This is my layout template (ascx without code behind)
<%# Control Language="C#" AutoEventWireup="true" Inherits="ws.helpers.LayoutUC" %>
<div>blah blah blah</div>
<ws:Panel runat="server" ID="left"></ws:Panel>
<ws:Panel runat="server" ID="main"></ws:Panel>
<ws:Panel runat="server" ID="right"></ws:Panel>
Modules will be added into ws:Panel later.
I also allow my user create their own ascx file to custom their page layout. And because of this i do a string replace all dangerous part like script tag (runat="server"), all asp.net html tag, <%, <%#, <#.... from their custom.
Im not worry about XSS, so dont comment on it, and ask why?
I want know your thinking about this. Is is safe? Is it scalable? Is it standard or a bad way?
Have a look at the INaminingContainer Interface http://msdn.microsoft.com/en-us/library/system.web.ui.inamingcontainer.aspx.
<asp:YourControl>
<LeftColumn>
<asp:Literal ID="literal1" runat="server" Text="User created literal" />
</LeftColumn>
</asp:YourControl>
In the .ascx from the users, they register your control and insert asp.net code into properties. In the 'YourControl' class you create placeholders and insert the markup set to a specific property into these placeholders. (e.g. everything between <LeftColumn> and </LeftColumn> will the inserted into
<asp:Placeholder ID="PlaceholderLeftColumn" runat="server"/>
Edit: I summed some of the TemplateContainer issue up and posted it here: http://www.tomot.de/en-us/article/2/asp.net/how-to-create-an-asp.net-control-that-behaves-as-a-template-container-to-nest-content-via-markup
You are allowing user-uploaded content; this is inherently unsafe and there are whole books dedicated to best practices. Given that you are doing it anyway, as long as you make sure you scrub the input, is it scalable? You are allowing creation of user-uploaded files on your site. How many will there be? How many users? What about load-balancing? This solution will not scale for many users, files, or servers.
It sounds like you are trying to create a simple CMS. Why not use one that exists currently, or adopt parts of an open source solution?
Related
We are in ASP.Net Webforms. I come from a LAMP Stack mindset...
ASPX Code (part of it)
<asp:Content runat="server" ContentPlaceHolderID="PH_MainContent">
<h3 class="fleft">
<asp:Literal runat="server" ID="li_title" />
...
<Example:userControl runat="server" someVariable="text" otherVariable=<%=li_title.Text%> thirdVariable=<%=Items["sort"].toString()%> />
So, li_title is a literal set in the code behind, I want to reuse it later, passing it to a userControl, where it shall be displayed in a javascript. Items is page.Items. I have also tried this.li_title (which is suggested to me in Visual Studio 2015).
After reading "quite a few" very similar questions, this seem the solution. However obviously I'm missing the point. What would that be..?
You can create a public property for each variable on your user control and set them in aspx. See this for more information
I want to use page templating in ASP.Net (Visual Studio 2012 with .Net 4.0).
The base page emits the basic template inclusive of the body, html, form, and other tags. That means the rendered pages just have what goes inside the body part. The template adds the header and footer. Although I have not finalized a design, I am looking at a concept documented here. (Yes, I know that coding practice is to not give links to pages, which can go away, but I do not want to side track the question.)
The part of each page is:
<%# Page language="c#" Codebehind="AdvancedPageInheritance.aspx.cs" AutoEventWireup="true" Inherits="PageInheritanceSample.AdvancedPageInheritance" %>
Anything after that first line is part of the body.
If I drag and drop controls onto the form, VS2012 emits code such as:
<asp:CheckBox ID="CheckBox2" runat="server" OnCheckedChanged="CheckBox1_CheckedChanged" />
<asp:Button ID="Button2" runat="server" Text="Button" />
VS2012 automagically emits the warning, "Unrecognized tag prefix or device filter 'asp'."
One thought is to simply add in the body stuff programatically, but that is a page. I rather use the GUI.
How can I avoid the warning? Is there a better way to do templates? That author wrote the article 10-years ago, so things might have changed since then. The warnings are understandable, but in error, as there is a form, body, and html tags, just not directly visible.
(I just answered my question by catching a phrase in Vs2012 and researching it a bit. Master Pages are the answer. Obviously, Microsoft must have added that with either VS2008 or VS2010. I will leave this post, as others, like me, may not know the concept "Master Page" and may reserach page templates, just like I did. I hope that this post says other people time. Google should hopefully pick up on ASP.Net and Page Templates.)
Ideally you would use the MasterPage for laying out your main template.
Your Content pages would then have the appropriate <asp:Content /> controls, where you add your content. To add a content page you would add a new 'Web Form' item in Visual Studio and, by selecting the 'Select Master Page' checkbox, you can choose the master page the content page should use.
