Allow CMS user to add HTML to sql database row? - asp.net

I'd like to let my user add HTML to an entry in a SQL Server table using the CMS, but I keep getting the warning:
System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$MainContent$TextBox2="<p>We...
What is the best way to allow HTML to be added to my CMS?
Many thanks

You can enable/disable request validation on a per control, per page, or on application level.
See http://www.asp.net/learn/whitepapers/request-validation for more info.
Be aware that if you're using asp.net 4.0 you might have to set the requestValidationMode as well (see ValidateRequest="false" doesn't work in Asp.Net 4)

ASP.NET automatically tests forms for input of potentially dangerous characters (pretty much anything HTML...). To get around this you can set ValidateRequest="false" at either the page or app level (in web.config), but then you will need to manually clean the HTML yourself to ensure that no malicious code is injected. The best article on code cleaning I've seen is http://wonko.com/post/html-escaping .
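One way to do the manual cleaning this answer calls for, as an added example (not code from the thread or the linked article): encode the whole submission, then restore only an exact allow-list of attribute-free tags. The class name CmsHtml and the tag list are assumptions.

```csharp
using System;
using System.Net;

// Hypothetical helper; the tag list is an assumption chosen for the example.
public static class CmsHtml
{
    // Only these tags, written exactly and without attributes, survive.
    private static readonly string[] AllowedTags =
        { "p", "b", "i", "em", "strong", "ul", "ol", "li" };

    public static string Sanitize(string input)
    {
        if (string.IsNullOrEmpty(input)) return string.Empty;

        // Step 1: neutralise everything, so no markup of any kind remains.
        string html = WebUtility.HtmlEncode(input);

        // Step 2: re-enable the allow-listed tags by exact match. A tag with
        // attributes (e.g. an onclick handler) does not match and stays encoded.
        foreach (string tag in AllowedTags)
        {
            html = html.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                       .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return html.Replace("&lt;br&gt;", "<br>").Replace("&lt;br /&gt;", "<br />");
    }

    public static void Main()
    {
        // Constructed sample submission from the CMS text box.
        string posted = "<p>We sell <b>widgets</b></p><script>alert(1)</script>" +
                        "<p onclick=\"x()\">hi</p>";
        Console.WriteLine(Sanitize(posted));
    }
}
```

Store the sanitized string with a parameterized SqlCommand, and keep request validation switched off only for the CMS edit page rather than the whole application.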

Related

How to Donut caching in Asp.net Core 2?

I want to create a quick page load response in ASP.NET MVC .
If I use [outputCache] then it saves the whole page with the dynamic parts and then a new client will see previous client information.
What is the Best Practice to Do It?
I saw that there is a Cache Tag Helper but will it be faster?
Because I still have to go into the Action and render the page except for the section of the Cache Tag Helper.
Many thanks to those who have an optimal and fast solution.
In the docs for response caching, Microsoft has a prominent warning:
"Disable caching for content that contains information for authenticated clients. Caching should only be enabled for content that doesn't change based on a user's identity or whether a user is signed in."
As you indicate, your scenario involves dynamic authenticated content. Thus you should avoid caching the rendered output as a whole, and maybe consider caching specific data or elements within a page only if you're very careful and performance requires it. Otherwise, safer to leave defaults. ASP.NET Core is very fast -- it's unlikely the rendering is the bottleneck in most cases.

A potentially dangerous Request.Form value was detected from the client

I am not able to get the actual cause of this error in my Web Application. I am using IIS7.0 and .Net FrameWork 4.0.
You have inputted html tags in the input field,
Put validateRequest="false" in your page directive or web.config file.
http://msdn2.microsoft.com/en-us/library/ms972967.aspx
You're posting some values that are or resemble HTML. Are you using ASP.NET MVC? If so, I blogged a solution here: specify the attribute ValidateInput(false) on the controller method and everything will work.
But make sure this is the right solution. Does your app allow posting of HTML? If so, this is what you need to do; if not, you're just opening a security loophole.

ASP3 And ASP.NET session sharing

Is there a way to share the session between ASP3 And ASP.NET?
Thanks
Despite all of Microsoft's best efforts to make ASP and ASP.NET coexist effortlessly, one area remains a stumbling block... session state. Fortunately the advantages of ASP.NET's upgraded session state management far outweigh the inconvenience of not being able to pass "Classic" session information to .NET. Unfortunately there is no simple solution; the most I can offer is an easy to implement workaround.
In trying to find a suitable resolution, I've come across two good options that are worth mentioning. The first involves parsing the session information out to hidden form fields on a "Classic" intermediate page and then submitting the page to a .NET intermediate page that loads the form fields into the session state. This is a good, simple solution, however it doesn't work both ways. In .NET you cannot specify the page that you submit to. Each page has to PostBack to itself.
The second option is probably closer to an actual solution than to a workaround. Billy Yuen at Microsoft has developed an effective solution. The code is elegant, the integration appears to be seamless, but I couldn't get it to work on my system (remember I said that there was no simple solution, not that there was no solution at all). If this solution works for you, great! You won't need my code and you'll be happily passing session information from "Classic" to .NET like it's going out of vogue, thanks for stopping by.
Ok, if you're still reading let me briefly describe the workaround I've created. It requires a database, but it is not important which type of database (though the code is written for SQL Server). When a page (source page) wants to redirect to another page (destination page) that uses a different version of ASP, it calls an intermediate page. The source intermediate page takes each session variable and adds it to the database along with a Globally Unique ID (GUID). Since "Classic" and .NET use different SessionID formats it is not possible to use SessionID, hence the use of a GUID. The source intermediate page then passes the GUID to the destination intermediate page through a Querystring variable. The destination intermediate page retrieves the session information from the database, cleans up after itself, and then redirects to the destination page. It's similar to the first workaround, but supports transferring state in both directions.
Code Usage
Installation
Run the SQL Query in "ASPSessionState.sql" on the database which will hold the temporary Session information.
Copy the .asp and .aspx.* (SessionTransfer.aspx and SessionTransfer.aspx.cs) files to a folder on your website.
Update connection object information in the "SessionTransfer.asp" and "SessionTransfer.aspx.cs" files. It is located in three places in each file (sorry about not consolidating the connection info).
Compile the aspx files.
The .asp and .aspx.* files must all reside in the same folder to work.
Usage
For use in a Hyperlink (Anchor Tag) or a Response.Redirect, set the destination URL to be one of the following:
From an ASP "Classic" page:
SessionTransfer.asp?dir=2aspx&url=<asp_dotnet_url>
From an ASP.NET page:
SessionTransfer.aspx?dir=2asp&url=<asp_classic_url>
The code will transfer the Session information and Redirect the user to the url specified by <asp_dotnet_url> or <asp_classic_url>.
Download
You can download the code from here: session_transfer.zip (4.6 KB).
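The hand-off this answer describes (store under a GUID, pass the GUID in the query string, fetch and clean up), as an added example that is not the code in session_transfer.zip. The in-memory store standing in for the SQL table, the 30-second lifetime, the CSPRNG-generated GUID and the url check are assumptions added here.

```csharp
using System;
using System.Collections.Concurrent;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical class; the dictionary stands in for the SQL table.
public static class SessionHandoff
{
    private sealed class Entry { public Dictionary<string, string> Values; public DateTime ExpiresUtc; }
    private static readonly ConcurrentDictionary<Guid, Entry> Store =
        new ConcurrentDictionary<Guid, Entry>();

    // Source intermediate page: save the session values, get the GUID for the query string.
    public static Guid Save(IDictionary<string, string> session, DateTime nowUtc)
    {
        // The GUID is the only credential, so take its 16 bytes from a CSPRNG.
        byte[] raw = new byte[16];
        using (var rng = new RNGCryptoServiceProvider()) rng.GetBytes(raw);
        Guid id = new Guid(raw);
        Store[id] = new Entry { Values = new Dictionary<string, string>(session),
                                ExpiresUtc = nowUtc.AddSeconds(30) }; // assumed lifetime
        return id;
    }

    // Destination intermediate page: fetch and delete in one step, so a GUID
    // replayed from a log or browser history returns nothing.
    public static IDictionary<string, string> Redeem(string guidText, DateTime nowUtc)
    {
        Guid id; Entry entry;
        if (!Guid.TryParse(guidText, out id) || !Store.TryRemove(id, out entry)) return null;
        return entry.ExpiresUtc >= nowUtc ? entry.Values : null;
    }

    // url= must be a path on this site: "/x" passes, "//host" and "http://host" do not.
    public static bool IsLocalUrl(string url)
    {
        return !string.IsNullOrEmpty(url) && url[0] == '/' &&
               (url.Length == 1 || (url[1] != '/' && url[1] != '\\'));
    }

    public static void Main()
    {
        var session = new Dictionary<string, string> { { "UserName", "alice" } }; // constructed
        Guid id = Save(session, DateTime.UtcNow);
        Console.WriteLine(Redeem(id.ToString(), DateTime.UtcNow) != null);  // first use
        Console.WriteLine(Redeem(id.ToString(), DateTime.UtcNow) != null);  // replay
        Console.WriteLine(IsLocalUrl("/app/default.aspx") + " " + IsLocalUrl("//example.com"));
    }
}
```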
You could take a look at NSession; it allows sharing session state between Classic ASP and ASP.Net using State Server. It is pretty easy to set up: just configure the app to use State Server for session and register a couple of DLL files.

Clear ASP.NET OutputCache across web applications

Is it possible to clear the output cache of one asp.net web application from inside another asp.net web application?
Reason being... We have several web applications structured like...
http://www.website.com/intranet/cms/
http://www.website.com/area1/
http://www.website.com/area2/
Pages in /area1/ and /area2/ are cached and are managed through /intranet/cms/. When a page is edited using /intranet/cms/ I want to clear it out of the cache in the appropriate /area#/ application.
I already tried using a VaryByCustom that looks up a guid stored in the HttpContext.Cache, but that seems to be cached per web application, so that doesn't work.
Really if there were any way of passing data between web applications on a single server, that would solve my problem, since I can use that + VaryByCustom.
Thanks!
-Mike Thomas
The way I've done this in the past is to have a "hidden" page (in each of the /areaX sites) that does the flushing, reloading, etc. The page validates a shared secret query parameter before doing anything (to avoid DoS attacks). If the secret is valid, the page outputs an "OK" message once the operation is complete; if the secret is invalid, it generates a 404 error.
If you want the flush to be on a per-item or per-group basis then add a second parameter that identifies that item/group.
This method is also server technology independent, and can be triggered by other management tools if required.
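The flush page this answer describes, in its per-item form, as an added example (not code from the thread). The handler name, the `secret` and `path` parameter names and the `CacheFlushSecret` appSettings key are assumptions.

```csharp
using System;
using System.Configuration;
using System.Text;
using System.Web;

// Hypothetical handler, deployed in each /areaX application and called by the CMS.
public class CacheFlushHandler : IHttpHandler
{
    public bool IsReusable { get { return true; } }

    public void ProcessRequest(HttpContext context)
    {
        // "CacheFlushSecret" is an assumed appSettings key shared with the CMS.
        string expected = ConfigurationManager.AppSettings["CacheFlushSecret"];
        string supplied = context.Request.QueryString["secret"];
        if (string.IsNullOrEmpty(expected) || !FixedTimeEquals(expected, supplied))
        {
            context.Response.StatusCode = 404;   // look like a missing page
            return;
        }

        // Second parameter: the cached item to drop, e.g. /area1/news.aspx.
        string path = context.Request.QueryString["path"];
        if (string.IsNullOrEmpty(path) || !VirtualPathUtility.IsAbsolute(path))
        {
            context.Response.StatusCode = 400;
            return;
        }

        HttpResponse.RemoveOutputCacheItem(path);
        context.Response.ContentType = "text/plain";
        context.Response.Write("OK");
    }

    // Compare without returning early, so timing does not reveal how many
    // leading characters of a guess were right.
    private static bool FixedTimeEquals(string a, string b)
    {
        byte[] x = Encoding.UTF8.GetBytes(a ?? string.Empty);
        byte[] y = Encoding.UTF8.GetBytes(b ?? string.Empty);
        int diff = x.Length ^ y.Length;
        for (int i = 0; i < x.Length && i < y.Length; i++) diff |= x[i] ^ y[i];
        return diff == 0;
    }
}
```

Query strings are written to the IIS request log, so the log files hold the secret; call the page over HTTPS and restrict who can read those logs.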
One way I know of doing this is by using a shared resource as a dependency, usually a file. When the file is changed, the cache is cleared. I think you can use HttpResponse.AddFileDependency for this.
However, in these cases it's usually better to use an out-of-process cache such as memcached. I haven't tested it myself, but this link deals with using memcached with OutputCache.

ASP.Net Context.User.Identity weirdness

I have an ASP.Net 3.0 SP1 app that uses Form Authentication.
While testing, I noticed that if I viewed a page that another user was viewing, the other user's name would be displayed in the control on my master page. The Context.User.Identity is also for the other user.
If I switch to a different page that no one else is viewing, the Context.User.Identity is correct.
I'm stumped and would appreciate suggestions.
Thanks in advance.
Chris
Maybe because output caching is enabled for the page: if the page is cached server-side with VaryByParam=none, all users will get the same copy from the cache.
I can only think of two things that can cause this:
You're storing user-specific data in a place shared between requests (e.g. in a static(C#)/shared(VB) variable, in the ASP.NET Cache, in the Application object, ...)
You have output caching enabled.
Check for:
OutputCache directives in your aspx and ascx files,
system.web/caching element in your web.config file(s),
Calls to the HttpCacheability.SetCacheability method.
If you can't find the problem:
Try creating a simplified version of your application until you get the simplest possible version that still reproduces the undesirable behaviour.
During this process of simplification you'll likely discover the problem for yourself. If not, post some code from the simplified version.
Make sure you are not using a link that comes with the authentication ticket when using a cookieless browser.
Also make sure to review any other that might be sharing the data among requests. Just like DOK said, but remember Application isn't the only way you could be doing that.
It looks like the issue was caused because I was setting targetframe="_self" or Target="_self". I removed all these and everything seems to be working fine.
One other note: If I were to refresh the page it would also display the page with the correct user.
