How can I fix a reflected XSS client problem on ASP.Net? Can anyone help me?
The problem is below:
Reflected XSS Client
Method :
ROW:563
Private Shared Function bindSiteMenu(TSql As String) As Data.DataTable
....
563. DRow.Item("Sortby") = dt1.Rows(i).Item("Sortby").ToString
564. dtAll.Rows.Add(DRow)
....
569. Return dtAll
Method :
Public Shared Function FrontSiteMenuForSMap(ByVal SiteID As Long) As
Data.DataTable
....
529. Return bindSiteMenu(TSql)
Method :
Protected Sub SiteMap(SitID As Long)
....
27. Dim dt As Data.DataTable =
SiteMenuObj.FrontSiteMenuForSMap(SitID)
....
29. SetNodes(dt, SitID, 0, 0, "")
Method :
ROW:77
Protected Sub SetNodes(ByVal dtTree As Data.DataTable, ByVal SiteID As Long,ByVal ParentId As Long, ByVal Level As Integer, ByVal TreeNumber As String)
....
33. Protected Sub SetNodes(ByVal dtTree As Data.DataTable, ByVal
SiteID As Long, ByVal ParentId As Long, ByVal Level As Integer, ByVal
TreeNumber As String)
....
36. rows = dtTree.Select(filterExpr)
37. If rows.GetUpperBound(0) >= 0 Then
....
47. For Each row In rows
48. tmpParentId = row.Item("ParentId").ToString
49. tmpFDefaultLink = row.Item("FDefaultLink").ToString
50. tmpMenuTitle = row.Item("MenuTitle").ToString
51. tmpMenuID = row.Item("MenuID").ToString
52. tmpSiteID = row.Item("SiteID").ToString
53. tmpURL = row.Item("URL").ToString
....
71. Url = tmpURL
....
77. litF.Text = "<li " & css & "><a href=""" & Url
& """ title=""" & tmpMenuTitle & Title & """>" & tmpNumber & tmpCount &
"." & tmpMenuTitle & "</a><ol>"
Thanks for everyone's help!
Related
I've hit an obstacle. I just want to learn how I can assign SelectedIndex items with the declared costs? I feel like I am missing something obvious.
I have declared the costs of the taco types but I am not sure how I can assign them to the SelectedIndex items for the ddlTacoType in Visual Basic. Is it a good idea to use a switch statement? Ideally, the output should display the cost as 8.99 when the user selects "Chipotle Chicken."
Any help would be much appreciated.
Cheers,
Richard
Screenshot of Output
' Project: Street Tacos Order Form
' Author: Richard Lew
' Date: November 3, 2019
' Purpose: The web application allows a customer to fill out a street taco order form.
Public Class About
Inherits Page
Private _decChicken As Decimal = 8.99
Private _decPork As Decimal = 9.99
Private _strFish As Decimal = 12.99
Private _strBeef As Decimal = 13.99
Private _strExtra As Decimal = 0.99
Protected Sub Page_Load(ByVal sender As Object, ByVal e As EventArgs) Handles Me.Load
End Sub
Protected Sub btnSubmit_Click(sender As Object, e As EventArgs) Handles btnSubmit.Click
' The btnSubmit click event will calculate the cost of the street tacos
' based on the type of tacos selected.
