We have an asp:DropDownList that we populate server side with
ddlBranch.Items.Add(new ListItem("TEST","This is a's test"));
When this is compiled and run under .NET 3.5 we see the text "This is a's test"
However when this is compiled and run under .NET 4.0 we see the text "This is a&#39;s test"
We have added the following to our web.config and there was no change.
<pages controlRenderingCompatibilityVersion="3.5" />
For the time being we have dropped back to .NET 3.5 however we would like to know if there is a way to work around this or if this is a known rendering issue or is by design.
TIA
AJ
Hi All
Thanks for the responses; they led me to look deeper into the code, looking for an Encode somewhere. It turns out that there was a:
Server.HtmlEncode(input)
being performed on all controls in a base page class.
Now what I thought was a problem really turns out to be a case of RTFM on my part
From http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes
HtmlEncode and UrlEncode Now Encode Single Quotation Marks
In ASP.NET 4, the HtmlEncode and UrlEncode methods of the HttpUtility and HttpServerUtility classes have been updated to encode the single quotation mark character (') as follows:
The HtmlEncode method encodes instances of the single quotation mark as &#39;.
The UrlEncode method encodes instances of the single quotation mark as %27.
So when I was using .NET 3.5 my single quote ( ' ) was being ignored by the HtmlEncode but when switching to .NET 4.0 it was not being ignored by HtmlEncode.
Thanks again for all the responses and work that people put in to this question.
Regards
AJ
When you get the value back you could just HTMLDecode the selected value.
ie. Server.HtmlDecode(ddlBranch.SelectedValue)
Why do you believe this is a problem? &#39; renders as an apostrophe, and when posted will turn into an apostrophe if that value is selected.
Related
I am supposed to use the regularExpressionValidator to verify a ZIP code for a basic webpage I'm making. If the Zip code is valid, the submit button's click event procedure should display the message "Your ZIP code is" followed by the ZIP code and a period.
I don't know how to do an "if" statement to check to see if the zip is valid or not
Why does the value = 0 when I enter 60611-3456?
...don't know how to do an "if" statement...
You were assigned to use a RegularExpressionValidator, and this sounds like homework. If so, it also sounds like the purpose of the assignment is to make this happen without writing any if statements at all.
The validator controls have a feature where a postback event will not occur if validation fails. You use a correct regular expression with a correctly configured validator control, and the code that shows the "Your zip code is..." message will never run. Configuring the validator control is the point of the assignment; you need to do that part on your own. But finding an acceptable regular expression is a distraction from the real learning, and so I don't mind just giving that to you:
^\d{5}(-\d{4})?$
The issue is that your regular expression indicates the four digits must exist if you have the dash. Generally that would be okay but since you're using an input mask the dash always exists, even when it's only five digits. Try the following expression.
ValidationExpression="\d{5}-?(\d{4})?$"
Hope it helps.
I have a CMS written in ASP.NET using VB.NET and I am having problems saving Unicode characters to the database. Here's the situation:
The web page seems to send the characters fine via an AJAX request (using jQuery); at least according to Firebug it seems that the POST is sent fine, and I can see the characters in there as they should be (i.e., not screwed up). When I look in the database, instead of the non-English character I see a question mark inside the little black diamond, you know the character. I know it's not the database since a) the field is set to NText and b) I can insert that same value directly into the DB via SQL Manager in a manual query. The database is MS SQL 2005.
So the problem must be in between, correct? I am specifically declaring the param on the insert query as NText:
Cmd.Parameters.Add("#FieldContent", SqlDbType.NText).Value = FieldContent
and in web.config I have encoding set as:
<globalization requestEncoding="utf-8" responseEncoding="utf-8" />
I've googled high and low and cannot find any other solutions than the ones I've tried already. Any help is greatly appreciated.
try
cmd.Parameters.Add("#FieldContent", SqlDbType.NVarChar, 1024).Value = FieldContent;
I am doing this to replace whitespaces and line breaks. The whitespace part works; however, the line break part does not.
It works if I remove the tags < > from the br. The line breaks in that case do get replaced by 'br'.
I am using Antixss and sanitize.GetSafeHtmlFragment?
Is that causing a problem?
This might work:
http://wpl.codeplex.com/workitem/14053
AntiXss.GetSafeHtmlFragment(strMessage.Replace(ControlChars.Lf.ToString(),"<br>"))
Where strMessage is the string with newlines you're calling AntiXss on.
This might also help:
http://eksith.wordpress.com/2012/02/13/antixss-4-2-breaks-everything/
.NET AntiXSS with Multiline Textboxes
Maybe a little code....and a description of your current problem
Sounds like you're doing this to a model's field, in an edit or create view. Is this correct? If you are using texteditorfor(model => model.property) and the property is of type string then the line breaks will automatically be removed.
If it is a validation error due to the HTML, it should indicate that on the error page. If this is the case then in the model you must allow HTML by adding the [AllowHtml] attribute to the property. You must include system.mvc.
We have taken over a .NET project recently and upon looking at the db we have the following in some columns:
1) Some columns have values such as
&quot; &amp; etc etc
2) Some have <script> tags and other non html encoded tags
This data is displayed all over the site. When trying out HtmlEncoding on point number 1 we get the following: &quot; -> &amp;quot;
Obviously we are wanting to htmlencode when displaying as point 2 contains javascript which we don't want executed.
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
Is there a way to use HtmlEncoded on values that might or might not be already encoded?
No there isn't.
What I would suggest is that you write a quick script that goes through the database and unencodes the already encoded data. Then use something like the Microsoft AntiXSS library (tutorial here) to encode all output before it gets output to the web page. Remember that it is fine to store the data unencoded [1]; the danger is when you echo it back out to the end user.
Some controls already encode output using encode functionality built into the .Net framework - which is not bulletproof to XSS - you just have to either avoid using those controls or just not encode the data displayed by them. There is a FAQ question pertaining to the MS controls that encode at the bottom of the page for the first link which you should read. Also some third party control vendors encode the output of their controls, you would do yourself a favor if you test them to make sure they are not still susceptible to XSS.
[1] Don't forget to take steps to prevent SQL injection though!
Before applying HtmlEncode( "myText" ) use HtmlDecode method to the input text.
That way you will decode your string from:
& quot; & amp; etc etc < script>
to
" & etc etc < script>
and afterwards apply encode "from scratch".
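An added example, not code from any of the posts above: it shows the double encoding described in this thread (and in the DropDownList thread at the top of the page), next to a one-time cleanup of stored values followed by a single encode at output. The class and method names are hypothetical, the sample values are constructed, and System.Net.WebUtility stands in for Server.HtmlEncode so the sample compiles as a console program.

```csharp
using System;
using System.Net;

static class StoredHtmlCleanup
{
    // Hypothetical one-time migration helper: undo HTML encoding that was applied
    // before storage so the column holds raw text. Decodes until the value stops
    // changing; the pass cap bounds work on hostile or deeply nested input.
    public static string ToRaw(string stored, int maxPasses = 3)
    {
        string current = stored ?? string.Empty;
        for (int i = 0; i < maxPasses; i++)
        {
            string decoded = WebUtility.HtmlDecode(current);
            if (decoded == current) break; // nothing left to decode
            current = decoded;
        }
        return current;
    }

    // Output step: encode exactly once, at the point of writing into HTML.
    public static string ForHtml(string raw)
    {
        return WebUtility.HtmlEncode(raw);
    }

    static void Main()
    {
        // Constructed sample values matching the cases discussed on this page.
        string[] rows =
        {
            "&quot; &amp; etc etc",      // encoded before it was stored
            "<script>alert(1)</script>", // stored raw, must never reach the page unencoded
            "This is a's test"           // plain text with an apostrophe
        };

        foreach (string stored in rows)
        {
            Console.WriteLine("stored       : " + stored);
            Console.WriteLine("encode as-is : " + ForHtml(stored));
            Console.WriteLine("clean+encode : " + ForHtml(ToRaw(stored)));
            // Encoding an already encoded value, as happens when a base page
            // encodes text that the control encodes again on render.
            Console.WriteLine("encoded twice: " + ForHtml(ForHtml(stored)));
            Console.WriteLine();
        }
    }
}
```

Rows where ToRaw changes the value are worth logging for review during the migration, because text that legitimately contains a literal entity such as &amp; cannot be told apart from data that was encoded before storage.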
I have a query string parameter value that contains an ampersand. For example, a valid value for the parameter may be:
a & b
When I generate the URL that contains the parameter, I'm using System.Web.HttpUtility.UrlEncode() to make each element URL-friendly. It's (correctly) giving me a URL like:
http://example.com/foo?bar=a+%26b
The problem is that ASP.NET's Request object is interpreting the (encoded) ampersand as a Query String parameter delimiter, and is thus splitting my value into 2 parts (the first has "bar" as the parameter name; the second has a null name).
It appears that ASP.NET is URL-decoding the URL first and then using that when parsing the query string.
What's the best way to work around this?
UPDATE: The problem hinges on URLRewriter (a third-party plugin) and not ASP.NET itself. I've changed the title to reflect this, but I'll leave the rest of the question text as-is until I find out more about the problem.
Man,
I am with you in the same boat. I have spent hours and hours trying to figure out what the problem is, and as you said it is a bug in both, as normal links that contain weird characters or UTF-8 code characters are parsed fine by ASP.NET.
I think we have to switch to MVC.routing.
Update: man, you won't believe it, I have found the problem. It is so strange, it is with IIS.
Try to launch your page from the Visual Studio Dev server and Unicode characters will be parsed just fine, but if you launch the page from IIS 7 it will give you the ???? characters.
Hope somebody will shed some light here.
I would have thought that %26 and '&' mean exactly the same thing to the web server, so it's the expected behavior. Urlencode is for encoding URLs, not encoding query strings.
... hang on ...
Try searching for abc&def in google, you'll get:
http://www.google.com.au/search?q=abc%26def
So your query string is correct, %26 is a literal ampersand. Hmm you're right, sounds like a bug. How do you go with an & instead of the %26 ?
Interesting reading:
http://www.stylusstudio.com/xsllist/200104/post11060.html
Switching to UrlRewritingNet.UrlRewrite did not help, as it apparently has the same bug. I'm thinking it might have something to do with ASP.NET after all.
I think URLRewriter has a problem with nameless parameters (null name).
I had a similar problem. When I gave my nameless parameter a (dummy) name, everything worked as expected.
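An added example, not code from URLRewriter, ASP.NET or any of the posts above: it reproduces the symptom from the question by parsing its query string in both orders, and shows the re-encoding a rewriter needs when it rebuilds a URL. The class and method names are hypothetical; the query string is the one from the question.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Net;

static class QueryParsing
{
    // Correct order: split on the raw '&' and '=' first, then decode each piece.
    public static List<KeyValuePair<string, string>> SplitThenDecode(string query)
    {
        var pairs = new List<KeyValuePair<string, string>>();
        foreach (string part in query.Split(new[] { '&' }, StringSplitOptions.RemoveEmptyEntries))
        {
            int eq = part.IndexOf('=');
            string name = eq < 0 ? null : WebUtility.UrlDecode(part.Substring(0, eq));
            string value = WebUtility.UrlDecode(eq < 0 ? part : part.Substring(eq + 1));
            pairs.Add(new KeyValuePair<string, string>(name, value));
        }
        return pairs;
    }

    // Faulty order: the whole query is decoded first, so "%26" becomes a delimiter.
    public static List<KeyValuePair<string, string>> DecodeThenSplit(string query)
    {
        return SplitThenDecode(WebUtility.UrlDecode(query));
    }

    // Rebuilding a URL safely: re-encode every name and value before joining.
    public static string Rebuild(List<KeyValuePair<string, string>> pairs)
    {
        return string.Join("&", pairs.Select(p =>
            (p.Key == null ? "" : WebUtility.UrlEncode(p.Key) + "=") + WebUtility.UrlEncode(p.Value)));
    }

    static void Print(string label, List<KeyValuePair<string, string>> pairs)
    {
        foreach (var p in pairs)
            Console.WriteLine(label + ": name=" + (p.Key ?? "(null)") + " value=[" + p.Value + "]");
    }

    static void Main()
    {
        const string query = "bar=a+%26b"; // query string from the URL in the question
        Print("split, then decode", SplitThenDecode(query));
        Print("decode, then split", DecodeThenSplit(query));
        Console.WriteLine("rebuilt: " + Rebuild(SplitThenDecode(query)));
    }
}
```

The decode-then-split path yields one pair named bar and a second pair with a null name, which is the split the question describes.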