In VS 2013 have opened an asp classic project and for example here is a source code from it:
CASE "WSF_LAST"
call lastname()
I have always clicked F12 on the method name and it goes to the source code of that method but I have never seen or worked on asp classic project and it does nothing when I F12 it.
If I do a search-all on lastname() the other thing I find is this:
<%sub LastName()%>
<tr>
<td width="1%" align="right" class="inputboxeslabel" nowrap> Last/Inst Name </td>
<td width="99%"><input type="text" name="PhysicianName" size="20" maxlength="35" value="<%=PN%>"></td>
</tr>
<%END Sub
So where is finally the code is coming from?
You've found it... that right there is the Subroutine definition. It's not recommended practice to do it quite like this, but it is what it is. More appropriate to define a function and either Response.Write or return the HTML you see above. Jumping in and out of ASP in the middle of a Sub is difficult to read.
Related
I am working on an ASP.NET VB.NET Web Application. I inherited a bunch of forms from another application we have in house. I'm running into a very strange problem when working on the Login page.
This is an abbreviated version of my code:
<asp:Content ID="Content2" ContentPlaceHolderID="MainContent" runat="Server">
<table>
<tr>
<td>
<span id="Span1" runat="Server" style="Color: Red"></span>
</td>
</tr>
<tr>
<td>
<asp:Login ID="Login1" runat="server">
<LayoutTemplate>
<table>
<tr>
<td>
<span id="Span1" runat="Server" style="Color: Red"></span>
</td>
</tr>
</table>
</LayoutTemplate>
</asp:login>
</td>
</tr>
</table>
</asp:Content>
I have a <span id="span1"> that is located inside my web form, within the Content part of the page. I can easily access this in my CodeBehind, and do whatever I want to do with it. However, if i move that span and put it inside the <asp:login> part of the page, it doesn't seem to recognize it, it won't let me access it in code behind, it gives me a squiggly blue line and says
span1 is not declared. It may inaccessible due to protection level
This bit is from the top of the webform in designer
<%# Page Language="VB" AutoEventWireup="false" CodeFile="Login.aspx.vb" Inherits="_Default" MasterPageFile="~/Site.master" %>
This bit is from the Login.aspx.vb page
Partial Class _Default
Just to say it again, id="span1" works perfectly fine where it is shown in the code above, but when I move it inside the I cannot reference it anymore. Since I'm talking about this issue, for that matter I cannot add any new controls inside because I am not able to reference any other controls in vb.net. (this form was pretty much copied from another project, everything works properly I'm just not sure why I'm having this strange issue)
I noticed that a lot of people have similar issues, but in my case I'm working with <asp:login> and I'm really not sure how it's affecting my controls.
EDIT: <span id="Span1" runat="Server" style="Color: Red"></span>
You need to use FindControl on the Login1 Control
HtmlGenericControl hgc = Login1.FindControl("Span1") as HtmlGenericControl;
hgc.InnerText = "Span Found";
VB
Dim hgc As HtmlGenericControl = CType(Login1.FindControl("Span1"),HtmlGenericControl)
hgc.InnerText = "Span Found"
As per my comments, and as requested by the OP...
You're hitting a problem with the naming container.
When the <span runat="server"> is outside of the <asp:Login><LayoutTemplate> it exists as an object within the page, which you can reference directly.
As soon as it's moved within that <LayoutTemplate> it becomes a child of the <asp:Login> control instead.
So to access the control, you can use the following...
CType(Logon1.FindControl("span1"), HtmlGenericControl).InnerHtml = "hello"
The FindControl will bring back an object, but it needs to be "boxed" into the correct type before you can access the InnerHtml property
to access a control on server side, you must include the "runat='server'" attribute on a tag. That's what tells .NET that any given control is supposed to be worked with on the server side as well as the front-end.
Do note that it will change the ID produced in the rendered HTML
<span id="span1" runat="server"></span>
I need to update a bit of text that's being rendered on a .aspx page. I've searched the source and DB tables, views, and stored procedures, and can't find it.
The bit of code that's generating the text looks like this:
<asp:PlaceHolder id="teamMemberTable" runat="server" />
I searched and couldn't find any references to teamMemberTable anywhere else in the code. Is it possible that the code generating that bit has been compiled into binary and doesn't exist in plaintext anymore?
Here is an example of the outputted html:
<span id="ctl00_rightContent_Repeater1_ctl01_Literal1" class="teamListName">
Team Number One
</span>
<table>
<tr>
<td class="teamListMember">Team Captian</td>
<td class="teamListPlayer">Jane Doe</td>
<td class="teamListStatus teamListStatusPaid">Paid</td>
</tr>
<tr>
<td class="teamListMember">Player 2</td>
<td class="teamListPlayer">John Q. Public</td>
<td class="teamListStatus teamListStatusNotPaid">Not Paid</td>
</tr>
</table>
Yes, it is possible that the code is in an assembly that has already been compiled and is not in plaintext. One option is to run a tool such as .NET Reflector or ILSpy and decompiling all the assemblies in the app and searching through the decompiled code to locate any references to "teamMemberTable".