' Declare and initialize variables
Dim decTacoCost As Decimal
Dim decFinalCost As Decimal
Dim decTotalCost As Decimal
Dim decChickenCost As Decimal = 8.99D
Dim decPorkCost As Decimal = 9.99D
Dim decFishCost As Decimal = 12.99D
Dim decBeefCost As Decimal = 13.99D
Dim decExtraCost As Decimal = 0.99
Dim strName As String
Dim strAddress As String
Dim strPhone As String
Dim decOrderCost As Decimal = 0D
Dim strMessage As String
' Trim additional spaces that are entered by the user
strName = txtName.Text.Trim
strAddress = txtAddress.Text.Trim
strPhone = txtPhone.Text.Trim
' Clear the Order Message
lblOrder.Text = ""
' Ensure a Taco Selection is Selected
If ddlTacoType.SelectedIndex < 0 Then
lblTacoTypeError.Visible = True
Else
lblTacoTypeError.Visible = False
End If
' Ensure a Topping is Selected
If Not (chkRedChili.Checked Or chkGreenChili.Checked Or chkBeans.Checked Or chkCream.Checked Or chkLime.Checked Or chkNoToppings.Checked) Then
lblToppingsError.Visible = True
Else
lblToppingsError.Visible = False
End If
' Calculate the cost of the Taco(s) selected by the user
Select Case decTotalCost
Case 0
decTacoCost = decChickenCost
Case 1
decTacoCost = decPorkCost
Case 2
decTacoCost = decFishCost
Case 3
decTacoCost = decBeefCost
Case 4
decTacoCost = decExtraCost
End Select
End Sub
End Class
When the user selects a taco type in the ddlTacoType drop-down list, the program should associate the item with its cost and calculate the total cost of the selected item at the end of the program.
You need to write your logic in selected index change event of dropdown
Protected Sub onSelectedIndexChanged(sender As Object, e As EventArgs) Handles ddlTacoType.SelectedIndexChanged
End Sub
Not sure why the labels are not continuously switching.
I break-pointed it and it shows the counter resets everytime and so it should just be
continuously swapping through the numbers but it doesn't seem to be working
Thanks!
Public Class WebForm2 Inherits System.Web.UI.Page
Dim d As Integer() = {0, 1, 2, 3, 4}
Dim counter As Integer
Public Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
If Not Page.IsPostBack Then
Label1.Text = d(0)
Label2.Text = d(1)
Label3.Text = d(2)
Label4.Text = d(3)
Label5.Text = d(4)
End If
End Sub
Public Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
Dim hold As Integer
counter = 0
hold = d(0)
Do While counter < 4
d(counter) = d(counter + 1)
counter += 1
Loop
Label1.Text = d(0)
Label2.Text = d(1)
Label3.Text = d(2)
Label4.Text = d(3)
Label5.Text = hold
End Sub
Protected Sub Timer1_Tick(ByVal sender As Object, ByVal e As EventArgs) Handles Timer1.Tick
Dim hold As Integer
counter = 0
hold = d(0)
Do While counter < 4
d(counter) = d(counter + 1)
counter += 1
Loop
Label1.Text = d(0)
Label2.Text = d(1)
Label3.Text = d(2)
Label4.Text = d(3)
Label5.Text = hold
End Sub
End Class
I am not familiar with vb.net but I've created asp.net pages before so I am taking an educated guess here^^
When clicking the button a postback happens and the whole page gets reloaded and the array d is declared again.
The values you store in your array are lost after the Post-Back. For keeping data you could use Session or ViewState variables:
Session
ViewState
As I said this is for asp.net but it might help anyways.
Edit: I still think the data is somewhere lost in this d-array... What if you just leave out the array and have your button_Click event like this:
String temp = Label1.Text;
Label1.Text = Label2.Text;
Label2.Text = Label3.Text;
Label3.Text = Label4.Text;
Label4.Text = Label5.Text;
Label5.Text = temp;
Your array named d (is there a better name for this?) is being re-declared on every page-load (as it seems like it should be).
The problem is that you're not persisting the adjusted array values each page load. Instead, you're starting from scratch each time as others have suggested.
See the following URL for a lot of useful information about persisting state information in a web-forms application.
http://msdn.microsoft.com/en-us/library/vstudio/z1hkazw7(v=vs.100).aspx
As far as your code, you can try something along these lines to persist the values from the current array while setting it up for the next load.
