If an aspx file compiles, is it safe to assume that it is valid XML?
Does ASP.NET work by parsing the server controls as XML?
No - only the asp controls need to be valid XML. It is completely "legal" to write non-XHTML code in an ASPX file.
I don't think you can assume that it's valid Xml for the simple reason that it can contain markup that's not valid xml or xhtml.
One quick example: You can write <br> for the "break" tag, and this will display fine in all browsers. The valid Xhmtl version is <br />, but this is not required.
XML != XHTML != ASPX
You can test this by making a DIV and putting "Hello's to all of you" which would be valid ASP and XHTML but not valid XML: "Hello's to all of you"
Related
I have the need to add a javascript include to my ASP.NET page. The url of the javascript file has two key/value pairs in the query string. But the ampersand is being escaped and I don't want that.
Page.ClientScript.RegisterClientScriptInclude("myKey",
"https://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2&s=1")
This results in the following HTML:
<script
src="https://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2&s=1"
type="text/javascript"></script>
But what I really want is:
<script
src="https://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2&s=1"
type="text/javascript"></script>
Help?
Actually the encoded ampersand is valid HTML markup. Your goal is an attempt to generate invalid markup. Unencoded ampersands are not valid.
I have run into this in the past and never found a way around it. I needed to create the URL server side and I don't like putting inline code in my aspx pages so I ended up using a Literal control and building the script tag and assigning it.
For your example:
<form id="form1" runat="server">
<asp:Literal ID="ltScriptInclude" runat="server"></asp:Literal>
Then in the Page_Load:
string url = "https://dev.virtualearth.net/mapcontrol/mapcontrol.ashx?v=6.2&s=1";
ltScriptInclude.Text = string.Format(
"<script src=\"{0}\" type=\"text/javascript\"></script>",
url);
A complete recreation would be to also do a check for the registered key by wrapping the assignment in an if like:
if (IsStartupScriptRegistered("myKey"))
{
// assign
// set the key
}
But that is probably not needed since it is not being assigned anywhere else with the change of a PostBack double assigning it.
It's not the cleanest solution and it would have been nice if the RegisterClientScriptInclude had some type of param to tell it to not encode. Unfortunately I don't think there is any way around it and the above isn't too bad. Most includes for script files usually don't have the & so the vast majority would never run into this problem.
What is the difference between these types of comments in ASP.NET's ASPX markup page?
<%-- something here --%>
and the html comment
<!-- something here -->
The first you will only see in the ASPX and not the rendered HTML Page
The second will be rendered as part of the HTML
The first is a server side comment. It will stop the .NET code from executing.
The second is plain HTML comments. The .NET code inside the comments will still be executed on the server-side but the resulting markup will be commented out to the browser.
Scott Guthrie has a short but sweet blog post covering the differences a little more:
Tip/Trick: Using Server Side Comments with ASP.NET
The <% ... %> comment is a so called server-side comment (and will not be shown in the final output). <!-- ... --> is a regular HTML comment (and will be shown in the browser by viewing the source).
The key difference is that with
client-side comments it is the browser
which is ignoring the content within
them. Code/controls within
client-side comments will still be
executed on the server and sent down
to the browser. As such, if there is
a server error caused within them it
will block running the page.
Read more about the differences here: Using Server Side Comments with ASP.NET 2.0
the first one would not appear in the final HTML output.
the second one is how you comment in HTML and it will appear in the HTML output.
This is a server side comment and will not appear in the HTML markup:
<%-- something here --%>
This is an HTML comment and will appear in the HTML markup, as it is part of it:
<!-- something here -->
I am looking to display this in my .aspx page, without using special character XML tags, can this be achieved?
<asp:ServerTag Property1="a"
Property2="b"
Property3="c" <%-- Comment why this particular property is necessary --%>
Property4="d" />
However, I am greeted with the error message Server tags cannot contain <% ... %> constructs. If I use an HTML <!-- --> tag, I'm told the server tag is not well formed.
