My application uses a single aspx page, and dynamically loads in master pages based on the url.
I have a few secured master pages that have forms that need to post html, so I have to set ValidateRequest="false". This of course isn't available in the #Master directive, only the #Page directive. I don't want to disable this security setting site-wide, so is there an alternate way of accomplishing this at the master page level?
I'm referring to the "A potentially dangerous Request.Form value was detected from the client" error message you get when posting a page with html markup.
I don't think I can use web.config either as it's the same physical url that's serving up the entire site.
My only thought is to use javascript to encode the input.
Thanks.
EDIT: Confused Request validation with Event Validation.
Why not set Page's ValidateRequest also, based on URL.
But just out of curiosity, why did you choose that approach? to have one content page and vary the master? Are you applying theming based on the URL?
As it seems you cannot set ValidateRequest property dynamically. It has to be set either in the page directive, or Web.config.
Try using Page.EnableEventValidation = true, if that gives the needed result.
Related
Scenario:
I have one main master page say MasterPage1. In that master page I have a splitter. In that splitter there is an iframe. Within that iframe we load another master page say "MasterPage2". In MasterPage2 we load a page on which different User Controls are rendered.
Problem:
Now I want to find a control on MasterPage1 from my User Control loaded on the page in MasterPage2.
Please help....
Problem To your Scenario:
masterpages and content pages are rendered as a single object, thus the page class is able to reference every element found in both the objects(master and content page). When you are rendering an iframe the iframe content is requested by client hence no reference exists. so it is not possible to reference each other on server.
Solution to the problem
From above you must have realized all the problem is the reference , so you will have to hack inti it. the simplest way I can think is to use querystring.
call the iframe page with querystring containing a identifier to the masterpage like mpage=mpage1,mpage=mpage2 etc.
Now in masterpage2 request the querystring to find which masterpage is applied and proceed. This way you will have little relaxaction because masterpage1 content cannot be changed but masterpage2 can be.
Now you will need to work more to what you need. Proceed only if this is the only way to solve the real problem(I think the problem is not masterpage but the solution to the problem that is making you to do these weired things).
Well for that you will have to use javascript and handlers which will render and return the rendered usercontrol. But i seriously say not to use this setup in production and find other alternative by changing your code to use usercontrol instead of iframe.
I need to do a dynamically loaded Header and Footer on Master page where there are two placeholders to store the users controls which will become the Headers and Footers. The reason why I am doing it to make it more customizable and it is the how it is required from my supervisor as well.
So I have two key-value in web.config such as
<add key="MasterHeader" key="~/Controls/Header.ascx"/>
<add key="MasterFooter" key="~/Controls/Footer.ascx"/>
So I am wondering which Page event should I load these users controls by saying
UserControl uc = (UserControl) Page.LoadControl(ConfigFile.MasterHeader))
PlaceHolder1.Controls.Add(uc)
Where is the best Page event to put the codes above?
Do I need to put something in the page directive to make it work?
I would use OnPreInit or OnPreLoad. You shouldn't need to put anything in the page directive to make this work, the way you're describing it.
I have an ASP.NET website where i have implemented page level caching using the OutPutCache directive.This boosted the page performance.My pages has few parts(Some buttons,links and labels) which are specific to the logged in user.If user is not logged in,they will see different links.Now Since i implemented the page level caching,Even after the user logged in,It's showing the old page content(Links and buttons meant for the Non logged in User).
Caching is obviously good.But how to get rid of this problem ? Do i need to completely remove caching ?
what you want is Partial Page caching:
http://msdn.microsoft.com/en-us/library/ms227429.aspx and http://msdn.microsoft.com/en-us/library/h30h475z.aspx
I ran into the exact same issue and was able to resolve it using Response.WriteSubstitution. Just create a static method that accepts HttpContext as an argument, returns the login status as a string, and render the method using WriteSubstitution:
Response.WriteSubstitution(new HttpResponseSubstitutionCallback(GetLoginStatus));
The rest of the page will cache as normal but the login status will be updated each time the page is loaded.