Public Class WebForm2 Inherits System.Web.UI.Page
Private _dValues As Integer(19)
Private _currentValues As Integer(19)
Private _newValues As Integer(19)
Private _startIndex As Integer
Public Sub New()
_dValues = {0, 1, 2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19}
_startIndex = 0
End Sub
Protected Sub Page_PreRender(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.PreRender
If Page.IsPostBack Then 'Load values from form
For i As Integer = 0 To _currentValues.Length - 1 Step 1
_currentValues(i) = Request.Form(String.Concat("Hidden", i))
Next
_startIndex = Request.Form("StartIndex")
Else
_currentValues = _dValues 'First time around
End If
Dim position As Integer = _startIndex
For i As Integer = 0 To _currentvalues.Length - 1 Step 1
If position >= _newValues.Length Then
position = 0
End If
'Assign the current position in the new array equal to the current sequential value in the previous array
_newValues(position) = _currentValues(i)
position += 1
Next
End Sub
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
'Increment the counter every post back
If Page.IsPostBack Then
_startIndex += 1
End If
'Don't allow the counter to go outside the bounds of the array
If _startIndex >= _currentValues.Length Then
_startIndex = 0
End If
Me.StartIndex.Text = _startIndex 'Assign the value of the hidden field
End Sub
Public Sub Button1_Click(ByVal sender As Object, ByVal e As EventArgs) Handles Button1.Click
'Dynamically set label / hidden data
For i As Integer = 0 To _newValues.Length - 1 Step 1
CType(Page.FindControl(String.Concat("Label", i), Label).Text = _currentValues(i)
CType(Page.FindControl(String.Concat("Hidden", i), Hidden).Text = _newValues(i)
Next
End Sub
Protected Sub Timer1_Tick(ByVal sender As Object, ByVal e As EventArgs) Handles Timer1.Tick
'Dynamically set label / hidden data
For i As Integer = 0 To _newValues.Length - 1 Step 1
CType(Page.FindControl(String.Concat("Label", i), Label).Text = _currentValues(i)
CType(Page.FindControl(String.Concat("Hidden", i), Hidden).Text = _newValues(i)
Next
End Sub
End Class
Then in your form:
<asp:Hidden ID="StartIndex" runat="server" Value="" />
<asp:Label ID="Label1" runat="server" Value="" />
<asp:Hidden ID="Hidden1" runat="server" Value="" />
<asp:Label ID="Label2" runat="server" Value="" />
<asp:Hidden ID="Hidden2" runat="server" Value="" />
etc...
This code (or at least a version of it) will build a number of label and hidden input fields that will be used to display data and persist data. Each time the page is posted, the start index will be incremented, which will change the start position of the new values. While the current values will be based on what is posted back from the hidden inputs.
In this program I created one array, while clicking on the get Button it does not show any output because the str variable is empty. How should I get proper output...
Partial Class dynamic_array
Inherits System.Web.UI.Page
Dim s(2) As String
Dim str As String
Protected Sub btn_save_Click(sender As Object, e As System.EventArgs) Handles btn_save.Click
Dim i As Integer = 0
For i = 0 To s.Length - 1
s(i) = InputBox("enter name " + (i + 1).ToString)
Next
End Sub
Protected Sub btn_get_Click(sender As Object, e As System.EventArgs) Handles btn_get.Click
Dim i As Integer = 0
str = ""
For i = 0 To s.Length - 1
str &= s(i) + vbCrLf
Next
MsgBox(str)
End Sub
End Class
You can use Session or ViewState to store the Array values..
try like this
Partial Class dynamic_array
Inherits System.Web.UI.Page
Dim s(2) As String
Dim str As String
Protected Sub btn_save_Click(sender As Object, e As System.EventArgs) Handles btn_save.Click
Dim i As Integer = 0
For i = 0 To s.Length - 1
s(i) = InputBox("enter name " + (i + 1).ToString)
Next
ViewState("Array")=s
End Sub
Protected Sub btn_get_Click(sender As Object, e As System.EventArgs) Handles btn_get.Click
Dim i As Integer = 0
str = ""
s= ViewState("Array")
For i = 0 To s.Length - 1
str &= s(i) + vbCrLf
Next
MsgBox(str)
End Sub
End Class
Hope this will help, Mark useful if it's helps.
