I need to read error message of validation controles (RequiredFeildValidator) from resource files in my App_LocalResource folder as my web app is multilingual....
<asp:RequiredFieldValidator ID="RequiredFieldValidator4" runat="server"
ControlToValidate="ddlTicketType" ErrorMessage="Ticket type required."
ForeColor="White" InitialValue="Select" SetFocusOnError="True"
ValidationGroup="tkt" meta:resourcekey="RequiredFieldValidator4Resource1">*</asp:RequiredFieldValidator>
and the key "RequiredFieldValidator4Resource1" is existed in resource file as some text...but it is not picking up the exact value, rather it is showing some unreadable content......
I changed my ValidationSummary to ShowMessageBox="False" & ShowSummary="True" and it works, it showed me desired result.....i want them to be work in Message Box too.....
Every other thing are working fine, like text in labels and in other controles like buttons, hyper links are coming correctly.....
after scracthing my head for so many days, finally i found answer for this...the javascript alert and validation control message box uses your local computer language & cultural...i have enables it for the culture i want and it worked like a charm...thanks
Related
I'm using OWASP ZAP software to test a simple asp.net site for vulnerability. I'm getting a medium alert of Format String Attack type that I'm not understanding well.
In details I'm getting these informations:
Description: A Format String error occurs when the submitted data of an input string is evaluated as a command by the application.
URL: http://example.com/page.aspx
Parameter: ctl00%24ContentPlaceHolder1%24dropType
Attack: ZAP
Solution: Rewrite the background program using proper deletion of bad character strings. This will require a recompile of the background executable.
Other information: Potential Format String Error. The script closed the connection on a /%s
Reference: https://www.owasp.org/index.php/Format_string_attack
The ddl is like this:
<asp:DropDownList ID="dropType" runat="server" >
<asp:ListItem Value="A" Text="SIMPLE A TEXT"></asp:ListItem>
<asp:ListItem Value="B" Text="SIMPLE B TEXT"></asp:ListItem>
<asp:ListItem Value="C" Text="SIMPLE C TEXT"></asp:ListItem>
</asp:DropDownList>
and initially I thought that the problem was getting the value from that, so I change the code from:
cmd.Parameters.AddWithValue("#type", dropType.SelectedItem.Text)
to:
cmd.Parameters.AddWithValue("#type", Regex.Replace(dropType.SelectedItem.Text, "[^\w\.#-]",""))
but recompiling and rerunning the test, I'm still getting the alert. Then I try commenting that entire line of code, just for test, but compiling and rerunning the test I still having the alert. Is a false positive, considering that now I've just a simple dropdownlist in the aspx page without references to that in the code?
UPDATE:
If I add a page, page2.aspx, with the same ddl, I'm getting no vulnerability alert on it. The only difference with the other page with the same dll that's causing the alert is that there are no reference to page2.aspx in other pages, but in some pages there are instead link to page.aspx, the page of the alert:
<a href="../page.aspx">
<img src="../img/image.jpg" />
</a>
So I think that the alert in some way is about that..
Below is my html code. I have a email textbox and there is a login button. I have added a required field validator and regular expression validator for email textbox.
The problem is that when I type some thing in the email textbox browser's auto suggestion shows some list of emails. When I select any of those emails by using down arrow key and enter key it shows the error message for regular expression validation even though email is in proper format.
<asp:RequiredFieldValidator ID="reqValUserName" runat="server"
ErrorMessage="Email is required!"
ControlToValidate="txtUserName"
ValidationGroup="validateCredential"
Display="Dynamic">
</asp:RequiredFieldValidator>
<asp:RegularExpressionValidator ID="regValUserName" runat="server"
ErrorMessage="Incorrect format!"
ControlToValidate="txtUserName"
ValidationExpression="\w+([-+.']\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*"
ValidationGroup="validateCredential"
Display="Static">
</asp:RegularExpressionValidator>
<asp:TextBox ID="txtUserName" runat="server"
TabIndex="1" CssClass="inputCredential" MaxLength="60"
AccessKey="E"
ValidationGroup="validateCredential">
</asp:TextBox>
<asp:Button ID="btnLogin" runat="server" CssClass="btnPrimary"
Text="Login" onclick="btnLogin_Click"
ValidationGroup="validateCredential"/>
In this image as you see if I select the email from the suggestion and press enter it is showing the wrong email validation message.
