tinymce with asp.net, ValidateRequest=false in page, is it dangerous? - asp.net

I am using the tinymce editor in an asp.net page. It was configured fine, but when I tried to write some text in the editor it raised the error "A potentially dangerous Request.Form value was detected from the client with tinymce". I searched and came to know it was basically a scan of the input message for script and sql injection attacks.
To remove this error I put ValidateRequest=false in the page header in the aspx page. Now I am sure the input is not being validated, but is it insecure now?
Please guide me on what type of threat it has now and what safety measures I can take to prevent it. The editor is being used to compose and store emails. I just read on some sites that client-side script attacks are possible from input. Please guide and help.

I believe this answer is along the lines of what you are looking for.
Basically, you have to make sure you html encode/decode all the input fields where applicable. In reality, you cannot completely avoid it, unless you disable the validation. But if you are, make sure you take steps to avoid direct use of the input.

Related

Webscraping a tricky asp.net page

The overall goal is to perform a search on the following webpage http://www.cma-cgm.com/eBusiness/Tracking/Default.aspx with a container value of CMAU1173561. I have tried two approaches, the php extension cURL and python's mechanize. The php approach involves performing a POST submit using the input fields found on the page (NOTE: these are really ugly on the asp.net page). The returned page does not contain any of the search results. The second approach involves using python's mechanize module. In this approach I load the page, select the form, then change the text field ctl00$ContentPlaceBody$TextSearch to the container value. When I load the response again, no search results.
I am at a really dead end. Any help would be appreciated because as it stands my next step is to become an asp.net expert, which I prefer not to.
The source of that page is pretty scary (giant viewstate, tables all over the place, inline CSS, styles that look like they were copied from Word).
Regardless...an ASP.Net form still passes the same raw data to the server as any other form (though it is abstracted to the developer).
It's very possible that you are missing the cookies which go along with the request. If the search page (or any piece of the site) uses session state, the ASP.Net session cookie must be included in the request. You will be able to tell it from its name (contains "asp.net" and "session").
I assume that you have used a tool like Firebug or Chrome to view the complete outgoing request when the page is submitted. From my quick test, it looks like the request may be performed with a GET, not a POST. I submitted a form, looked at the request, and pasted the URL into a new browser window.
Example: http://www.cma-cgm.com/eBusiness/Tracking/Default.aspx?ContNum=CMAU1173561&T=57201202648
This may be all you need to do.

API for word definitions

I'm trying to implement a little app which basically only has a label, textbox and a button, and when the user enters a word, I want to connect to some online API to retrieve the word's definition and display it in the label. Is this possible? All I keep finding is APIs related to other stuff on google/other SEs, but I have seen this in practice before so I know they are out there, I just don't know where.
I suggest you try WordNet. It has got an API that you can use over the web.
Check it out here: http://wordnet.princeton.edu/wordnet/related-projects/#web
If you search more probably you will find, but let me give you a hint:
You can make an HTTP web request to any website that handles word definitions. You can even search for "define: " + word in google and get the response.

IE not offering to save password of ASP.NET form

Sometimes Microsoft does something so stunningly dumb that it makes my head hurt. Help me find out it's really not the case ... please!
I've got an issue with the login page of an ASP.NET (3.5) site I'm developing whereby IE (7 or 8 ... can't bear to open 6) doesn't offer to save the password when a user logs in. I've checked other browsers and Firefox, Chrome and Safari all offer to save the password just fine. I've also confirmed that IE password saving on my test boxes is working OK on other sites and for e.g. Google etc it works fine.
The searching I've done has turned up very little, but what little it did turn up seems to suggest that IE won't offer to save a password if the form on the page contains more than two text controls. That's the case with my form which also has controls to allow a user to register. And when I remove these additional controls, IE magically prompts to save password, so this does seem to be true.
Now ... if ASP.NET would allow me to have multiple forms, all would be well and I would be able to separate out the two functions into standalone forms and IE would prompt to save passwords. But, ASP.NET doesn't allow me to do this as it only allows a single form. I could fudge a non runat=server form in there and try to do this, but guess what? Because my page uses a MasterPage, any form tag I add is automatically stripped out, even if it's a non runat=server form.
So, I don't see any way around this without fundamentally changing what I was trying to achieve. It looks like I have to explain to my users that they won't be prompted to have their passwords saved if they use IE (a Microsoft product) because I developed my site with ASP.NET (err ... a Microsoft product).
If this is so, I just can't get over how head-smackingly ridiculous this is. If anyone can offer any ideas on how to get around it, can tell me I've got it all wrong and am a big, stupid idiot myself, or just wants to confirm that it's not just me that thinks this is monumentously dumb, then please, please do so.
Just for the record, I really don't want to (and don't see why I should have to) compromise my design and split my pages in two (which will result in a worse experience for the user).
#Chris That's what I went for in the end.
So for the benefit of anyone else, I still have my activation controls in a runat=server form and process these in the code for that page. Then I have a second, standard HTML form with HTML input textfields that posts to a different .NET page. This deals with the user's login. I pick up the values in this page via Request.Form and deal with the login from here.
Upsides:
It all works and users get their logins remembered as they would expect to.
Downsides:
I lost the ability to use a MasterPage (as I need two forms in the page) so I effectively have had to duplicate the template - I don't like this much.
If the user's login is invalid or causes some kind of error, I have to redirect to the initial page and pass it a flag to get it to show a relevant error message - I don't like this much either.
Like I say, though, it just works and in this case that's what was most important. Thanks for your input.

Best way to create complex html email message with asp.net, how?

After user places an order I have to send detailed email message containing order details, instructions for payment, some additional text etc.
I want to create nicely formatted HTML email message.
By now I found two options:
manually creating piece by piece, string by string, which is too cumbersome,
creating actual aspx page and binding data, then rendering that page as html and sending as body of email.
This second option is more visual and easier to implement except:
I do not know how to actually load and render page, I know how to do it with ascx
This seems too much overhead to instantiate a page and render it
How to load page and render it? Do you have any other ideas or suggestions for this task?
Well, IMO, your basic problem amounts to "How do I convert an ASPX resource into an HTML string to pass to the MailMessage Body property ?"
You could do that simply by using a WebRequest to the ASPX URL in question and read that response into a Stream. Then simply read the stream into a string and your primary problem is solved.
Edit: Here's an article that illustrates this concept.
Personally, I'd want to use a template, either in a database, or as a file that gets loaded. This template would have most of the content for the email in HTML, with tokens that I can replace with the content.
ex.
<b>Receipt for order # [[ordernum]]</b>
That way I could use simple string replacement to place the dynamic content into the email, without having to build the whole email every time it needs to be sent.
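Because the values dropped into the template (order numbers, names, free-text notes) come from order data rather than from the developer, the replacement step should HTML-encode each one so that no value can inject markup into the mail. The Python below is an added illustration of the [[token]] scheme from the answer and is not the answer's own code; the template and order data are constructed for the example.

```python
import html
import re

# [[token]] markers as in the template line above; a token name is a single word, e.g. [[ordernum]]
TOKEN = re.compile(r"\[\[(\w+)\]\]")


def render_template(template, values):
    """Fill the HTML template, HTML-encoding every value so order data
    (names, addresses, free-text notes) cannot inject markup into the mail."""
    def replace(match):
        name = match.group(1)
        if name not in values:
            # fail loudly rather than mailing a message with [[ordernum]] left in it
            raise KeyError(f"template references unknown token: {name}")
        return html.escape(str(values[name]), quote=True)
    return TOKEN.sub(replace, template)


# Constructed sample template and order data
SAMPLE_TEMPLATE = "<b>Receipt for order # [[ordernum]]</b><p>Ship to: [[name]]</p>"
SAMPLE_ORDER = {"ordernum": 1042, "name": "O'Brien <script>alert(1)</script>"}

if __name__ == "__main__":
    print(render_template(SAMPLE_TEMPLATE, SAMPLE_ORDER))
```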
In a similar situation I store a template email message in my database so that the people who use our software can modify the message. It is created (by the user) using the online HTML editor control from Telerik. Within this message, I support several "mailmerge" type fields that all have the pattern {FirstName}, {LastName}, etc.
When it is time to send the message, I pull the formatted text from the database, use string replace to fill in any slots in the template, and then send it. I guess the key is that I know the message is HTML formatted because the Telerik control helps ensure that it is so. However, there is no reason why you couldn't create your HTML and then just save it for later use.
The .aspx page route? I just wouldn't do it. It is way overkill and doesn't offer you any advantages.
I'll use a template like Jay mentioned.
Below resource might turn out useful for you.
http://dotnettricks.com/blogs/roberhinojosablog/archive/2006/05/12/57.aspx
Try using a template stored in a .NET string resource file. Down the line this will make localization a lot easier too.

Parsing PlainText Emails from HTML Content (ASP.NET)

Right, in short we basically already have a system in place where the HTML content for emails is generated. It's not perfect, but it works.
From this, we need to be able to derive a plaintext alternative for the email. I was thinking of instantly jumping on and creating a RegEx to strip the <*> tags from the message - but then I realised this would be no good because we do need some of the formatting information (paragraphs, line breaks, images etc).
NOTE: I am OK with actually sending the mail and setting up alternative views etc, this is only about getting plaintext from HTML.
So, I am pondering some ideas. Will post one as an answer to see what you guys think, but thought I would open it up to the floor. :)
If you need any more clarification then please shout.
Many thanks,
Rob
My Solution
OK, so here it is! I thought up a solution to my problem and it works like a charm!
Now, here are some of the goals I wanted to set out:
All the content for the emails should remain in the ASPX pages (as the HTML content currently does).
I didn't want the client code to do anything more other than say "SendMail("PageX.aspx")".
I didn't want to write too much code.
I wanted to keep the code as semantically correct as possible (no REALLY crazy-ass hacks!).
The Process
So, this is what I ended up doing:
Go to the master page for the email messages. Create an ASP.NET MultiView Control. This control would have two views - HTML and PlainText.
Within each view, I added content placeholders for the actual content.
I then grabbed all the existing ASPX code (such as header and footer) and stuck it in the HTML View. All of it, DocType and everything. This does cause VS to whinge a little bit. Ignore It.
I then of course added new content to the PlainText view to best replicate the HTML view in a PlainText environment.
I then added some code to the Master Page_Load, checking for the QueryString parameter "type" which could be either "html" or "text". It falls over to "text" if none is present. Depending on the value, it switches the view.
I then go to the content pages and add new placeholders for the PlainText equivalents and add text as required.
To make my life easier, I then overloaded my SendMail method to get the response for the required page, passing "type=html" and "type=text" and creating AlternateView's as appropriate.
In Summary
So, in short:
The Views separate the actual "views" of the content (HTML and Text).
A master page auto switches the view based on a QueryString.
Content pages are responsible for how their views look.
Job done!
If any of this is unclear then please shout. I would like to create blog post on this at some point in more detail.
My Idea
Create a page based on the HTML content and traverse the control tree. You can then pick the text from the controls and handle different controls as required (e.g. use ALT text for images, "_____" for HR etc).
You could ensure the HTML mail is in XHTML format so you can parse it easily using the standard XML tools, then create your own DOM serialiser that outputs plain text. It'd still be a lot of work to cover general XHTML, but for a limited subset you plan to use in e-mail it could work.
Alternatively, if you don't mind shelling out to another program, you could just use the -dump switch to the lynx web browser.