In Asp.Net all variables set on the page level are reset on every postback. Thats why s-variable is always empty on get-button click.
You could save this information for example in the viewstate
Viewstate("MyData") = "Something"
I encourage you to familiarize your self with Asp.Net web forms basic state management: http://msdn.microsoft.com/en-us/library/50x35554(v=vs.80).aspx
I have a repeater list that displays results in sets of 15. When you click the next button it shows the next 15 and so on.
I have added some buttons that will then filter the display to show the results in sets of 10, 25, 50.
When you click these it does work but when you click the next button it resets the display value to 15.
Below is the chunk of script:
Public Property CurrentPage() As Integer
Get
' look for current page in ViewState
Dim o As Object = Me.ViewState("_CurrentPage")
If o Is Nothing Then
Return 0
Else
' default to showing the first page
Return CInt(o)
End If
End Get
Set
Me.ViewState("_CurrentPage") = value
End Set
End Property
Protected Sub ItemsGet()
Dim pageSize As Integer = 15
ItemsGet(pageSize)
End Sub
Private Sub ItemsGet(ByVal pageSize As Integer)
' Read sample item info from XML document into a DataSet
' Populate the repeater control with the Items DataSet
Dim objPds As New PagedDataSource()
Dim selectedCategory As String = ddlCategory.SelectedValue.ToString()
Dim selectedCategoryIndex As Integer = ddlCategory.SelectedIndex
Dim selectedCategoryMonth As String = ddlCategoryMonth.SelectedValue.ToString()
Dim selectedCategoryMonthIndex As Integer = ddlCategoryMonth.SelectedIndex
Dim query = GetXmlDataSet()
If (Not String.IsNullOrEmpty(selectedCategory) And selectedCategoryIndex > 0) Then
query = query.Where(Function(x) x("SCategoryName") = selectedCategory)
End If
If (Not String.IsNullOrEmpty(selectedCategoryMonth) And selectedCategoryMonthIndex > 0) Then
query = query.Where(Function(x) x("SCategoryMonth") = selectedCategoryMonth)
End If
If (query.Count() > 0) Then
objPds.DataSource = query.CopyToDataTable().Rows
objPds.AllowPaging = True
objPds.PageSize = pageSize
objPds.CurrentPageIndex = CurrentPage
lblCurrentPage.Text = "Page: " + (CurrentPage + 1).ToString() + " of " + objPds.PageCount.ToString()
' Disable Prev or Next buttons if necessary
cmdPrev.Enabled = Not objPds.IsFirstPage
cmdNext.Enabled = Not objPds.IsLastPage
Display10.Enabled = True
Display25.Enabled = True
Display50.Enabled = True
categories.DataSource = objPds
categories.DataBind()
Else
CurrentPage = 0
categories.Controls.Clear()
cmdPrev.Enabled = False
cmdNext.Enabled = False
Display10.Enabled = False
Display25.Enabled = False
Display50.Enabled = False
lblCurrentPage.Text = "Page: 0 of 0 "
End If
End Sub
Private Sub Display10_Click(ByVal sender As Object, ByVal e As System.EventArgs)
Dim pageSize As Integer = 10
CurrentPage = 0
ItemsGet(pageSize)
End Sub
Private Sub Display25_Click(ByVal sender As Object, ByVal e As System.EventArgs)
Dim pageSize As Integer = 25
CurrentPage = 0
ItemsGet(pageSize)
End Sub
Private Sub Display50_Click(ByVal sender As Object, ByVal e As System.EventArgs)
Dim pageSize As Integer = 50
CurrentPage = 0
ItemsGet(pageSize)
End Sub
Private Sub cmdPrev_Click(ByVal sender As Object, ByVal e As System.EventArgs)
' Set viewstate variable to the previous page
CurrentPage -= 1
' Reload control
ItemsGet()
End Sub
Private Sub cmdNext_Click(ByVal sender As Object, ByVal e As System.EventArgs)
' Set viewstate variable to the next page
CurrentPage += 1
' Reload control
ItemsGet()
End Sub
Protected Sub ddlCategory_SelectedIndexChanged1(ByVal sender As Object, ByVal e As System.EventArgs)
CurrentPage = 0
ItemsGet()
End Sub
Protected Sub ddlCategoryMonth_SelectedIndexChanged(ByVal sender As Object, ByVal e As System.EventArgs)
CurrentPage = 0
ItemsGet()
End Sub
You need to 'persist' the number of items to get.
