XSS Poor Validation Classic ASP - asp-classic

I am getting XSS Poor Validation issue in the following code:
<TABLE cellpadding=0 cellspacing=1 border=0 style="table-layout:fixed">
<col width=20%>
<col width=13%>
<col width=20%>
<col width=13%>
<col width=20%>
<col width=13%>
<TR height=25>
<TD class=border_title_sub colspan=2 align=center>미작성</TD>
<TD class=border_title_sub colspan=2 align=center>임시저장중</TD>
<TD class=border_title_sub colspan=2 align=center>작성완료</TD>
</TR>
<%
do until (rs_1.EOF and rs_2.EOF and rs_3.EOF)
%>
<TR height=25>
<%
if rs_1.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_1_check_name = rs_1("check_name")
rs_1_user_name = rs_1("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_1_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_1_user_name))%></TD>
<%
end if
if rs_2.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_2_check_name = rs_2("check_name")
rs_2_user_name = rs_2("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_2_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_2_user_name))%></TD>
<%
end if
if rs_3.EOF then
%>
<TD class=border_text> </TD>
<TD class=border_text align=center> </TD>
<%
else
rs_3_check_name = rs_3("check_name")
rs_3_user_name = rs_3("user_name")
%>
<TD class=border_text><%=HTMLDecode(Server.HTMLEncode(rs_3_check_name))%></TD>
<TD class=border_text align=center><%=HTMLDecode(Server.HTMLEncode(rs_3_user_name))%></TD>
<%
end if
%>
</TR>
<%
if not rs_1.EOF then rs_1.movenext
if not rs_2.EOF then rs_2.movenext
if not rs_3.EOF then rs_3.movenext
loop
rs_1.close
rs_2.close
rs_3.close
set rs_1 = Nothing
set rs_2 = Nothing
set rs_3 = Nothing
%>
</TABLE>
Here, HTMLDecode is my custom function, which is defined as follows:
<%
Function HTMLDecode(sText)
    Dim I
    ' Named entities first (the scraped copy had lost these literals)
    sText = Replace(sText, "&quot;", Chr(34))
    sText = Replace(sText, "&lt;", Chr(60))
    sText = Replace(sText, "&gt;", Chr(62))
    sText = Replace(sText, "&amp;", Chr(38))
    sText = Replace(sText, "&nbsp;", Chr(32))
    ' Then numeric entities &#1; .. &#255;
    For I = 1 To 255
        sText = Replace(sText, "&#" & I & ";", Chr(I))
    Next
    HTMLDecode = sText
End Function
%>
As my data is already encoded in the DB, I am using both Server.HTMLEncode("") [to escape from the security SW] and HTMLDecode("") [to display the information properly].
Could you please help me with this?
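An added example, not code from the question: the scanner is right to flag the pair, because HTMLDecode runs last and undoes Server.HTMLEncode, so whatever plain text the column decodes to (raw markup, or numeric entities) reaches the browser as live markup. Decoding the stored value first and then encoding once at the output boundary keeps it text. HTMLDecode is copied from the question so the fragment stands alone; rs_1 is the question's open recordset.

```vbscript
<%
' Added example: decode the stored value first, then encode once at output.
' The question's HTMLDecode(Server.HTMLEncode(x)) does the reverse, and its
' final decode hands the browser whatever plain text x decodes to.

' Copy of the question's HTMLDecode, included so this fragment stands alone.
Function HTMLDecode(sText)
    Dim I
    sText = Replace(sText, "&quot;", Chr(34))
    sText = Replace(sText, "&lt;", Chr(60))
    sText = Replace(sText, "&gt;", Chr(62))
    sText = Replace(sText, "&amp;", Chr(38))
    sText = Replace(sText, "&nbsp;", Chr(32))
    For I = 1 To 255
        sText = Replace(sText, "&#" & I & ";", Chr(I))
    Next
    HTMLDecode = sText
End Function

' Returns HTML that is safe for element content or a quoted attribute value.
' stored: the column as it sits in the DB (entity-encoded, per the question).
Function SafeDisplay(stored)
    If IsNull(stored) Then
        SafeDisplay = ""              ' Null column: nothing to decode or encode
        Exit Function
    End If
    ' 1. Back to the plain text the user typed: "&#60;b&#62;" and "&lt;b&gt;" both become "<b>".
    ' 2. Encode exactly once, as the last step: "<b>" becomes "&lt;b&gt;" and nothing
    '    decodes it afterwards, so the browser renders text, never markup.
    SafeDisplay = Server.HTMLEncode(HTMLDecode(CStr(stored)))
End Function

' Constructed samples, not DB rows: the same value stored raw and stored with
' numeric entities. The question's order turns both into live <b>...</b> markup;
' SafeDisplay turns both into the literal text &lt;b&gt;Kim&lt;/b&gt;.
Dim sample
For Each sample In Array("<b>Kim</b>", "&#60;b&#62;Kim&#60;/b&#62;")
    Response.Write "question's order: " & HTMLDecode(Server.HTMLEncode(sample)) & "<br>"
    Response.Write "SafeDisplay:      " & SafeDisplay(sample) & "<br>"
Next
%>
<TD class=border_text><%=SafeDisplay(rs_1("check_name"))%></TD>
<TD class=border_text align=center><%=SafeDisplay(rs_1("user_name"))%></TD>
```

If the table turns out to hold a mix of encoded and raw rows, the same order still works: decoding a raw value changes nothing, and the single encode at output protects both cases.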

Related

Change table row colour on condition in Rails

I'm creating multiple tables by date and I want my html table rows to be a different colour depending on a number of conditions. With the help of this question I tried out the following in my shift view:
<% (Date.current - 6.months..Date.current + 6.months).each do |date|%>
<% if !Shift.where(date: date).blank? %>
<% @shifts = LaunchShift.where(date: date).all.order(start_time: :asc, booked: :desc) %>
<h2><%= date.strftime('%e %b %Y') %></h2>
<div class="table-responsive">
<table class="table table-bordered table-striped">
<thead>
<tr>
<th>...</th>
</tr>
</thead>
<% @shifts.each_with_index do |shift, index| %>
<% if shift.booked? %>
<% @booker = Member.find(shift.booked_by) %>
<% end %>
<tbody>
<% if shift.booked? %> <---Trying this for changing colour
<tr style="background-color:red">
<% else %>
<tr>
<% end %>
<td><%= shift.start_time.strftime("%H:%M") %></td>
<% if shift.booked? %>
<td>Booked</td>
<td><%= link_to @booker.name, member_path(@booker) %></td>
<% else %>
<td>Free</td>
<td></td>
<% end %>
[...]
</tr>
</tbody>
<% end %>
</table>
</div>
<% end %>
But only some of the rows marked as booked are red, though shifts.booked? returns True. Does this approach work differently than I think it does? Is there a better way to do this that doesn't use JS/jQuery (I don't know those)? Any advice?
Thank you!
You can try something like:
.booked{
background-color: red;
}
.available{
background-color: grey;
}
<tr class="<%= shift.booked? ? 'booked' : 'available' %>">
</tr>
If the shift is booked then the booked class will apply, otherwise the available class will apply, using the ternary operator.
@ashvin's solution is fine but it would be nice to go one step further and put the ternary operator into a helper method, thereby keeping your view free of logic, e.g.
<tr class="<%= booked_class(shift) %>">
Create a shift_helper.rb file in the helpers folder:
module ShiftHelper
def booked_class(shift)
shift.booked? ? "booked" : "available"
end
end

Script out of range when trying to run a login.asp from a computer on the network

So I have this login script that will open on the machine it's located on, but if I try to run it from my machine on the same network and subnet I get the error log message below.
And
Server Error 500 - Internal server error. There is a problem with the
resource you are looking for, and it cannot be displayed.
GET /isite/login.asp
|22|800a0009|Subscript_out_of_range:'[number:-1]' 80 - 172.17.11.212
Mozilla/5.0+(Windows+NT+6.1;+WOW64;+rv:31.0)+Gecko/20100101+Firefox/31.0
500 0 0 50
<!-- CENTER COLUMN BEGINS HERE -->
<%
'--------------------------------------------------------------------------
'This page is used to allow users to login to the intranet page.
'If no attempt at logging in has been made, the section below will run.
'--------------------------------------------------------------------------
if request.querystring("action") = "" then
full_username = Request.ServerVariables("AUTH_USER")
'response.write full_username
'response.End()
username = Split(full_username,"\")
Dim uservalid
uservalid = "false"
SQLgetallusers = "SELECT * FROM users"
rs.Open SQLgetallusers, Conn
Do while not rs.EOF
If LCase(rs("userid")) = LCase(username(ubound(username))) then
uservalid = "true"
End if
rs.MoveNext
Loop
rs.Close
If uservalid = "true" then
response.cookies("user") = LCase(username(ubound(username)))
Response.Cookies ("user").Expires = DATE + 365
response.redirect("index.asp")
Else
End if
%>
<table width="100%" border="0" cellspacing="1" cellpadding="3" align="center">
<tr>
<td class="titleheader">Please Login</td>
</tr>
<tr>
<td class="maintext">
<table width="100%" border=0 cellspacing="1" cellpadding="0">
<tr>
<td width="100%" align="center">You do not have access to this resource.<br>
<br>
Please contact the Service Desk for access.
</td>
</tr>
</table>
</td>
</tr>
</table>
<%
else
'If the user has made an attempt at logging in, the following scripts will run
'------------------------------------------------------------------------------
'This creates a recordset with all the users in it which will allow us to check for usernames against passwords.
SQLgetaccount = "SELECT * FROM users"
rs.Open SQLgetaccount, Conn
Do while not rs.EOF
'If the username entered in the login page and the password entered in the login page both correspond to their
'database equivalents, then the user cookie is created with an expiry of 1 year and the user is redirected to index.asp
if rs("userid") = request.form("user_name") AND rs("password") = request.form("user_pass") then
Response.Cookies ("user") = rs("userid")
Response.Cookies ("user").Expires = DATE + 365
response.redirect("index.asp")
end if
rs.MoveNext
Loop
rs.Close
'If the username and password are incorrect, the following script is run
%>
<table width="100%" border="0" cellspacing="1" cellpadding="3" align="center">
<tr>
<td class="titleheader">Please Login</td>
</tr>
<tr>
<td class="maintext"><form method=post action="login.asp?action=login">
<table width="100%" border=0 cellspacing="1" cellpadding="0">
<tr>
<td colspan=2 align="center" class="maintext"><p style=" color: red "><strong>Invalid Login details</strong></p></td>
</tr>
<tr>
<td width=50% align="right" class="maintext">Username: </td>
<td width=50% align="left" class="maintext"><input type="text" class="maintext" name="user_name"></td>
</tr>
<tr>
<td width=50% align="right" class="maintext">Password: </td>
<td width=50% align="left" class="maintext"><input type="password" class="maintext" name="user_pass"></td>
</tr>
<tr>
<td colspan=2 align="center"><input type="submit" value="Log In"></td>
</tr>
</table></form>
</td>
</tr>
</table>
<%
end if
%>
<!-- CENTER COLUMN ENDS HERE -->
<!--#include file="footer.inc"-->
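An added example, not the question's code: the [number: -1] in the log is UBound of the array that Split returns for an empty string. AUTH_USER is empty whenever IIS served the request anonymously, which is what typically happens when a browser on another machine does not send Windows credentials, so the question's username(ubound(username)) indexes element -1 and raises 800a0009. This version treats an empty AUTH_USER as not logged in and looks the account up with a query parameter instead of scanning the whole table; it assumes the question's Conn object and its users table with a userid column.

```vbscript
<%
' Added example (not the question's code). Handles the empty AUTH_USER case that
' raises 800a0009: Split("", "\") is a zero-length array, UBound is -1, and
' username(-1) is out of range. Assumes the question's Conn and users table.

' Bare account name from "DOMAIN\user" or "user"; "" when IIS passed no identity.
Function AccountName(authUser)
    Dim parts
    AccountName = ""
    If IsNull(authUser) Then Exit Function
    If Len(Trim(authUser)) = 0 Then Exit Function    ' anonymous request: no account
    parts = Split(authUser, "\")
    AccountName = LCase(Trim(parts(UBound(parts))))
End Function

' True only when the account exists in users. One parameterised lookup instead of
' the question's loop over SELECT * FROM users (assumes the same userid column).
Function IsKnownUser(account)
    Dim cmd, lookup
    IsKnownUser = False
    If Len(account) = 0 Then Exit Function           ' fail closed on an empty identity
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = Conn
    cmd.CommandType = 1                               ' adCmdText
    cmd.CommandText = "SELECT userid FROM users WHERE LOWER(userid) = ?"
    cmd.Parameters.Append cmd.CreateParameter("userid", 200, 1, 255, account) ' adVarChar, adParamInput
    Set lookup = cmd.Execute
    IsKnownUser = Not lookup.EOF
    lookup.Close
End Function

Dim account
account = AccountName(Request.ServerVariables("AUTH_USER"))
If IsKnownUser(account) Then
    Response.Cookies("user") = account
    Response.Cookies("user").Expires = Date + 365
    Response.Redirect "index.asp"
End If
' An empty AUTH_USER or an unknown account falls through to the question's
' "You do not have access to this resource" table instead of erroring out.
%>
```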

Download Excel not working properly in ASP

I am new to ASP. I need to write a script to download Excel in ASP. I tried, but it is downloading the entire page content, and I need to download the table from the database.
Here is my code:
<%@ Language="VBScript"%>
<form name="form1" id="form1" method="post">
<input type="hidden" name="action" value="sel">
<table>
<tr>
<td><input type="submit" name="submit" id="submit" value="Download Excel"></td>
</tr>
</table>
Hello World
<%
action = Request.Form("action")
If action="sel" Then
Response.ContentType = "application/octet-stream"
Response.ContentType = "application/vnd.ms-excel"
SET Conn = Server.CreateObject("ADODB.Connection")
Conn.OPEN "PROVIDER=SQLOLEDB;DATA SOURCE=10.1.1.1;UID=sa;PWD=root;DATABASE=Student"
dim Conn,Rs
set Rs=server.createobject("ADODB.recordset")
Rs.open "SELECT * FROM studentdetails",Conn
Response.AddHeader "Content-Disposition", "attachment; filename=xl_data.xls"
%>
<TABLE BORDER=1>
<TR>
<%
j = 2
For i = 0 to RS.Fields.Count - 1
%>
<TD width="18"><B>
<% = RS(i).Name %></B></TD>
<% Next %>
<TD width="42"></TD>
<TD width="53"></TD>
</TR>
<%
Do While Not RS.EOF
%>
<TR>
<% For i = 0 to RS.Fields.Count - 1
%>
<TD VALIGN=TOP><% = RS(i) %></TD>
<% Next %>
</TR>
<%
RS.MoveNext
j = j + 1
Loop
RS.Close
End If
%>
</TABLE>
In this program I have included a Hello World line; while downloading, it is downloading that also. So please give me some suggestions. Thanks in advance.
Replace
Response.ContentType = "application/octet-stream"
with
Response.Clear
otherwise you are sending the form and the table to Excel.

How to add total from a search form

I would like to query based on some fields to generate a report: date range, department, student with date range. I have the form working for searching....
However, I need to calculate totals for each of these fields from a report.
For example: if I search for students and the search results are:
Department Date Range Student Cost
DeptA 1/1/2012-12/31/2012 StuA $100
DeptA 1/1/2012-12/31/2012 StuB $50
DeptA 1/1/2012-12/31/2012 StuC $50
How can I calculate the total of cost automatically online (= $200)?
Thanks.
Here is my code:
<%
Path = Request.ServerVariables("PATH_TRANSLATED")
While (Right(Path, 1) <> "\" And Len(Path) <> 0)
iLen = Len(Path) - 1
Path = Left(Path, iLen)
Wend
Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.open strCon
SelectStmt = "Select * From view_costs Where "
WhereClause = ""
WhereBetweenClause = "BETWEEN"
If Request("qryDepartment") <> "All Departments" Then
qryDepartment = replace(request("qryDepartment"),"'","''")
WhereClause = WhereClause & "Department = '" & qryDepartment & "' AND "
End If
If Request("qryStudents") <> "All Students" Then
WhereClause = WhereClause & "Name = '" & Request("qryStudents") & "' AND "
End If
sStartDate = Request("StartDate")
sEndDate = Request("EndDate")
If IsDate(sStartDate) And IsDate(sEndDate) Then
WhereClause = WhereClause & "(StartDate >= '" & sStartDate & "' AND EndDate <= '" & sEndDate & "') "
End If
Set adoCon = Server.CreateObject("ADODB.Connection")
adoCon.open strCon
pstart = trim(request.form("pstart"))
pfinish = trim(request.form("pfinish"))
Set getDepartment = Server.CreateObject("ADODB.Recordset")
getDepartment.Open "Select Department from view_costs order by Department;",adoCon
Set getname = Server.CreateObject("ADODB.Recordset")
getname.Open "Select Name from view_costs order by Name;",adoCon
%>
<html>
<head>
<title>The Resport</title>
</head>
<body>
<table width="770" align="center">
<tr>
<td colspan="4" class="n"><span id="h3">Search Menu</span></td>
</tr>
<form method=Department action="Search.asp" name="Search">
<tr>
<td>
<% if not getDepartment.eof then %>
<select name="qryDepartment" size="1" title="Select a Department Name" style="width:200;background-color=#F5D0A9;">
<option selected>All Departments</option>
<% do until getDepartment.eof %>
<option><%= getDepartment("Department") %></option>
<% getDepartment.MoveNext
loop %>
</select>
<% end if %>
</td>
<td>
<% if not getname.eof then %>
<select name="qryStudents" size="1" title="Select a Student Name" style="width:200;background-color=#F5D0A9;">
<option selected>All Students</option>
<% do until getname.eof %>
<option><%= getname("Name") %></option>
<% getname.MoveNext
loop %>
</select>
<% end if %>
</td>
<%
%>
<td><span id="b"> Start:</span> <input name="StartDate" type="text" size="15" maxlength="12" value="<%=sStartDate%>">
<img src="calendar.gif" alt="calendar"></td>
<td><span id="b"> End:</span> <input name="EndDate" type="text" size="15" maxlength="12" value="<%=sEndDate%>">
<img src="calendar.gif" alt="calendar"></td>
</tr>
<tr class="search-bg">
<td colspan="6">
<input type="button" name="Submit" value="Search" onClick="if (isDate()) document.Search.submit();">
</tr></table>
<% If oRs.RecordCount = 0 Then %>
<p></p>
<% Else %>
<table width="960" align="center">
<form method="Department">
<tr bgcolor="#FE9A2E" height="25">
<td class="a"> Department Name</td>
<td class="a"> Student</td>
<td class="a"> Start</td>
<td class="a"> End</td>
<td class="a"> Cost</td>
</tr>
<tr>
<td><%=oRs("Department")%> </td>
<td><%=oRs("Name")%> </td>
<td><%=FormatDateTime(Month(oRs("StartDate")) & "/" & Day(oRs("StartDate")) & "/" & Year(oRs("StartDate")))%> </td>
<td><%=FormatDateTime(Month(oRs("EndDate")) & "/" & Day(oRs("EndDate")) & "/" & Year(oRs("EndDate")))%> </td>
<td <%=sRowStyle%>>$<%=oRs("Cost")%> </td>
</tr>
<% oRs.MoveNext %>
<% WEND %>
</table>
</td>
</tr>
</table>
<% oRs.close
set oRs = nothing
set adoCon = nothing
%>
Why not specify the fields in your SQL (instead of "SELECT * ..."), then add up the values via variables in the loop and output them in a new table row after the loop?
Or you could use SQL's SUM() function to query those values.
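An added example, not the asker's or the answerer's code: the SUM() route from the answer, building the same optional WHERE clause as the question's page but with ADO parameters instead of concatenated request values (the question splices Request("qryStudents") into the SQL text unescaped). It assumes the question's adoCon connection and the view_costs columns shown above, with Cost numeric.

```vbscript
<%
' Added example: the total for the current search via SQL SUM(), as the answer
' suggests. Reuses the question's adoCon and view_costs columns; assumes Cost is
' numeric. Every filter adds a "?" placeholder plus a parameter in the same order,
' so request values are never spliced into the SQL text as the question does.
Function TotalCost(adoCon, department, student, startDate, endDate)
    Dim cmd, rs, sql, where
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = adoCon
    cmd.CommandType = 1                                  ' adCmdText
    where = ""
    If department <> "All Departments" Then
        where = where & " AND Department = ?"
        cmd.Parameters.Append cmd.CreateParameter("dept", 200, 1, 255, department)   ' adVarChar, adParamInput
    End If
    If student <> "All Students" Then
        where = where & " AND Name = ?"
        cmd.Parameters.Append cmd.CreateParameter("student", 200, 1, 255, student)
    End If
    If IsDate(startDate) And IsDate(endDate) Then
        where = where & " AND StartDate >= ? AND EndDate <= ?"
        cmd.Parameters.Append cmd.CreateParameter("start", 7, 1, 0, CDate(startDate))  ' adDate
        cmd.Parameters.Append cmd.CreateParameter("finish", 7, 1, 0, CDate(endDate))
    End If
    sql = "SELECT SUM(Cost) AS TotalCost FROM view_costs"
    If Len(where) > 0 Then sql = sql & " WHERE " & Mid(where, 6)   ' drop the leading " AND "
    cmd.CommandText = sql
    Set rs = cmd.Execute
    If IsNull(rs("TotalCost")) Then                      ' no matching rows: SUM() is NULL
        TotalCost = 0
    Else
        TotalCost = rs("TotalCost")
    End If
    rs.Close
End Function
%>
<!-- Total row: goes after the per-row output, before the closing </table> -->
<tr>
    <td colspan="4" align="right">Total</td>
    <td>$<%=FormatNumber(TotalCost(adoCon, Request("qryDepartment"), Request("qryStudents"), Request("StartDate"), Request("EndDate")), 2)%></td>
</tr>
```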

Having trouble getting unique id for each control after looping a table row

I am looping the entire table along with the controls. For each row the user can enter a number to perform a calculation and display it in a label on that same row, but it keeps on affecting all the rest of the rows because they're in a loop, so there is no unique id for each control.
[code]
<%@ Page Title="" Language="VB" MasterPageFile="~/public.master" AutoEventWireup="false" CodeFile="ccalc.aspx.vb" Inherits="ccalc" %>
<%@ Import Namespace="System.Data" %>
<%@ Import Namespace="System.Data.OleDb" %>
<asp:Content ID="Content1" ContentPlaceHolderID="head" Runat="Server">
</asp:Content>
<asp:Content ID="Content2" ContentPlaceHolderID="ContentPlaceHolder2" Runat="Server">
<div>
<h1>Estimated Monthly Electricity Consumption Calculator</h1>
</div>
<div>
<%
Dim id As Integer
Dim catname As String
Dim db As New databaseconnection
Dim cmd As New OleDbCommand
cmd.Connection = db.connection
cmd.CommandText = "select * from ecg_projectDB2.dbo.DeviceCategory"
cmd.CommandType = CommandType.Text
Dim dr As OleDbDataReader
dr = cmd.ExecuteReader
Dim found As Boolean = False
While dr.Read
found = True
id = dr("CategoryID")
catname = dr("CategoryName")
%>
<table width="100%" cellpadding="5" cellspacing="1" bgcolor="#FFFFFF" class="ten">
<tbody>
<tr>
<td colspan="5"><h2><% Response.Write(catname)%></h2></td>
</tr>
<tr align="center">
<th class="style1" bgcolor="#FFCC66">Electrically Powered Items</th>
<th class="ten" bgcolor="#FFCC66"><div align="center">Quantity</div></th>
<th class="ten" bgcolor="#FFCC66"><div align="center">Average
monthly KWh</div></th>
<th class="ten" bgcolor="#FFCC66"><div align="center">KWh/month</div></th>
<th class="ten" bgcolor="#FFCC66"><div align="center">GHc /month</div></th>
</tr>
<%
Dim appid As Integer
Dim appname As String
Dim wpm As Single
Dim brb As New OleDbCommand
brb.Connection = db.connection
brb.CommandText = "select * from ecg_projectDB2.dbo.Appliances where CategoryID = '" & id & "'"
brb.CommandType = CommandType.Text
Dim br As OleDbDataReader
br = brb.ExecuteReader
Dim ins As Boolean = False
Dim counter As Integer = 0
While br.Read
ins = True
appid = br("ApplianceID")
'quantity.ID = appid
kwh.ID = appid
ghc.ID = appid
appname = br("ApplianceName")
wpm = br("Wattpermin")
counter = counter + 1
Dim qid = quantity.id
Dim kwhid = kwh.ID
Dim totusage As Single
'Label1.Text = quantity.ID
If IsPostBack Then
Dim aaa = quantity.ID
If counter Then
'Dim MainContent As ContentPlaceHolder = CType(Page.Master.FindControl("MainContent")
kwh.Text = quantity.UniqueID
'kwh.Text = Results.text
End If
End If
%>
<tr>
<td class="style1"><strong><% Response.Write(appname)%></strong></td>
<td class="highlight"><div align="center">
<asp:TextBox ID="quantity" runat="server" AutoPostBack="True" CssClass="input"
Width="79px" ></asp:TextBox>
</div></td>
<td><div align="center">
<input name="refrigeratorMonthKWh" value="182" type="hidden" />
<asp:Label ID="Label1" runat="server" Text="Label"></asp:Label>
</div></td>
<td><div align="center">
<asp:TextBox ID="kwh" runat="server" CssClass="input4" Width="59px"></asp:TextBox>
</div></td>
<td><div align="center">
<asp:TextBox ID="ghc" runat="server" CssClass="input4" Width="59px"></asp:TextBox>
</div></td>
</tr>
<%
End While
brb.Dispose()
br.Close()
%>
</tbody>
</table>
<%
End While
cmd.Dispose()
dr.Close()
%>
</div>
<%
%>
<div>
<table width="100%" border="0" cellpadding="5" bgcolor="#FFF7E5" class="ten">
<tbody>
<tr>
<td><font color="#9f7f40">Estimated</font> monthly <u><font color="#FF0000">household </font></u>*
usage:
<asp:TextBox ID="totalusage" runat="server" CssClass="input4" Width="59px"></asp:TextBox>
kWh; <br /></td>
</tr>
<tr>
<td class="highlight"><font color="#9f7f40">Estimated</font> monthly <u><font color="#FF0000">household</font></u>*
bill: ¢
<asp:TextBox ID="totalbill" runat="server"
CssClass="input4" Width="59px"></asp:TextBox>
</td>
</tr>
<tr>
<td class="highlight"><h3><strong><em>*Heating usage
not included in household totals</em></strong></h3></td>
</tr>
</tbody>
</table>
</div>
</asp:Content>
<asp:Content ID="Content3" ContentPlaceHolderID="ContentPlaceHolder1" Runat="Server">
</asp:Content>
[/code]
You should really consider using the ASP.NET Repeater control. The way you are doing things is NOT optimal; this is the Classic ASP approach, and you should stay away from it.
In your approach you have to use client-side HTML controls (same as Classic ASP) and access them using the Request object.