Can anyone please let me know, how to stop this kind of message display?
If there is any clarification needed regarding the question then please add it as a comment.
You could add the EnableClientValidation="false" attribute to the regex validator so that it only checks the format on the server after the other validators have been passed.
Or follow the advice here:
What determines the order validators fire in?
Also add regular expression validator
for email text box
<asp:RegularExpressionValidator ID="regtxtPrimaryEmail" runat="server" ControlToValidate="txtEmailId"
Display="Dynamic" CssClass="cssVal" ToolTip="Invalid email." ValidationGroup="registration"
ValidationExpression="\w+([-+.']\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*"></asp:RegularExpressionValidator>
Then it will not submit until the email format correct.
It seems your some controls has autopostback="true" and your these controls are in update panel if not then what you can do is..Remove the display properties of all the validation controls and on btnLogin_Click Event call Validate(); Method.
Also read more In Depth detail on Validators on MSDN
you'll certainly get your answer....
Thanks for all your answers and suggestions.
Below is what I have done after going through all the answers.
<asp:RegularExpressionValidator ID="regValUserName" runat="server"
ErrorMessage="Incorrect format!"
ControlToValidate="txtUserName"
ValidationExpression="\w+([-+.']\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*"
ValidationGroup="validateCredential"
Display="Dynamic" EnableClientScript="false">
</asp:RegularExpressionValidator>
As you can see, I have added EnableClientScript="false" so that the error message will not be shown when I type half of email and select from auto suggestion and press enter.
Now the problem was it was always checking for whether entered credentials are correct of not as it was doing validation in server side. So I had some unnecessary code execution and database interaction.
So in click event handler of login button I did following change.
if(Page.IsValid)
{
// My credential check code
}
So the above block of code will run code for checking correctness of entered credentials only if they are in proper format.
But I am still looking for a better answer. This is only a work around. Because when it comes to performance server side validation can never match client side validation. Here I am compromising with usability. As I want user to be notified immediately after he/she enters a wrong formatted email. This can be achieved by using javascript, but I wonder if there is any way we can achieve it using validator controls..
This is happening because the client-side REV is validating on the partial input. For example, in the above illustration, the REV is validating "r" as its input. In order to verify this,
type in the entire email address "rupeshn#aol.com" >> then
select the suggested email using the down arrow >> then
hit the enter key.
The REV will not complain this time.
As for the solution: implement the REV in javascript. Add a label next to the textbox for error message. Call the js when the cursor exits the textbox. If the validation fails, find the label in the js and add the error message.
Just see the properties of the validator there you will find 'Display' property under Appearance section, set it to dynamic and VOLA!!
I have a Microsoft ReportViewer control on my web page. However, if someone types in an invalid input for one of the parameters then it displays a rather unfriendly error message where the report should go. For example: The value provided for the report parameter 'pToDate' is not valid for its type. (rsReportParameterTypeMismatch)
The control prompts the user for the information with "To Date" and "pToDate" is the internal name of the parameter. The users won't know this, nor will they likely react well to "rsReportParameterTypeMismatch" (what ever that means!? [while thinking like a user])
As I couldn't find somewhere in the ReportViewer control to put any error or custom message, my solution was to create a label in which to put a more friendly error message. This works insofar as the friendly error message is displayed.
My problem is that once the user has corrected their mistake and clicks "View Report" the report is displayed but the error message is still visible. I've set the label text to string.Empty, I've set the label to Visible = false. I've tried this in various places, ensured the code is hit, but to no avail.
So, is there any way to get custom messages to appear and disappear with a ReportViewer control?
Okay - I've got something that works
Previous I had this:
<asp:Label runat="server" ID="ReportErrorMessage" Visible="false" CssClass="report-error-message">
</asp:Label>
which I was updating in the code behind like this:
ReportErrorMessage.Text = GetErrorMessage(reportException);
ReportErrorMessage.Visible = true;
and then removing like this:
ReportErrorMessage.Visible = false;
ReportErrorMessage.Text = string.Empty;
The latter part didn't work.
