Spoiled by Ruby on Rails (3), I expect all my HTML output to be automatically encoded.
I asked this question about script exploits a bit earlier and am now wondering, is there some setting, plugin or extension for ASP.NET that will automatically cause all HTML to be HtmlEncode'ed or do I have to be really careful and ensure that on my own?
Various ASP.NET controls automatically encode HTML with HtmlEncode (and a few do URL encoding with UrlEncode), but it's not universal. Here's a list of controls and what encoding (if any) they do automatically. I don't know if it's updated for .NET 4.0 or not:
Which ASP.NET Controls Automatically Encodes? (this link will ask you to save the document)
This is the blog that the above document is from:
http://blogs.msdn.com/b/sfaust/archive/2008/09/02/which-asp-net-controls-automatically-encodes.aspx
It was originally posted in Sep 2008, so it's probably current for 2.0, but not necessarily 4.0. Still a useful resource to have, though, IMO.
You should also look at the Microsoft Anti-Cross Site Scripting Library 3.1.
As pointed out by balexandre, it appears the Anit-XSS library is now part of the open source Web Protection Library:
Microsoft Web Protection Library
Also, OWASP is a good resource for security information, and they have an Enterprise Security API project (ESAPI) that is available (to varying degrees) in various programming languages. The .NET one is not complete yet, I believe.
OWASP Enterprise Security API
If you're using ASP.NET 4.0 with WebForms, then using the code nugget <%: %> will automatically HtmlEncode the output. If you're using the Razor engine, then all data is HtmlEncoded by default.
By default, ASP.Net will not accept postbacks where a Inputcontrol contains html elements. This behaviour is set at a page level by the property ValidateRequest.
If you want to accept postbacks containing html, you need to set ValidateRequest to false and HtmlEncode the userinput yourself on the server before further proceeding
Related
I have recently been investigating methods of creating web-based forms for an ASP.NET web application that can be edited and managed at runtime. For example an administrator might wish to add a new validation rule or a new set of fields.
The holy grail would provide a means of specifying a form along with (potentially very complex) arbitrary validation rules, and allocation of data sources for each field. The specification would then be used to update the deployed form in the web application which would then validate submissions both on the client side and on the server side.
My investigations led me to Xforms and a number of technologies that support it. One solution appears to be IBM Lotus Forms, but this requires a very large investment in terms of infrastructure, which makes it infeasible, although the forms designer may be useful as a stand-alone tool for creating the forms. I have also discounted browser plug-ins as the form must be publicly visible and cross-browser compliant.
I have noticed that there are numerous javascript libraries that provide client side implementations given an Xforms schema. These would provide a partial solution but server side validation is still a requirement.
Another option seems to involve the use of server side solutions such as the Java application Orbeon. Orbeon provides a tool for specifying the forms (although not as rich as Lotus Forms Designer), but the most interesting point is that it can translate an XForms schema into an XHTML form complete with validation. The fact that it is written in Java is not a big problem if it is possible to integrate with the existing ASP.NET application.
So my question is whether anyone has done this before. It sounds like a problem that should have been solved but is inherently very complex. It seems possible to use an off-the-shelf tool to design the form and export it to an Xforms schema and xhtml form, and it seems possible to take that xforms schema and form and publish it using a client side library. What seems to be difficult is providing a means of validating the form submission on the server side and integrating the process nicely with .NET (although it seems the .NET community doesn't involve themselves with XForms; please correct me if I'm wrong on this count).
I would be more than happy if a product provided something simple like a web service that could validate a submission against a schema. Maybe Orbeon does this but I'd be grateful if somebody in the know could point me in the right direction before I research it further.
Many thanks.
I'm probably missing something but...
The way I've done this sort of thing in the pass is to create a schema for form declaration & an xslt to convert that xml to html. You can then add all sorts of validation, based on the xml schema you've designed. What I am usually missing is the form designer though.
You can use XHTML for the forms, or like Simon suggested, a custom language as an abstraction layer. The application can load the form at runtime, transform/style it and serve it to the user. You can edit the form and make changes without the need to recompile/redeploy.
For validation you can use Schematron, this can also be easily edited at runtime using XML-aware tools.
You can use Javascript to produce XML data in the browser, or you can transform application/x-www-form-urlencoded to XML on the server (that is what I do on this page).
Are there any third-party Templating Engines for Asp.net like we have smarty,savant for php ?
Spark: http://sparkviewengine.com/
Your question does not explicitly states what "breed" of ASP.NET you are using, so I guess it is most likely web forms. If this assumption is correct, I would not recommend for you to replace the default view engine. In order to make good use of the build in controls, you really want to keep the abstraction where HTML like elements can be marked runat=server and accessed from the server side code.