There are a few ways to do this....
Re-factor PageSize into a property with its backing kept in the viewstate, remember to initialise with appropriate default values.
Change the ItemsGet sub to use the property instead.
My vb is rusty!
Public Property PageSize() As Integer
Get
If Me.ViewState("PageSize") Is Nothing Then
Me.ViewState("PageSize") = 15
End If
Return CInt( Me.ViewState("PageSize") )
End Get
Set
Me.ViewState("PageSize") = value
End Set
End Property
could you please help me find the reason of the mystery I've found?
In the below code, I create a DataTable and filter it. When I use filter1, everything works as expected.
When I use filter2, everything works as expected only if the SubsectionAmount variable is less than 10.
As soon as I set SubsectionAmount=10, the dr2 array returns Nothing.
I can't find what is wrong. Here is the code:
Imports System.Data
Partial Class FilterTest
Inherits System.Web.UI.Page
Protected Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
Call FilterTable()
End Sub
Sub FilterTable()
Dim dtSubsections As New DataTable
Dim SectionID As Integer, SubsectionID As Integer
Dim SubsectionAmount As Integer
Dim filter1 As String, filter2 As String
Dim rowID As Integer
Dim dr1() As DataRow, dr2() As DataRow
With dtSubsections
.Columns.Add("Section")
.Columns.Add("Subsection")
.Columns.Add("FieldString")
SectionID = 1
SubsectionAmount = 10 '9
For SubsectionID = 1 To SubsectionAmount
.Rows.Add(SectionID, SubsectionID, "abcd" & CStr(SubsectionID))
Next SubsectionID
For rowID = 0 To .Rows.Count - 1
Response.Write(.Rows(rowID).Item(0).ToString & " " _
& .Rows(rowID).Item(1).ToString & " " _
& .Rows(rowID).Item(2).ToString & "<BR>")
Next
SubsectionID = 1
filter1 = "Section=" & SectionID & " AND " & "Subsection=" & SubsectionID
filter2 = "Section=" & SectionID & " AND " & "Subsection=" & SubsectionID + 1
dr1 = .Select(filter1)
dr2 = .Select(filter2)
Response.Write(dr1.Length & "<BR>")
Response.Write(dr2.Length & "<BR>")
If dr1.Length > 0 Then
Response.Write(dr1(0).Item("FieldString").ToString & "<BR>")
End If
If dr2.Length > 0 Then
Response.Write(dr2(0).Item("FieldString").ToString & "<BR>")
End If
End With
End Sub
End Class
The line
"Section=" & SectionID & " AND " & "Subsection=" & SubsectionID + 1
looks dodgy to me (?)
Consider this snippet of code:
var i = 2;
string j = "Hello " + i + 1;
when you print j you will get "Hello21" and not "Hello3". The + operator applied on a string will accept any object on the right-hand side and uses them by calling ToString() on the object, hence making your int effectively a string. Now, I assume that in VB.Net it is quite similar, which may not be what you want.
Update
Apparently VB.Net does things differently, so happily ignore...
change your column add statements to the following so it does the comparisons correctly.
.Columns.Add("Section", GetType(Integer))
.Columns.Add("Subsection", GetType(Integer))
.Columns.Add("FieldString")