Is there any other syntax to make this possible?
Put server-side comment above your server-side control.
<!-- client-side comment (html) - appears in html source but not rendered on page
<%-- server-side comment - stripped out on server, never sees light of day, browser never knows about it
like this
<%-- Usage:
Property2 is xyz...
Property3 will .. abc. Ignore Property 1 when this is set. etc
--%>
<asp:ServerTag Property1="a"
Property2="b"
Property3="c"
Property4="d" />
It's just like putting source code comments above your functions.
Think "server to server". It will make the difference between your HTML source looking like
cluttered with "pass through" html comment <!--:
<!-- Property usage: abc, def, ...xyz -->
Rendered server control contents.
vs. the cleaner stripped out " <%-- source:
Rendered server control contents.
Less bandwidth with latter too. No extraneous (and confusing to user) comments in HTML source.
It's not possible, no. The server tags need to be well-formed XML and you can't have tags like that in XML. You can put a comment at the top, of course, like so:
<!-- Property2 needed because... -->
<asp:ServerTag Property1="a" Property2="b" Property3="c" />
Not necessarily like that but you may want to consider decorating the property in c# to let the user know its relevance. After that something like resharper (or maybe vs) will give you this information when you try to set it.
see here this error - http://validator.w3.org/check?verbose=1&uri=http%3A%2F%2Fwww.sitecore.net%2F
runat="server" is asp.net server control syntax. It must not come in html. It is interpreted by ASP.NET. you must remove this attribute.
Possible Reason for this:
1. I think the template is dynamically created. the developer make static site and cut copy paste on server side to make it dynamic but use control as response.write and forgot to remove runat="server" because it must be html content in response.write.
NOTE: No ASP.NET server control gives runat="server" in HTML. It is hardcoded in your code. remove this from both anchor and image tag.
Er... remove the attributes? They aren't valid HTML, and they're only meaningful when interpreted by ASP.NET.
Your pages should not be rendered with runat="server", so something's definitely going wrong here. What does the part of your aspx look like, that corresponds to one of the elements that is giving this validation error?
Can anyone explain what might be causing this error. Im thinking its the quotes.
Exception Details: System.Web.HttpRequestValidationException: A potentially
dangerousRequest.Form value was detected from the client
(ctl00$ContentPlaceHolder1$DetailsView1$txtContent="...l economy.<br /><br />The
Prop...").
The contents of a control (probably a textbox) contains what ASP.net considers to be markup, eg:
<br /><br />
You can add ValidateRequest="false" to the Page directive in your .aspx file as follows:
<%# Page ........ ValidateRequest="false" ........ %>
As other answers noted, asp.net is doing this to try and protect you from potentially malicious input so make sure you're aware of the risk and encode/decode user data appropriately.
I think you can take a look at this A potentially dangerous Request.Form value was detected
Its the html "<br/>" tags.
Here's an article with a brief explanation . Also shows you how to work around it by turning off validation. Though I guess that would be a bit dangerous to just turn it off.
It actually should be
<br /><br />
it complains about.
That would be the '<' and '>'.
EDIT: It's assumed that including html entries in form responses is intended as an attack on the server on which the form resides. So, by default, any code that resembles html (i.e. includes '<' or '>') is automatically flagged as a problem.
One way to resolve this is to turn off this type of validation by setting validateRequest="false" in the Page directive for that page, but there are other (and better) ways to work around that.
Here's some information from Microsoft about this issue.
My idea: allow this exception to be thrown. Use Application_Error handler to write code, that redirects (using Response.Redirect - this is important, since this gives users’ browser ability to go back) user to a custom error page. On this page write some text explaining that users had incorrectly input some text. Something like:
"Dear user, you have entered some invalid text, like “<” or “.”. Please, enter text using only characters and numbers".
Put a link on that page, and this link can contain a javascript "back" command:
href="javascript: history.go(-1)"
Users after clicking suchlink will be redirected by their browsers to the previous page, where they can re-edit their input.