I eventually realised that the ReportViewer control is using partial rendering and so wasn't actually changing the label at all (and consdering that, I've still not quite figured out how the initial display actually worked, but anyway...)
The solution was to wrap the label in an update panel like this:
<asp:UpdatePanel runat="server">
<ContentTemplate>
<asp:Label runat="server" ID="ReportErrorMessage" Visible="false" CssClass="report-error-message">
</asp:Label>
</ContentTemplate>
</asp:UpdatePanel>
UPDATE
I've also added a full explanation onto my blog: Friendly Error Messages with Microsoft Report Viewer
I am developing contactus webpage which have a input field called Email. It is validated against a required field validator and regular expression validator with appropriate messages.
Required: Enter Email
Regular Expression: Invalid Email
I am setting these two as given below:
<asp:TextBox ID="txtEmail" runat="server"></asp:TextBox>
<font color="#FF0000">*</font>
<asp:RequiredFieldValidator ID="rfvemail" CssClass="error_text" ControlToValidate="txtEmail"
runat="server" ErrorMessage="Enter email address."></asp:RequiredFieldValidator>
<asp:RegularExpressionValidator ID="revemail" runat="server" ControlToValidate="txtEmail"
ErrorMessage="Invalid Email" ValidationExpression="\w+([-+.]\w+)*#\w+([-.]\w+)*\.\w+([-.]\w+)*"></asp:RegularExpressionValidator>
My problem is both Enter Email and Invalid Email is occupying its own space. For Ex: If I leave email as empty space and press submit, Enter Email is displaying right next to it. If I enter invalid email(xxx), Enter Email is off but taking the space, Invalid Email message is displayed after these space taken by 'Enter Email' before.
Is there any way to remove this space??
Mahesh
Set Display = "Dynamic" on it.
http://msdn.microsoft.com/en-us/library/system.web.ui.webcontrols.basevalidator.display%28v=VS.100%29.aspx
Use Diplay = "Dynamic"
The display behavior for the validation control. Legal values are:
None (the control is not displayed. Used to show the error message only in the
ValidationSummary control)
Static (the control displays an error message if validation fails. Space is
reserved on the page for the message even if the input passes validation.
Dynamic (the control displays an error message if validation fails. Space is not
reserved on the page for the message if the input passes validation
If I understand the question correctly, I think the answer is to set the Display property to Dynamic.
If you're using ASP.NET Themes, you can set this as the default for all validators in your Theme using a Skin file, so you never have to worry about it again.
Does asp.net have a built in mechanism that can sanitize all textbox input instead of redirecting to the error page?
I have a textbox input where a user can enter a name, but if they try to enter and <> tags the page automatically throws an error. I just want to handle this error in a user friendly way.
You'll want to look at the AntiXSS library for that. It's a dll so it's easy to drop in and start using it.
The download is at CodePlex.
You can use the ASP.NET RegularExpressionValidator control with a pattern like: ^[^<>]*$
<asp:RegularExpressionValidator ID="rev" runat="server"
ControlToValidate="txtBox"
ErrorMessage="The <> tags are not allowed!"
ValidationExpression="[^<>]*" />
<asp:RequiredFieldValidator ID="rfv" runat="server" ControlToValidate="txtBox"
ErrorMessage="Value can't be empty" />
The RequiredFieldValidator is used in conjunction with the RegularExpressionValidator to prevent blank entries. If that textbox is optional, and only needs to be validated when something is entered, then you don't have to use the RequiredFieldValidator.
The benefit of doing it this way is that the error can be handled gracefully and the user can be notified on the same page.
However, if you need to do this for many textboxes and you just want to present something nicer than the error page, you could handle the ValidateRequest error to provide a friendlier message and keep the user on the same page (not just replace it with a custom error page). For more info, check out Kirk Evans' post: Handling ValidateRequest errors within a Page (refer to the section titled Overriding the OnError Method).
Read this for a step-by-step: http://yourtahir.wordpress.com/2008/03/28/aspnet-not-allow-html-in-text-boxserver-error-in-application-a-potentialy-dangerous-requestform-value-was-detected/
You have to do some web.config work.
ASP.net has validation controls
[http://msdn.microsoft.com/en-us/library/7kh55542.aspx][1]
Also there is Mark Down Editor which is a control that strips out html tags etc.