How to return ASP as an ActionResult? - asp.net

In my ASP.NET MVC project I have a requirement to return certain pages in a database-driven way, i.e. the ASP page code is stored in the database, I need to retrieve it and return that.
I tried doing this using a ContentResult, but the problem I'm finding is that all the special characters denoting server-side script are coming through literally and being displayed in the browser.
How do I return an ActionResult that behaves as an ASP page, not as content?

You can't do that. ASP (Active Server Pages) is meant to be interpreted by the web server and only on the server-side. You'd have to write your own client-side ASP interpreter with something like JavaScript to be able to do what you want to do (who knows, maybe that already exists - I haven't looked). But this sounds like a very, very bad idea.

Related

Is it possible to take a javascript array and SAVE it to a file server-side?

I have a project where I'm using a Windows hosting environment and classic ASP / VBScript and need to take a JavaScript array that is created dynamically and save it to a local file ( "somefilename_unique-ID-I-will-add.js" )... I've used fso in the past to create dynamic log files on a couple of projects but am unsure where to begin in terms of figuring out how to take the js array and 'give' it to or access it in .asp / VBScript, especially since the .asp runs before any JavaScript / jQuery is run.
Anyone have any idea a) if it's doable and b) how to go about it?
The resulting .js file on the server will be used as the JSON or JSONP data source for an Android and iOS app.
Thanks for any light anyone can shed on this.
You can do this. You would need to create an API method (search for ASP web method) and post the array to the server via an AJAX call. You could then construct the file server side within the web method.
Here is a link for an example of [WebMethod]:
http://encosia.com/using-jquery-to-directly-call-aspnet-ajax-page-methods/
If this project is OK with a trip to the server, then you can merely submit a form where the onLoad of the page used JavaScript to fill some hidden form fields with the values from your array. Or even use a querystring, i.e., sender_page.asp?data001=blahblah&data002=blahdeblah&data003=blahdoobleeblah...

Cross-site scripting - ASP.NET form action being modified by URL

After running a security scan across our web application (WebInspect), it has reported several XSS vulnerabilities with some aspx pages.
The request URL seems to be able to change the form action.
Example,
/Website/somepage.aspx/'+alert(1234)+'
the form action is changed to
action="'+alert(1234)+'"
To rule out our application code, I tried this with the default new Visual Studio webform project and it allows the same.
How can this be prevented?
I've always been told that un-validated input being reflected into the page is bad news.
Just put something in the action, something like this:
<form id="id_form" runat="server" action="Default.aspx">
When the form action is not specified, ASP fills this attribute with what you wrote in the URL next to the last slash. If you write something there, ASP doesn't rewrite it.
Please check your global.asax - Application_Start to see if any routes have been defined.
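A regression check for the finding discussed in this thread, added here as an example and not taken from any of the posts: it pulls the path info that follows somepage.aspx/ out of a request URL and reports any form action in the response that contains it. The function names and the two sample response bodies are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import unquote, urlsplit


class FormActions(HTMLParser):
    """Collects the action attribute of every <form> tag in a response body."""

    def __init__(self):
        super().__init__()
        self.actions = []

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            # HTMLParser has already entity-decoded the value, so an
            # HTML-encoded reflection is reported as well.
            self.actions.append(dict(attrs).get("action") or "")


def path_info(url, extension=".aspx"):
    """Return the decoded text that follows 'page.aspx/' in the path, or ''."""
    path = unquote(urlsplit(url).path)
    match = re.search(re.escape(extension) + r"/(.*)", path, re.I | re.S)
    return match.group(1) if match else ""


def reflected_actions(url, html):
    """List the form actions in `html` that contain the URL's path info."""
    extra = path_info(url)
    if not extra:
        return []
    parser = FormActions()
    parser.feed(html)
    return [action for action in parser.actions if extra in action]


# Constructed samples: the request from the scan report and two response bodies.
SCAN_URL = "/Website/somepage.aspx/'+alert(1234)+'"
NO_ACTION_SET = """<form method="post" action="'+alert(1234)+'" id="id_form"></form>"""
ACTION_SET = """<form method="post" action="Default.aspx" id="id_form"></form>"""

if __name__ == "__main__":
    for name, body in (("no action set", NO_ACTION_SET), ("action set", ACTION_SET)):
        print(name, "->", reflected_actions(SCAN_URL, body) or "not reflected")
```

Run against each page's real response after setting an explicit action, an empty result means the URL no longer controls the form action.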

Crawler for Deep-Web calling ASP.NET page

Introduction
I'm developing a web crawler and I need to get the return of ASP.NET forms.
I know about the difficulty of trying that, but my crawler can get the return of PHP forms or languages like that. I'm using HtmlAgilityPack and calling with POST parameters. That works fine.
Problem
My problem starts when I need to crawl ASP.NET forms, with a lot of hidden fields and other information (like __VIEWSTATE or __EVENTARGUMENT) for the ASP.NET kernel.
Question
How can I make my crawler send a POST call and receive the correct return with the database filters? Does somebody have information about that? Has somebody tried something like that?
Thanks, everybody.
I'm waiting for a good response.

Is there any way to load up an asp.net page object and render its contents to string from a console application?

I am trying to use aspx pages as email templates. There will likely be a bunch of objects on the page which will be used as replacements in the html. Because it's an aspx page I'll be able to use databinding, repeaters, etc. At run time, I want to be able to instantiate the aspx page from its path, pass in a bunch of properties, and then get the rendered result of the page and email it. This seems pretty straightforward from an asp.net website (maybe using BuildManager or Server.Execute.) However, I want to be able to use the same templates via a console application by just loading up a page object from its filepath. Is this possible?
You could host your own webserver. Like the Cassini webserver.
In my own application (a Windows-based Desktop-CMS), I include a web server, too (non-Cassini). It works very well, although it does not serve ASP.NET but plain HTML.
As I did some research back then, I first wanted to use Cassini, too, but at some point, I found out that too many user privileges were required to run it successfully; this may not be an issue for you, but keeping this in mind and trying to run it early with the permissions of the later user might be a good idea.

How to make ASP.NET HTML code not viewable to clients (users)

I am wondering, are there any standard mechanisms available to protect the asp.net asp code in the client browser? I found some references to Windows script encoders. Question is, do these script encoders encode both aspx and code behind source? If aspx is encoded with the Windows script encoders, then how can client browsers decode it? Are they aware of the encoding algorithms?
Or can we control the client browsers (IE, Firefox, Chrome etc.) to disable the view source option in the Tasks Menu when a web site is loaded in them?
Any pointers will be appreciated.
The HTML code generated on a webpage is by definition public. It has to be accessible to the browser for it to be able to render the page properly. You will not find a reliable solution to hide the view source option in browsers.
To explain the basics a little bit:
When you create a page, you write markup in your .aspx file and some C# source code in the .aspx.cs file. The C# code is the server side code, which means that it is executed on the server (as opposed to, say, JavaScript which is executed directly in the client's browser -- client side).
When a page request is executed, the ASP.NET engine executes the server side code, and also executes the asp tags that you wrote in the .aspx page (for example: <asp:Button runat='server'... />). It then spits out HTML code (this is a very simplified version of what actually happens).
The client's browser only ever gets the HTML (and it will not see the C# code nor any of asp markup code which is used to generate your page).
As I said before, the HTML generated is, and will always be public. There is nothing you can do to reliably hide it.
Server-side code (i.e. code in code-behind pages, controllers, helpers, <% code nuggets %>, etc.) will of course never be visible to a web client.
Your aspx or view pages (i.e. .aspx, .cshtml, .vbhtml) files will also not be visible to web clients unless you have a significant security vulnerability, but the HTML generated by said files will be, along with any outputted or referenced JavaScript.
If the client couldn't read the HTML or JavaScript, how would the web browser be able to parse it?
Here's a question about obfuscating JavaScript, which will at least hinder but not completely remove a user's ability to view your source: How can I obfuscate (protect) JavaScript?
Similarly, one could theoretically obfuscate outputted HTML as well, but it could also likely be reversed with some work.
It is impossible for the user to see your server-side (C#) source.
It is impossible to stop the user from seeing your client-side (HTML & Javascript) source.
In terms of JavaScript - the only thing you can do is obfuscate it to an extent that makes it worthless for someone to try to understand.
None of the code behind code is sent down to the client, only the rendered HTML.
There is no way to completely remove the ability for a client to view the source of your HTML. The only thing you can do is to obfuscate your HTML to make it harder for them to tell what they're looking at.
There are many libraries out there for obfuscating HTML in .net if you do a Google search.
I'm confused really, but...
If you are on about the ASP.NET markup, you need not worry as any request to an ASP.NET page will cause the page to be compiled (if it hasn't already been, or isn't cached) which renders the page content as HTML.
If you are worried about people navigating to your code behind (e.g. mysite.com/SomePage.aspx.cs), you need not worry, as ASP.NET will not serve that content [unless the standard configuration has been changed].
If you are worried about people accessing your code through FTP, then I would suggest you change your compilation method and not deploy the source.
Am I missing anything?