Another possibility is that the control is being referenced by index instead of by name. For example, if the PlaceHolder control is in the page, it could be referenced as Page.Controls[5] and so you'd never see the name in the source code.
I have been told to find a fix to Cross Site Scripting (XSS) in some of my bank old .asp pages.
I did some research on the subject, but I didn't find an answer to my problem. It's the first time I heard about XSS and the first time I am looking at ASP (although the page has nothing but HTML) and I haven't been into web design for about 2 years now, so I am very very rusty.
So for example, I have this form
<form method="POST" id="CH" name="CH" action="http://some_url/some.asp">
<input type="hidden" name="srv" value="1" ID="srv"/>
<TABLE border="0" cellpadding="0" cellspacing="0" width="100%" align="center">
<TR valign="top">
<TR>
<TD align="center">Input something here
<input name="input_something" type="text" class="field-no-fit" maxlength="12" value="">
</TD>
</TR>
</TR>
</TABLE>
</form>
If I manually input the URL (which contains this form) as
http://this_url/this.asp?1=%22%3E%3Cscript%3Ealert%28HelloWorld%29%3C/script%3E%3Cimg%20alt=%22%22%20src=%22
the page will load and then it will throw a javascript alert and display an error image.
My goal is to stop scripts from running when opening the page.
I read about Server.HTMLEncode but can't find a way to use it to stop the script from running at page load.
Thanks in advance!
EDIT: Will I be able, at least partially, to work around it if I replace the input's value with:
"<%= Server.HTMLEncode(Request("input_something"))%>"
I cannot test it, since, currently, I have no access to IE6, and all the other browsers (including IE>6 versions) avoid the error (already disabled XSS Filter in the Security tab, but it does not work)
i do not think that has anything to do with the browser?
you obviously write the content of a querystring parameter directly on your page like so:
<%=Request.QueryString("1")%>
that is bad.
as you already have found out you should use
server.htmlencode( Request.QueryString("1") )
everywhere on your pages where you write user input directly on the page.
that should do the trick
also have a look here
(I do not know much about ASP) You may be able get an easy fix by enabling ASP request validation. As with any behaviour changes, a number of things can break on other pages (although this would be surprising), so test the the change first. See Step 1 in http://msdn.microsoft.com/en-us/library/bb355989.aspx
Your server is filling in all tags on the page, including the hidden "srv" input, from URL parameters, with no filtering for HTML tags, which then get pasted into the page. You can limit this form to respond to POST only, not GET method, then your example attack will not work. This is probably the easiest and most harmless fix.
Finally, look if you can set cookie attribute for whatever cookie is used to track sessions to HTTPOnly.
A very long read on all possible measures you can use is at http://msdn.microsoft.com/en-us/library/ms998274.aspx
Is it posible to convert an ASP app to ASP.NET? I prefer to work with Visual Studio, in ASP.NET rather than just ASP. I need to do this because I'm stuck trying to watch an ASP page, as I don´t know how to work with ASP, I'm trying to see the code of ASP (classic ASP) in Visual Studio, maybe I need to make some changes, but I don´t know what the changes are. I did several changes in my app, like put a button to select and unselect checkboxes, but I can´t see any change or image, this way to works is different that the way I'm use to it, well,it's supossed this code works, (the problem is I can´t see any change):
<td align="center" colspan="3">
<input type="button" name="btn_seleccionar_todo" value="Seleccionar todo" onclick="javascript:marcar(this.form);">
</td>
<td align="center" colspan="3">
<input type="button" name="btn_desseleccionar_todo" value="Seleccionar todo" onclick="javascript:desmarcar(this.form);">
</td>
function marcar()
{
for (i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=true;
}
}
function desmarcar()
{
for(i=0;i<form.usuarios.options.length;i++)
{
form.usuarios.options[i].checked=false;
}
}
Switching fundamental technologies is a huge undertaking and not to be taken lightly. You definitely shouldn't approach it as a simple translation of VBScript into C#... you need to rewrite the entire thing using the newly selected technology idiomatically. Its like using Google translate to communicate via email or chat with someone who speaks a different language - it could work, but not really very well.
I have added placeholder to a page as below.
<tr >
<td >
<asp:PlaceHolder ID="phMemberName" runat="server" >
</asp:PlaceHolder>
</td>
<td>
<asp:PlaceHolder ID="phMemberTextboxes" runat="server">
</asp:PlaceHolder>
</td>
</tr>
I am adding controls(checkboxes) to it dynamically to it.
It works fine but it throws an error if run in debug mode.
What is the reason ?
The error is
The name 'phMemberName' does not exist in the current context
The problem can be solved the issue using FindControl()
like ,
PlaceHolder phMName = (PlaceHolder)form1.FindControl("ControlID");
check this
Is it possible you've made a typo?
"The name 'placeholderName' does not exist in the current context"
Should that not be "phMemberName"
You might be missing the aspx.designer.cs file. Since this file essentially glues the aspx markup controls to the CodeBehind page(aspx.cs), absence of this file can cause the CodeBehind page to not understand where the "placeholderName" placeholder control exists and hence the error "does not exist in current context".