You can use the VaryByParam directive:
VaryByParam: This attribute allows us
to control how many cached versions of
the page should be created based on
name/value pairs sent through HTTP
POST/GET. The default value is None.
None implies that only one version of
the page is added to the Cache, and
all HTTP GET/POST parameters are
simply ignored. The opposite of the
None value is *. The asterisk implies
that all name/value pairs passed in
are to be used to create cached
versions of the page. The granularity
can be controlled, however, by naming
parameters (multiple parameter names
are separated using semi-colons).
Used like so in the page directive
<%# OutputCache Duration="10800" VaryByParam="State;City" %>
Be careful what you use in the VaryByParam, as this can cause the number of copies of the page in memory to be up to the number of different values of your parameter that exist.
EDIT: as mentioned in comments, this won't work if you're using cookies for login, but some people do use cookie-less login, which puts the info in the GET/POST portion.
See here for more details
I've found that when using the
<!-- include file="MyPage.aspx" -->
command in ASP, I'm not able to use the code-behind in MyPage.aspx.
The issue is that when I try to include MyPage.aspx, there is an error because we have two Page Directives. If I remove the Page Directive, I can include MyPage.aspx just fine, but cannot access the code-behind, because the "CodeBehind" parameter in the Page Directive is no longer there.
So, as far as I can tell, we have a Catch-22. Does anyone know of a work-around for this? Or is there just something I'm missing?
Thanks,
-Onion-Knight
I'm not sure if this changes anything, but I am using a Master Page with the page that includes MyPage.aspx.
Why don't you use a user control (*.ascx) instead of including an aspx page?
Have a look at this overview in MSDN which shows how to create and user "user controls".
on our site we do url rewriting to generate massive amounts of database generated pages. on every page, there is a Login control for users. like this:
Internal aspx page: /DB.aspx?id=123
User visible url: /ABC/123.aspx, /ABC/456.aspx ... (url rewritten)
unfortunately, the tag on each page has an action attribute of "DB.aspx?id=123". when the user clicks the button the browser is posting to /ABC/DB.aspx?id=123 which of course does not exist.
solutions i tried:
1. change the action attribute by subclassing HtmlForm. this destroys the all other forms on the site.
2. remove the action attribute (so that the browser is always posting to the same url). this works on the rewritten pages but on "/" (the default.aspx in the root dir) i get a message that the verb post is not allowed on "/" (iis 6 and i have no control over mappings)
anybody?
Check this really nice blog post from scott gu, http://weblogs.asp.net/scottgu/archive/2007/02/26/tip-trick-url-rewriting-with-asp-net.aspx.
"Specifically, you can take advantage of the new ASP.NET 2.0 Control Adapter extensibility architecture to customize the rendering of the control, and override its "action" attribute value with a value you provide. This doesn't require you to change any code in your .aspx pages"
Check the section: "Handling ASP.NET PostBacks with URL Rewriting", I have used the adapter he posted successfully.
Ps. be aware there are some issues on asp.net when using url rewrite when using cookieless session, and the rewritten url is deeper than the original page, just like the one you have. (/abc/apage vs. /db?). The issue is right into the source code of the framework, there are workarounds but that's a whole subject (with tradeoffs :( ... you might want to have them at the same level).
Semantics maybe, but does the action attribute = "DB.aspx?id=123" or "/DB.aspx?id=123"? Assuming your URL rewriting allows pass-through to physical pages, this might be your issue.
I never did it, but I saw the code using Reflector and I guess you can fix it this way:
On the page:
this.Form.Action = null;
or:
this.Form.SetAttribute("action", null);
If that doesn't work, just set the path you want:
this.Form.SetAttribute("action", "ABC/123.aspx");
If you upgrade to ASP.NET 3.5 SP1, the action property is now properly recognized and can be set from codebehind.