserName"
CssClass="field-validation-error" ErrorMessage="User name must not contain \ (backslashes)."
ValidationExpression="[^\\]*" />
Now if I try and create a user with a name like <script>alert('hello')</script> my app then crashes with a 500 internal error.
I've tried code in all these events to see if I can trap the error but the code never gets hit:
RegisterUser_CreateUserError()
RegisterUser_CreatingUser()
So my 2 questions are, why is the input not being validated and where could I trap this error when it is thrown (the 2nd question maybe less important once I know how to do the first part)?
I must be missing something really simple here.

Related

FormView not saving due to RegularExpressionValidator grouping issue in expression

I have the following regular expressions, used to pick up a specific domain name and email address type:
(?i:^domain\\[a-z0-9]+$)
(?i:([;]|^)([a-z0-9.]+#(dom\.net|part1\.part2\.uk))(?=[;]|$))
I'm using them in a pair of RegularExpressionValidator controls on an ASP.NET page to do the obvious.
The two expressions have been tested (first, second), and work fine. I've even tested them on regexstorm.net/tester, and they work fine there, too, or rather, it didn't complain at all.
I've tried entering data correctly and incorrectly into the text boxes, which does produce the desired result (i.e. showing and hiding the validator messages).
When I come to submit the changes for the data to be saved away, though, nothing happens.
This thread in the ASP.NET forums showed me that the issue could be related to an incorrectly defined expression. After testing and pulling the results from the developer tools with Chrome, sure enough I did find an exception listed, quoting an incorrect group expression (e.g.):
Uncaught SyntaxError: Invalid regular expression:
/(?i:([;]|^)([a-z0-9.]+#(dom\.net|part1\.part2\.uk))(?=[;]|$))/:
Invalid group
at new RegExp (<anonymous>)
at HTMLSpanElement.RegularExpressionValidatorEvaluateIsValid [as evaluationfunction] (ScriptResource.axd?d=nv7asgRUU0tRmHNR2D6t1I81CZYvhDRBNs2fZ336VJmjaWUtfpNHyosZQUxZ0B5WPXmV97rd4uGrASTweyiB-WOW1uyNsuPtZ3w36cKlE-LnO2_rZ0xo0PpdoCQY_z4Id3GA-_iewMRfjN0CNhHZOQ2&t=26028d1e:458)
at ValidatorValidate (ScriptResource.axd?d=nv7asgRUU0tRmHNR2D6t1I81CZYvhDRBNs2fZ336VJmjaWUtfpNHyosZQUxZ0B5WPXmV97rd4uGrASTweyiB-WOW1uyNsuPtZ3w36cKlE-LnO2_rZ0xo0PpdoCQY_z4Id3GA-_iewMRfjN0CNhHZOQ2&t=26028d1e:200)
at ValidatorOnChange (ScriptResource.axd?d=nv7asgRUU0tRmHNR2D6t1I81CZYvhDRBNs2fZ336VJmjaWUtfpNHyosZQUxZ0B5WPXmV97rd4uGrASTweyiB-WOW1uyNsuPtZ3w36cKlE-LnO2_rZ0xo0PpdoCQY_z4Id3GA-_iewMRfjN0CNhHZOQ2&t=26028d1e:162)
at HTMLInputElement.eval (eval at ValidatorHookupEvent (ScriptResource.axd?d=nv7asgRUU0tRmHNR2D6t1I81CZYvhDRBNs2fZ336VJmjaWUtfpNHyosZQUxZ0B5WPXmV97rd4uGrASTweyiB-WOW1uyNsuPtZ3w36cKlE-LnO2_rZ0xo0PpdoCQY_z4Id3GA-_iewMRfjN0CNhHZOQ2&t=26028d1e:90), <anonymous>:3:1)
Unfortunately, I simply don't know enough about regex to be able to figure out just where the expression is breaking down - I would really appreciate some pointers.
The ASP.NET page code for the related text boxes and validators...
<asp:Label runat="server" ID="labelDomainUsername"
Text="Your domain username..." AssociatedControlID="textDomainUsername"
ClientIDMode="Predictable" />
<span class="help">
This is your Windows login, and usually appears as <strong>DOMAIN\asurname</strong>.
</span>
<asp:TextBox runat="server" ID="textDomainUsername"
Text='<%# Bind("domain_username")%>'
CssClass="mandatory w2Eighths noBlock"
PlaceHolder="DOMAIN\AUsername" TabIndex="0" />
<asp:RegularExpressionValidator runat="server" ID="rexDomainUser"
ControlToValidate="textDomainUsername"
ValidationExpression='<%$ appSettings:rexDomainAccount %>'
Text="Please supply a valid domain username."
CssClass="validBalloon" Display="Dynamic" />
<asp:Label runat="server" ID="labelEmail"
Text="Your email address..." AssociatedControlID="textEmail" />
<span class="help">
Your email address can be an <strong>dom.net</strong> or <strong>part1.part2.uk</strong>
account. If you have a secretary, or wish to include another email address separate them with a
semi-colon.
</span>
<asp:TextBox runat="server" ID="textEmail" Text='<%# Bind("email")%>'
CssClass="mandatory w3Eighths noBlock" AutoCompleteType="Email"
PlaceHolder="any.username#dom.net" TabIndex="1" />
<asp:RegularExpressionValidator runat="server" ID="rexEmail"
ControlToValidate="textEmail"
ValidationExpression='<%$ appSettings:rexEmailAddress %>'
Text="Please supply a valid email address."
CssClass="validBalloon" Display="Dynamic" />
As pointed out, there are certain issues with utilising the RegularExpressionValidator. There are multiple ways around the issue, but all I've done is replace it with a CustomValidator and validate the parts of the string that I needed to.
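The trace in the question shows the validator's client script handing ValidationExpression to the browser's `new RegExp`, which rejected the .NET-style `(?i:...)` group. The following is an added example, not code from the original post: a pre-flight check that flags inline option groups and exercises a portable rewrite under the validator's whole-value matching rule. `PORTABLE`, the helper names and the sample inputs are constructed, and the rewrite assumes the semicolon-separated intent stated in the form's help text.

```javascript
// Added example. Patterns are the two quoted in the question; inputs are constructed.
const PAGE_PATTERNS = {
  rexDomainAccount: String.raw`(?i:^domain\\[a-z0-9]+$)`,
  rexEmailAddress: String.raw`(?i:([;]|^)([a-z0-9.]+#(dom\.net|part1\.part2\.uk))(?=[;]|$))`,
};

// Static scan for .NET inline option groups such as (?i:...) or (?i), skipping
// escaped characters and character classes. Whether new RegExp accepts such a
// group depends on the engine version, so the scan is the stable signal.
function inlineOptionGroups(pattern) {
  const found = [];
  let inClass = false;
  for (let i = 0; i < pattern.length; i++) {
    const c = pattern[i];
    if (c === "\\") { i++; continue; }
    if (inClass) { if (c === "]") inClass = false; continue; }
    if (c === "[") { inClass = true; continue; }
    const m = c === "(" && /^\(\?[imnsx-]+[:)]/.exec(pattern.slice(i));
    if (m) found.push({ index: i, text: m[0] });
  }
  return found;
}

// Does the engine running this check accept the pattern at all?
function compilesInJs(pattern) {
  try { new RegExp(pattern); return true; } catch (e) { return false; }
}

// Whole-value rule: the match must cover the entire input; empty input passes
// and is left to RequiredFieldValidator.
function validatorIsValid(pattern, value) {
  if (value.trim() === "") return true;
  const m = new RegExp(pattern).exec(value);
  return m !== null && m[0] === value;
}

// Hypothetical portable rewrite: case-insensitivity spelled out per letter.
const ci = (s) => s.replace(/[a-z]/gi, (ch) => `[${ch.toUpperCase()}${ch.toLowerCase()}]`);
const addr = `[A-Za-z0-9.]+#(?:${ci(String.raw`dom\.net`)}|${ci(String.raw`part1\.part2\.uk`)})`;
const PORTABLE = {
  rexDomainAccount: `^${ci("domain")}\\\\[A-Za-z0-9]+$`,
  rexEmailAddress: `^${addr}(?:;${addr})*$`,
};

for (const [name, p] of Object.entries(PAGE_PATTERNS)) {
  console.log(name, inlineOptionGroups(p).map((g) => g.text), "->", PORTABLE[name]);
}
```

The server still evaluates the same expression with the .NET engine, so a rewritten pattern has to be checked against both engines before it replaces the original.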

asp.net validators ends up in same place

I'm writing an application with multiple validators (date, required, regexp for format) on the same page. They validate correctly, but they turn up in the same place. That is, they don't turn up next to the validated field, they are appended to another validation error message next to a completely different field.
Here goes example code snippets:
Number:
<asp:RegularExpressionValidator class="IMSIValidators" runat="server" ErrorMessage="Enter digits only, no other characters" ControlToValidate="IMSIRangeTextBox" Display="Dynamic" ValidationGroup="AllValidators" ValidationExpression="[0-9]+"></asp:RegularExpressionValidator>
<p class="IMSIEditLabels">Operator: <asp:TextBox ID="OperatorTextBox" runat="server"></asp:TextBox></p>
<asp:RequiredFieldValidator runat="server" class="IMSIValidators" Text="Enter the customer" ControlToValidate="OperatorTextBox" Display="Dynamic" ValidationGroup="AllValidators"></asp:RequiredFieldValidator>
<p class="IMSIEditLabels">Requested by:<asp:TextBox ID="RequestedTextBox" class="IMSIEditInputItems" runat="server" ValidationGroup="AllValidators"></asp:TextBox></p>
<asp:RequiredFieldValidator runat="server" Text="Enter a full name" ControlToValidate="RequestedTextBox" Display="Dynamic"></asp:RequiredFieldValidator>
I've tried all ways that I can think of, such as setting Display="Dynamic" and ValidationGroup="AllValidators". No combination works for me.
I've tried to set their position in a CSS class, but then they came up on top of each other (which is logical).
Any input is greatly appreciated. I'm getting SO frustrated :)
//Eva-Lotta

Limit Input Type in a Textbox

I'm new to all this and trying to only allow numeric values to be entered into an existing TextBox in ASP.Net. I've got the code for this, but can't figure out where to put it in. If I do it like the below, it creates an additional box in the textbox (that works). How can I apply this limitation to the current textbox?
<asp:TableCell>
<asp:TextBox ID="txtS2" runat="server" Width="95%" AutoPostBack="true" OnTextChanged="WerklikChanged"></asp:TextBox>
<input type="text" onkeypress="filterDigits(event)"/>
</asp:TableCell>
Update:
I ended up using the below, which is not really what I wanted as it still only checks the field once I leave the field. I'll look into blocking the entry of letters completely at a later stage and post the answer here.
<asp:CompareValidator
ID="ProgrammaticID"
ControlToValidate="txtS2KoringA"
Type="Double"
Operator="DataTypeCheck"
ErrorMessage="Error Message"
Text=" Net nommers word toegelaat in die 'Werklik' velde"
ForeColor="Red"
BackColor="White"
SetFocusOnError="false"
Display="Dynamic"
runat="server">
</asp:CompareValidator>

ASP.NET Regular Expression Validator VS Required Field Validator OR both?

I don't really know if I should be using both the Regular Expression Validator and Required Field Validator or what? I have just a normal form in ASP.Net (Visual Studio). I want to make sure the user types in the correct characters, such as for a phone number (which is why I want the reg ex control), but I also want the field to be required. So should these be combined or what is the best way to do this?
Right now I just have the required part working, like this:
<asp:RequiredFieldValidator runat="server" id="RequiredFieldValidator2"
controltovalidate="TextBoxLocation" errormessage="Required"
/>
You can use both of them, but make sure to add Display="Dynamic" on both of the controls.
<asp:RequiredFieldValidator runat="server" id="RequiredFieldValidator1"
controltovalidate="TextBoxLocation" Display="Dynamic" errormessage="Required"
/>
<asp:RegularExpressionValidator ID="RegularExpressionValidator1" runat="server" ErrorMessage="Enter valid Phone number" ControlToValidate="TextBoxLocation" Display="Dynamic" ValidationExpression="^[01]?[- .]?(\([2-9]\d{2}\)|[2-9]\d{2})[- .]?\d{3}[- .]?\d{4}$" ></asp:RegularExpressionValidator>
Both, simply because one validates client side and the other is server side.
This allows you to make sure the user didn't alter your clientside JavaScript and then send bad data.

.net ascx control not retaining value on postback (mojoPortal)

I'm making a custom module for mojoPortal CMS which needs to allow the client to add an affiliate into the database. As far as I can tell, this requires creating a .ascx file and then installing that using the administration toolbar in the Web interface to get it to a point where I can put it into a page, as described at http://www.mojoportal.com/hello-world-developer-quick-start.aspx.
The form is simple enough, but the values in the text boxes just stay empty when I submit, though the file upload works fine. The code:
<asp:Label ID="Label1" runat="server" Text="Company Name" AssociatedControlID="CompanyName">
</asp:Label>
<asp:TextBox ID="CompanyName" runat="server"></asp:TextBox>
<asp:Label ID="Label2" runat="server" Text="Company Description" AssociatedControlID="CompanyDescription"></asp:Label>
<asp:TextBox ID="CompanyDescription" TextMode="MultiLine" runat="server"></asp:TextBox>
<asp:Label ID="Label3" runat="server" Text="Company Logo" AssociatedControlID="CompanyLogo"></asp:Label>
<asp:FileUpload ID="CompanyLogo" runat="server" />
<asp:Button ID="SubmitButton" runat="server" Text="Add Affiliate" />
EnableViewState for the page and the controls is enabled.
The text box is not set to ReadOnly, and there is no funky JavaScript dynamically modifying elements (at least, I didn't set any).
I can work around this by using HTML elements, and get the values using Request.Form. The information is actually there, I can see it in the Request.Form, but I would have to get that by something like Request.Form[CompanyName.ClientId.Replace("_","$")] or Request.Form[6] which both seem very messy and IIRC aren't really the way things are supposed to roll in .NET. Besides, having worked until 3 last night, I really want to know what the answer is now!
Any thoughts anyone?
What I had done was not create a click event for the button, relying on the fact that it was posting to the server (like I would in PHP). Oops! When I added a click event, then the text boxes retained their value when I was within that method.