If you happen to use ASP.NET MVC, the picture is completely different. Here, there are lots of different view engines available - including NDjango, NHaml, Spark. If you are the type of web developer who care about the templating engines, you are likely to prefer ASP.NET MVC as a whole, and you might want to check it out before starting your next project.
After reading the answer here, I understand that, if I register a user control (I guess I'm really trying to use it as a custom server control) like this:
<%# Register Assembly="MyDLL" Namespace="MyDLL" TagPrefix="myDLL" %>
Then only the codebehind is used, and the markup (.ascx) page is ignored. Why is this the case (it seems arbitrary), and how can I get around this problem without having to specify the Src="..." attribute in my Register directive? All I want to do is build a user control into a single assembly (a DLL) and hand that DLL off to another web site or web application project in such a way that the web site/app can use my user control. This should not be that hard, but apparently it is...
I am working in Visual Studio 2008, if it makes a difference.
Edit (prompted by the links in Rex's M's comments): it seems like most of the instructions for doing this kind of thing are applicable to VS2005, even the stuff on MSDN. My question is pretty much exactly stated here; is the answer provided on that thread correct
Is there any reliable, recent documentation describing this sort of thing for ASP.NET 3.5 and VS2008? I feel like using the latest versions is causing more confusion and difficulty than benefit.
The thread you linked to is indeed correct. The information which originally addressed .NET 2.0 and VS 2005 is still very applicable. .NET 3.5 does not actually change .NET 2.0, just adds extra stuff. For things that are already in .NET 2.0, they are unchanged in 3.5.
It sounds like you want the functionality of a Custom Control. In a normal user control situation, the website needs an .ascx and that cannot be placed in a DLL.
I strongly recommend to take a look at custom server controls. Since for the purpose of sharing controls over multiple projects they are better suited in my opinion than user-controls. User controls are better for internal reuse, within the same web application (i.e. on multiple pages).
We're about to migrate an existing large ASP.NET web application to make it section-508 compliant. Are there any recommended tools and practices that can be employed for this kind of project?
Ensure the application can function correctly without the use of JavaScript. You may find you have to cut down on the use of the built in ASP.NET server controls to do this.
Ensure the HTML is valid, and makes full use of elements such as labels to give meaning to all the inputs etc..
You may wish to consider using ASP.NET MVC as it gives you much more control over the final HTML rendered. Alternativly CSS Control Adapters can be used instead.
If your application requires an XHTML editor it may be worth looking at XStandard. This editor provides an accessible interface and generates compliant XHTML (without requiring JavaScript), the downside is that it's a browser plug-in, so it may not be suitable for your application.
Do you guys know about an ajax toolkit (or something similar to the m$-ajaxtoolkit) for mono??
Microsoft's ASP.NET AJAX Control Toolkit works on Mono, and is open source (Ms-PL). That doesn't preclude the use of jQuery, though. There are actually several third party AJAX libraries and control toolkits that support Mono, and many are compatible or work in conjunction with ASP.NET AJAX.
I agree with Brian, but want to add that you should read Dave Ward's series on jQuery and ASP.net. He really distills the essence of what you can do with jQuery, PageMethods, and WebForms without MS Ajax. These ideas are directly applicable to the Mono / Linux environment.
Here's a list of essential posts:
Using jQuery to directly call ASP.Net Ajax PageMethods
Use FireBug To Learn jQuery
Simplify calling ASP.NET Services with jQuery
I'd recommend rolling your own using jQuery. That's what m$ is doing now anyway.
Debugging Mono website
Do you remember, that you have no development environment in this machine? You can install it, or download Mono liveCD with openSuse. But before doing it, please note, that GTK# (it’s devenv) is not very user friendly. It even worse, then Eclipse. So let’s try to understand first whether we can fix small compatibility problems without entering code.
The most convenient method to debug web site on Mono is by using XSP and XSP2 mini web servers. Just enter the directory of the site and run it. By default you’ll be able to access the site by using ... (it also be written for you). Enter and notice whether you have any errors in console. No? Keep doing
The most common problem is “error 500” with nonsense stack. If it contains ScriptManager error Type not found, the problem is in Web.config file. Try to regenerate it to be compatible to Mono (for example, Mono has different version of System.Web.Extensions assembly. In ASP.NET 3.5 it has version 3.5, Mono has only 1.0.61025.0 (the old AJAX.NET). To recreate your web.config all you have to do is to execute “mconfig af AJAX Web.config” It will create default web.config file, supports System.Web.Extensions (AJAX features).
Not helped? Keep doing. Let’s look another time into the stack – if it contains errors in “EnablePageMethods” or “ShouldGenerateScript” or “EncryptString” – the problem is serialization. Mono has very limited support for JSON, XML and SOAP serialization. Try to look into your code and notice if you have classes, marked with [Serializable] or you are transferring your own classes by using PageMethods. If so, replace it with regular strings (my grandma serialization).