I need to localize an ASP.NET webapp with lots of pages.
So far what I'm doing is replacing all text with literals where needed, and I'm adding <%$ Resources: restype, reskey %> tags wherever needed. All the strings come from my database.
The problem is that putting all the text in the database is just a huge time spender.
I really don't want to be putting all the text in the database manually, because every time I finish a new page I have to go over the same exercise again.
So I came up with an idea:
What if I extended the localization resource handler with a default value like this (pseudo code):
<asp:literal runat="server" Text='<%$ Resources: restype, reskey, 'This was the hard coded text' %>' />
When the page was first loaded the string resource wouldn't be in the database, but having the default text I can add it with the known resource type and key to my database. I could prefix the default values with a question mark, for example. This allows me to check my table with strings, and everywhere I see a text with a question mark I know it needs translating.
This way I only have to add resource tags to my markup and I avoid inserting all the text in my database. I just have to make sure to load every page once, which I can do locally in debug, and then send the non-translated labels to a translator.
Please advise on this approach.
What we do here where I work is to declare string resources using a special helper class. When the application is run, new string resources defined in code are auto-inserted into the database with their default value. The application works without any preparation steps. Later you can change the strings.
But yes, it requires some wrapper code to write.
Sounds like a nice idea, especially if you can't go along with the standard resource files mechanism which is automatically generated by VS.
Rick Strahl has written a solution for localizing ASP.net webapps to the DB. He's written some kind of Ajax UI which would even allow your users to translate the Webapp. The source code is also open, so you may take a look at it when developing your own solution.
Here's the link: http://www.west-wind.com/WestWindWebToolkit/
Related
I got a simple Site with a textbox where the user can enter some stuff. That Text is analysed and fancy stuff is done with it (like counting the words, displaying the text in another textbox).
No Database-Connection exists. No data is saved permanently.
Do I still have to worry about code injection?
Can something harmful be done?
I agree with #nmat and want to add here that if you want to check the security, the only thing you need to consider is cross-site scripting due to weird inputs in the textbox. You can use the Anti-Cross Site Scripting Library for validation. The same site also has details regarding what I just said.
Depending on how you implement the application behaviour, plenty of things could go wrong. You don't have to worry about SQL injection because you don't have a database, but you may have problems if you aren't careful with the submitted data.
Add ASP validators to the TextBox to ensure that the user only submits data that you expect to receive. Ex: add a maximum length, a regex or other custom validation. ASP validators work both on the client side and on the server side so this should be enough protection in this case.
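The validator setup described in the answers above, combined with HTML encoding when the text is written back to the page, shown as an added example that is not code from any of the posts. The page class, the control IDs and the 2000-character limit are assumptions.

```csharp
// Added example. Assumed markup in Default.aspx (IDs are hypothetical):
//   <asp:TextBox ID="txtInput" runat="server" TextMode="MultiLine" />
//   <asp:RequiredFieldValidator runat="server" ControlToValidate="txtInput"
//        ErrorMessage="Text is required." />
//   <asp:RegularExpressionValidator runat="server" ControlToValidate="txtInput"
//        ValidationExpression="^[\s\S]{1,2000}$" ErrorMessage="Maximum 2000 characters." />
//   <asp:Button ID="btnAnalyse" runat="server" Text="Analyse" OnClick="btnAnalyse_Click" />
//   <asp:Literal ID="litWordCount" runat="server" />
//   <asp:Literal ID="litEcho" runat="server" />
// Notes: TextBox.MaxLength is ignored when TextMode is MultiLine, hence the regex.
// RegularExpressionValidator skips empty input, hence the RequiredFieldValidator.
using System;
using System.Web;
using System.Web.UI;

public partial class _Default : Page
{
    protected void btnAnalyse_Click(object sender, EventArgs e)
    {
        // Client-side validation can be switched off in the browser; the same
        // validators have already run on the server and set Page.IsValid.
        if (!Page.IsValid)
        {
            return;
        }

        string text = txtInput.Text;

        // The "fancy stuff": count whitespace-separated words.
        char[] separators = new[] { ' ', '\t', '\r', '\n' };
        int words = text.Split(separators, StringSplitOptions.RemoveEmptyEntries).Length;
        litWordCount.Text = words.ToString();

        // A length limit does not neutralise markup. Literal.Text is written to
        // the response as-is, so encode user text before echoing it.
        litEcho.Text = HttpUtility.HtmlEncode(text);
    }
}
```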
I am trying to use a checkbox that is dynamically declared in a .vb file that I am trying to write into my .aspx page. I am able to write a normal checkbox of <input type='checkbox' /> from the .vb Class using Response.write, but it comes up blank when using <asp:Checkbox runat='server' />. I need to pass whether or not the box is checked back to the server, because I am having to either approve something if one is checked, reject something if the other is checked or do nothing if neither are checked. I have figured out how to make them mutually exclusive either way so that is not the problem. Does anyone have any recommendations?
Your problem lies in the order that the pages are compiled in: When you place an asp control like the asp:checkbox, it is compiled into a regular checkbox with some javascript attached when it is sent over to the client.
When you write the string "<input type='checkbox' />" to the page from the code-behind it is writing that string directly to the page, after the aspx page has compiled its controls, but since that is valid html the browser renders the control. When you write the asp:checkbox, the browser doesn't know what to do with it, because it is not valid html. In addition, the page has already been compiled, so there is no chance of .net creating the correct control for you.
You need to programmatically add the control to the webpage by creating a new control through the code behind.
This site does a great job explaining it
And #toodles seems spot on. Writing static html and asp.net are two totally different ball games. I would spend a bit of time (like hours/days) reading/watching learning material to help you get on your feet.
The technical answers you are getting are all good. However, your question indicates that you really need to start by learning how asp.net server controls work. I suggest spending a couple hours watching the videos at http://asp.net and particularly http://www.asp.net/general/videos/intro-to-aspnet-controls
Then focus on understanding the page lifecycle and you'll have enough of the basics to be much more effective at asp.net. Have fun!
You can't use response.write to create server controls.
See this site for an example of the right way to do it:
http://msdn.microsoft.com/en-us/library/kyt0fzt1.aspx
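Creating the checkboxes through the code-behind, as the answers above recommend, shown as an added example that is not taken from the posts or the linked pages. It is written in C# (the same classes are available from VB), and the page class, the PlaceHolder, Button and Label IDs are assumptions.

```csharp
// Added example. Assumed markup in Review.aspx (IDs are hypothetical):
//   <asp:PlaceHolder ID="phChoices" runat="server" />
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
//   <asp:Label ID="lblResult" runat="server" />
using System;
using System.Web.UI;
using System.Web.UI.WebControls;

public partial class Review : Page
{
    private CheckBox chkApprove;
    private CheckBox chkReject;

    // Dynamic controls must be re-created on every request, postbacks included,
    // with the same IDs and early enough (Init) for ASP.NET to load the posted
    // values into them before the click handler runs.
    protected void Page_Init(object sender, EventArgs e)
    {
        chkApprove = new CheckBox { ID = "chkApprove", Text = "Approve" };
        chkReject = new CheckBox { ID = "chkReject", Text = "Reject" };
        phChoices.Controls.Add(chkApprove);
        phChoices.Controls.Add(chkReject);
    }

    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        // Mutual exclusion done in client script can be bypassed by a crafted
        // post, so the approve/reject decision is checked again on the server.
        if (chkApprove.Checked && chkReject.Checked)
        {
            lblResult.Text = "Choose either Approve or Reject, not both.";
            return;
        }

        if (chkApprove.Checked)
            lblResult.Text = "Approved";
        else if (chkReject.Checked)
            lblResult.Text = "Rejected";
        else
            lblResult.Text = "No action taken";
    }
}
```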
I'm currently working on an ASP.NET 3.5 project, and I wanted to know your opinion regarding the following situation, which I happen to run into sometimes:
Let's say I've defined the following control of an imaginary component framework somewhere in my code:
<Window runat="server" ID="windowTest" />
Let's assume that with the above mentioned imaginary component framework it's possible to get a reference to my Window control from the client-side using its ID (for example to change its appearance):
function MyFunc(){
    var win = GetWindow("windowTest");
}
Let's also assume that both code snippets are placed in different files, e.g. the JavaScript code in MasterPage.Master and the control in AnotherPage.aspx.
As you might already have noticed, the passing of the control's ID as a hard-coded string to the GetWindow function is a bit problematic here, since changing the control's ID is going to break the JavaScript function.
This situation surely smells like it needs a good ol' Replace Magic Number with Symbolic Constant refactoring. I can achieve this by dynamically creating the Window control and using a constant for the value of the control's ID:
AnotherPage.aspx:
Window windowTest = new Window();
windowTest.ID = Consts.ID_WINDOW_TEST;
form1.Controls.Add(windowTest);
MasterPage.Master:
function MyFunc(){
    var win = GetWindow("<%= My.Namespace.Consts.ID_WINDOW_TEST %>")
}
My question now is: How do you handle such situations? Do you create all your controls dynamically (like shown in the example above) when running into this situation, and are there any drawbacks using this approach, e.g. Designer doesn't display the control anymore? Or do you say "Screw it, nobody's going to change that control's ID" and leave it hard-coded in your code? Or do you have other approaches to this situation?
I personally am a fan of the first option (refactoring), since a) it makes sure that a change to the ID is not going to break my code and b) I almost never work with the Designer, but I thought I'd ask this question on SO to get some valuable opinions on this.
Thanks in advance for all the responses.
Greetings,
Giu
Update / Clarification:
I made a small error in the first version of this question by stating that the code snippets are placed in the same file. Since both the control and the JavaScript method are located in the same file, there is no need to create the control dynamically and define the control's ID using a constant; by defining the control directly in the .aspx file I could use its ID in the JavaScript method as follows: GetWindow("<%= windowTest.ID %>");
But, my problem is another one; the control and the JavaScript method are each placed in different files, in which case the mentioned approach of using the control's ID doesn't work anymore. Therefore I introduced the solution mentioned in my question with the constant and the dynamic creation of the control. I now corrected both the filenames in my question so that the correct scenario is described to which my question is related.
In 4.0 you can control the client ID that's generated in master/content page situations quite well. But I believe if someone changes the ID manually in the page at one place and not in the JavaScript code it will still be a problem. If you are the only one who'll be working on this code then you can always be mindful and refactor properly. Otherwise you can go in for the constants option or store the IDs in a separate resource file.
In my opinion there are two suitable solutions:
1) Use the jQuery framework to get ahold of the html element you want to address via JavaScript. jQuery is designed to be able to work with autogenerated hierarchically created control IDs.
2) Use .net Framework 4.0 and don't use autogeneration of the Control ID. (I've heard that this is a new feature in 4.0. I think in your situation it might be worth trying out)
Check out Rick Strahl's blog post entitled "A generic way to find ASP.NET ClientIDs with jQuery"... it seems to have some good ideas that could be of some help to you.
He uses jQuery, as the first responder suggested, but does it in a way that you are using ASP.NET's built-in ClientID property to get the actual id ASP.NET generates and uses a client-side friendly mechanism that enables you to write script code referencing controls that won't break with ID changes.
I need to do some checking on a validation control but I am not sure what type of text ASP.NET will think is a security issue. Can someone give me some things to try? I tried various HTML tags and it seemed to accept them fine. This is a multiline rich textbox used for saving a field of text to the database. The code for saving is inside of an If Me.IsValid with no ELSE specified, but after the save function is called it proceeds to display a 'saved' message and redirect the page. Some users have been losing work so I think the problem is that Me.IsValid is false so the save function is called but does nothing... Anyways what can I try to invalidate this with? Note I did not write the code for this I am just troubleshooting it.
It sounds like you are confusing Validator controls with ValidateRequest, an internal mechanism of ASP.Net for sanitizing requests.
Validator validation is entirely dependent on your validators. Are you using a RequiredFieldValidator? Then the invalid inputs are simply blank textboxes. Is it a RegularExpressionValidator? Then you need to enter something that doesn't match the regular expression. CustomValidator? Then you need to check the validation logic.
It sounds to me more like you're worried about the input being sanitized for running database queries with. The first thing to check is that in your Page directive, "ValidateRequest" isn't being set to "false". If it is, that would explain why HTML is being allowed through.
You should also check out the following:
How to: Protect Against Script Exploits in a Web Application by Applying HTML Encoding to Strings
Validating User Input in ASP.NET Web Pages
Then, if you'd like to try a database injection attack, just google for a basic SQL Injection tutorial.
javascript:alert('rrrrrooooaaaarrrrr');
Is a good start.
Try some ASCII Codes for non breaking spaces, carriage return, etc.
Since you're saving to a database, try some sql injection as well.
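The save flow from the question in this thread, with the missing "else" branch and a parameterized query for the database write, shown as an added example that is not the code the asker is troubleshooting. It is written in C#; the page class, control IDs, the Notes table, the "AppDb" connection string name and Notes.aspx are all hypothetical.

```csharp
// Added example. Assumed controls on the page (IDs are hypothetical):
//   txtBody (TextBox), btnSave (Button), lblStatus (Label), plus validators.
using System;
using System.Configuration;
using System.Data;
using System.Data.SqlClient;
using System.Web.UI;

public partial class EditNote : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Validator controls decide Page.IsValid. ValidateRequest is a separate
        // mechanism: it rejects the request with HttpRequestValidationException
        // before this handler runs and never sets IsValid to false.
        Page.Validate();
        if (!Page.IsValid)
        {
            // The branch the original flow lacks: tell the user nothing was
            // saved and stay on the page so the typed text is not lost.
            lblStatus.Text = "Not saved. Please correct the errors shown and try again.";
            return;
        }

        SaveNote(txtBody.Text);

        // Confirm and redirect only after the write has actually happened.
        Response.Redirect("Notes.aspx");
    }

    private static void SaveNote(string body)
    {
        string cs = ConfigurationManager.ConnectionStrings["AppDb"].ConnectionString;
        using (SqlConnection conn = new SqlConnection(cs))
        using (SqlCommand cmd = new SqlCommand(
            "INSERT INTO Notes (Body) VALUES (@body)", conn))
        {
            // The text travels as a typed parameter, never as part of the SQL
            // string, so quotes or SQL keywords in it are stored as plain data.
            cmd.Parameters.Add("@body", SqlDbType.NVarChar, -1).Value = body;
            conn.Open();
            cmd.ExecuteNonQuery();
        }
    }
}
```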
I have a web page that has a web form for signing up. I want to remove fields. I've tried removing the field code from the .asp file but obviously there are other things that I need to remove along those lines. I have full access to all the code but I need help knowing where things are linked as far as making the form work again. Our programmer bailed.
A step by step guide would be great on this. thanks.
If they're just .ASP files, you should be fine removing the field tag, along with any references to it.
I.e. you'd delete this line:
<asp:TextBox id="text1" runat="server" />
and do a search for the 'id' attribute in the rest of the file (a find on 'text1' in this case), and remove those lines.
If everything to do with that form is in the same ASP page, it's easy. You can do a simple text search for the names and/or IDs of each form field. Sometimes they're referenced in a javascript block, so you'll have to comment-out some of the form validation code referencing those fields.
If they've used some dumb Dreamweaver script for all this - good luck!
If there are #include statements, or references to external JavaScript files it's more work - you'll have to trace through them as well, hoping they don't have their own included files as well.
After removing the input parts of the markup, if it is a .asp (assuming asp v3 instead of asp.net) it is also worth going through the <% %> tags part of the page to look for references to the removed inputs. If it's asp.net then check the vb.net / c# code in the script runat server block in the page, or look in the code behind file for references and recompile.