How should I write Response.Redirect() in asp.net - asp.net

In ASP.NET, two overloads of the Response.Redirect() method exist.
Public Sub Redirect(url As String)
Public Sub Redirect(url As String, endResponse As Boolean)
I would like to know the difference between these two, and which one should I use?

The first overload redirects to another URL, the second allows you to say whether the current code should continue to execute e.g. if Response.Redirect("http://philippursglove.com", True) occurs in the middle of a block of code, the rest of the block of code will keep executing and run database updates or whatever.
As to which one you should be using, we can't tell you without seeing it in the context of a bit more of your code.
Also have a look at Server.Transfer, which achieves much the same thing as Response.Redirect but without sending anything to the browser, which can take a bit of pressure off your Web server. See Server.Transfer vs Response.Redirect.

They both send your browser a 302 response telling it to request the specified page. You usually don't want the response to continue if you are redirecting someone to a new page so by default that is what Response.Redirect("/") does.
If you do want to continue processing a response though you will need to set the second parameter to false.
So in this example a will be 1:
var a = 1;
Response.Redirect("/aboutus.aspx");
a = 2;
In this example a will be 2 because the thread keeps running after the redirect.
var a = 1;
Response.Redirect("/aboutus.aspx", false);
a = 2;
Careful though if using this in a try catch. A slight oddity means that in the next example a will be 2!
var a = 1;
try
{
    Response.Redirect("/aboutus.aspx");
}
finally
{
    a = 2;
}

Related

What is this redirection called and how can it be setup for an ASP based site?

Does this redirection method have a specific name, and how do I set it up for an ASP based site?
http://www.example.com/?URL=www.redirecteddomain.com
Ok, in that case, it's not really the web server, but simply your code that can do this.
So, if your web page was:
http://localhost/MyJumpPage.aspx?URL=www.google.com
So, in your code, all you have to do is grab that 1st parameter, and then run code to jump/navigate to that page.
EG:
string strURL = "";
strURL = Request.QueryString["URL"]; // C# indexer: square brackets, not parentheses
Response.Redirect("http://" + strURL);
So, the code behind a button, or even on page load can simply pull the query value from the url string, and then jump to that URL.
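A jump page that forwards to whatever host arrives in the URL parameter is an open redirect, so the value should be checked against a list of permitted hosts before Response.Redirect is called. The following is an added example, not part of the original answer; the class name, the allowlist contents and the sample inputs are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

public static class JumpTarget
{
    // Assumption: hosts this site is willing to send visitors to (hypothetical list).
    private static readonly HashSet<string> AllowedHosts =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "www.redirecteddomain.com",
            "www.google.com"
        };

    // Returns the absolute URL to pass to Response.Redirect, or null to refuse.
    public static string Resolve(string raw)
    {
        if (string.IsNullOrWhiteSpace(raw)) return null;

        // Same shape as the answer's code: the scheme is prepended by the server.
        if (!Uri.TryCreate("http://" + raw.Trim(), UriKind.Absolute, out Uri uri))
            return null;

        if (uri.Scheme != Uri.UriSchemeHttp) return null;   // parser must agree on the scheme
        if (uri.UserInfo.Length != 0) return null;          // no "user@" part before the host
        if (!uri.IsDefaultPort) return null;                // no alternate ports
        if (!AllowedHosts.Contains(uri.Host)) return null;  // exact host match only

        return uri.AbsoluteUri;                             // parsed and normalized form
    }

    public static void Main()
    {
        // Constructed sample values standing in for Request.QueryString["URL"].
        string[] samples =
        {
            "www.google.com",
            "www.redirecteddomain.com/landing?x=1",
            "www.google.com.example.net",
            "www.google.com@example.net",
            "www.google.com:8080/",
            ""
        };
        foreach (string s in samples)
        {
            string target = Resolve(s);
            Console.WriteLine("{0,-40} -> {1}", s, target ?? "(rejected)");
        }
    }
}
```

In the page itself, call Response.Redirect with the returned value only when it is not null, and send the visitor to a fixed local page otherwise.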

VB.Net ASPX Server.Execute is treating PathInfo as Part of the Server Path

I have an aspx file Content.aspx. When you visit content.aspx/FAQ it uses the value in Request.PathInfo to determine which content to load/display from the database (in this case, the FAQ data).
This works perfectly.
Until you pass /Content.aspx/FAQ to Server.Execute(). Then it throws an Exception that an error occurred executing the Handler for the page. When I dig into the InnerException, I see the message The file '/Content.aspx/FAQ' does not exist. This leads me to believe that Execute() is not handling PathInfo correctly and is instead treating it as an actual part of the path on disk.
Is there a way to get the Execute() method to properly handle these PathInfo parameters? Unfortunately it's too late now to change the way this application is doing this as this kind of 'parameter passing' is used throughout in lieu of traditional query strings for this purpose while query strings are used mostly for more complex parameters or in combination with PathInfo modifiers.
So I found a way to resolve this, albeit it is a touch convoluted.
In my MakePagePdfHandler.vb which implements IHttpHandler (not sure how important this is, so including it for clarity), I check that the path exists, and if it does not, I know there is a PathInfo part attached. From there I can redirect back to my handler with the PathInfo attached to the handler, then we can check again for File.Exists() and compare the PathInfo for the request along with the detected path info in the URI we are trying to Server.Execute() and if they match, remove the path info from the URI to execute and the path info on the handler will "fall through" or "trickle down" as if it were present like normal.
Dim pathInfo As String
If Not File.Exists(Context.Server.MapPath(path)) Then
    Dim parts = link.Split("/") ' link contains the URI to Execute
    pathInfo = "/" + parts(parts.Length - 1)
    If context.Request.PathInfo <> pathInfo Then
        context.Response.Redirect(String.Format("{0}{1}?{2}", context.Request.Path, pathInfo, context.Request.QueryString))
        Exit Sub
    End If
End If
If pathInfo IsNot Nothing Then
    link = link.Replace(pathInfo, "")
End If
context.Server.Execute(link, strWriter)

ASP.Net WebForms malformed querystring, ? rather than &

In one of our webforms apps we have external links coming to the site where there are 2 querystring parameters, but the second param is also preceded by a ?.
Normally, your querystring will only have one ?, which is at the beginning just before the first param, and any subsequent params are preceded by &. For example:
www.somesite.com?param1=a&param2=b <---- this is properly formed
www.somesite.com?param1=a?param2=b <---- this is malformed
Yes, I know that param values can contain question marks, and it is best to escape them, but we don't have that issue.
These urls are coming from an external source and we can't do anything about them right now, but we do need to parse the querystrings properly.
With the above malformed url, Request.QueryString["param1"] yields:
a?param2=b
But if the url were properly formed it would yield:
a
Also if properly formed, Request.QueryString["param2"] would yield:
b
How best to handle such a situation, if you are unable to fix the source of the problem? I might add that the url comes to the site urlencoded.
This is the solution that I have come up with. Just fix the querystring and redirect back. In the Page_Load, I call this ProcessQS method, and have added the fix qs code to it:
private bool ProcessQS()
{
    var param1 = Request.QueryString["param1"];
    if (string.IsNullOrWhiteSpace(param1))
        return false;
    // Workaround for external links that have ? instead of & for querystring parameter beyond the first.
    // In this case, id should be preceded by &, this handles those urls that have a ? preceding id.
    if (param1.Contains("?param2="))
    {
        var qs = Request.ServerVariables["QUERY_STRING"];
        qs = HttpUtility.UrlDecode(qs);
        Response.Redirect($"~/somepage.aspx?{qs.Replace("?param2=", "&param2=")}", true);
    }
    return true;
}

Call VB Sub from Embedded GeckoWebBrowser using window.external.Sub1();

I have an aspx page on my webserver which I load through an embedded web browser on a windows form. I am able to call the Sub1 from javascript window.external procedure. This is only when using the standard VB control WebBrowser. I have the necessary permissions active with
<PermissionSet(SecurityAction.Demand, Name:="FullTrust")> _
<System.Runtime.InteropServices.ComVisibleAttribute(True)> _
This works just fine. However, I am in need of using GeckoFx as my javascript is too complex for the standard WebBrowser as well as my styling.
I have tried the same approach as is, just with the geckobrowser, but it does not work at all, is there any:
GeckoPreferences.User("somesetting") = True
that I need to activate to get it to work or is there something else I am missing?
I would just like to call the 'form close' procedure of my windows form, from the webpage which is embedded in the GeckoBrowserControl.
Refer to the following link for your answer, as it is solved here.
How to call C# method in javascript by using GeckoFX as the wrapper of XULRunner
Change this process to C# as VB cannot send the message to a procedure, only store the value and this creates a difficult situation in reading the data later.
then:
private void showMessage(string s)
{
    if (s == "some data")
    {
        //Do stuff here you need to, ie. close the form, etc
    }
}
This allows you to read the message sent and do with it what you wish.
Also important:
browser.AddMessageEventListener("myFunction", ((string s) => this.showMessage(s)));
must be before you load the html or the url
myBrowser.Navigate("www.google.com");

Open Redirect or Header Manipulation issues from Fortify scan on asp.net

We did a Fortify scan on our ASP.net application. We found that there are many header manipulation issues. All the issues are pointing to Response.Redirect(). Please have a look at the below code where I encoded the parameters. Even then the below code is counted as a header manipulation issue.
int iCount = 0;
foreach (string Name in Request.QueryString.Keys)
{
    iCount++;
    if (iCount > 1)
    {
        url += "&";
    }
    url += Name;
    if (Request.Params[Name] != null)
    {
        url += "=" + AntiXss.UrlEncode(Request.Params[Name]);
    }
}
Response.Redirect(Server.UrlPathEncode(page.root) + "/Test.aspx?" + url);
Can somebody let me know what else is required to change here to resolve the issue?
Take off the Server.UrlPathEncode(page.root) portion and use Server.Transfer() instead of Response.Redirect().
Server.Transfer() transfers the user to another page on the same site and poses little to no danger of accidentally directing someone to another site.
Response.Redirect() is good for when you want to redirect someone to another site.
Also, Fortify doesn't tend to like Request.Params[] due to its possible ambiguity. A careful attacker may be able, on some servers, to send a UTF-7 or non-printing version of a name as one of the request variables and let the name of the variable contain the actual XSS injection, or overwrite the GET-request value with a cookie of the same name. Make sure both the name and value are htmlencoded, and consider using Request.QueryString[parametername] instead of Request.Params[parametername] to avoid more issues with Fortify.
Hopefully this gets you past your Fortify issues!
It appears that Fortify perceives Name as user defined, and that will trigger the "Manipulation" error. If that's true, try to use a predefined list if possible.
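The "predefined list" suggestion, combined with the earlier advice to read from Request.QueryString rather than Request.Params, can be implemented by looping over the application's own parameter names instead of the request's keys. The following is an added example, not code from the original thread; the parameter names, the fixed path and the sample input are assumptions.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

public static class RedirectUrlBuilder
{
    // Assumption: the only parameters Test.aspx accepts (hypothetical names).
    private static readonly string[] AllowedNames = { "id", "tab" };

    // Builds a site-relative URL from a constant path plus allowlisted, encoded values.
    public static string Build(NameValueCollection query)
    {
        var parts = new List<string>();
        foreach (string name in AllowedNames)      // iterate our list, never the request's keys
        {
            string value = query[name];
            if (value == null) continue;
            // EscapeDataString percent-encodes CR, LF, '&', '=' and other reserved characters,
            // so a value cannot add a header line or an extra parameter.
            parts.Add(name + "=" + Uri.EscapeDataString(value));
        }
        const string path = "/Test.aspx";          // constant, not derived from request data
        return parts.Count == 0 ? path : path + "?" + string.Join("&", parts);
    }

    public static void Main()
    {
        // Constructed sample input standing in for Request.QueryString.
        var query = new NameValueCollection
        {
            { "id", "42" },
            { "tab", "a b\r\nX-Injected: 1" },
            { "unexpected\r\nname", "x" }
        };
        Console.WriteLine(Build(query));
    }
}
```

Because neither parameter names nor the path come from the request, the only request data that reaches the Location header is the encoded values.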