See Here for a tutorial on Master Pages
Then you would use a BasePage for site-wide code; for example anything that has logic needed on most pages. Your Content pages would inherit this BasePage
As a side-note, see this page Unrecognized tag prefix or device filter 'asp' in VS2012 with regards to your "Unrecognized tag prefix or device filter 'asp'." message
the website I'm currently developing can display dynamically-built forms.
A form is composed of fields, which are created directly by the users and can be displayed as one of multiple types that we support (text box, list box, tickbox, radiobuttonlist etc.). The rendering logic uses a repeater that iterates over a collection of all the fields defined by the user.
Inside the repeater (directly in the aspx page), one instance of each of the types we support is defined.
<asp:Repeater ID="fieldRepeater" runat="server">
<ItemTemplate>
<asp:TextBox ID="textBox" runat="server" />
<asp:DropDownList ID="dropDownList" runat="server" />
<asp:CheckBox ID="checkBox" runat="server" />
<asp:RadioButtonList ID="radioButtonList" runat="server" />
[...]
</ItemTemplate>
</asp:Repeater>
During the loading, we figure out which control is required and actively hide all the other ones.
Being still new to the web based development world, this approach seems very odd to me. My guts would prefer keeping the UI clean and instanciate exactly the controls that are required in CodeBehind and not start "playing" with visibility... but the current approach has some obvious benefits as well.
Is it really how one would do it in a web app?
Are there some best practices here?
Thanks!
I have no idea what the best practice is here, but I have done something similar before in a previous project and tried both approaches. Both will work.
Creating the controls in code-behind can be fiddly, especially if you are having to deal with post-backs. The controls have to be created in OnInit, as otherwise they won't get the posted form values and viewstate populated. This will cause complications if any of the control creation is based on the values of other controls, as you won't known the values without manually delving into the posted form values.
The only practical disadvantage with your current approach that I can think of is that all four controls (TextBox, DropDownList etc.) have to be instantiated and processed server-side by ASP.Net, which is a bit of a waste of resources. But it's probably not too significant; maybe do some profiling to see. I do agree that it seems a bit odd though, it doesn't feel very "clean".
As you said you're new to web development, then I would recommend continuing with your current approach of including all the controls and hiding the irrelevant ones. I just found it simpler when I did, even though it may not seem as nice.
Good luck!
I would like to know how to create a RecaptchaControl template on my ASP.NET site.
I need to change the HTML of the control to fit RTL layout.
Here is the code for the control:
<%# Register TagPrefix="recaptcha" Namespace="Recaptcha" Assembly="Recaptcha" %>
<recaptcha:RecaptchaControl
ID="recaptcha"
Theme="custom"
runat="server"
PublicKey="YYYYYYY"
PrivateKey="XXXXXXX"
/>
I know this is a late reply, but probably the simplest way to go about this would be to use the CustomThemeWidget property of the recaptchacontrol. Here is a great tutorial on using it:
http://www.onequarterenglish.co.uk/using-a-custom-recaptcha-in-asp-net
Appeaars that there are some issues with rtl and recaptcha - this link pertain to drupal
but it seems with custom themeing it may be posible. I am unsure how you would imleent it with a server control. You might have to dive into the source
A simple question, I think:
I want to put a tag into an ASP.NET app I've been asked to maintain, so I'm coming at this from a newbie point of view just tinkering around the edges without knowing a lot.
I wrote an old ASP application back in 1998, so I am just running on memory...
How do I write some output to the webpage?
I know I can use an
<asp:label id="blah">
but then I need to define a Label blah; in my code behind and then assign it.
I believe that I can put in-place:
<% Response.Write("sometext"); %>
and that will write sometext in the location within the page. (Am I correct?)
Lastly, I remember there was a syntax to the effect of
<%= "some string" %>
but I can't find the documentation on it, to say either it is deprecated, unadvised, or the rationale for such a decision.
I have tried googling for "ASP.NET grammar" but I can't even find a good description that "<%=" even exists, though it is mentioned in a few blogs.
For something simple, like inject the global version number, or the current date, then I can't see anything particularly wrong with in-place composition - it would save me defining 15 labels and having to initialise them all - though perhaps the asp:label approach could reference one global instance of a label?
Just asking for opinions on good practices :)
<%= string %> is perfectly valid ASP.NET syntax. The reason you will often find references to problems with using that is people use <%= (equivalent to Response.Write) when they should use <%# (for databinding) or vice-versa.
For example, we use it very extensively in our content managed site, where we pull in values from a global settings repository:
<%= SiteContext.Current.GetSetting("SiteTitle") %>
MSDN:
MSDN entry on <%= (this is under the JScript.NET section but still applies)
MSDN entry on <%#
Some others suggest <%= is not a "best practice" or a very good approach, but I strongly disagree with that sentiment. For an MVC-ish type site (especially a site that is template- or view-driven in some way), the most direct approach is frequently more effective than using server controls.
Just be mindful that when you use an <asp:Label /> it renders the .Text inside the <span> tag whereas an <asp:Literal /> adds no extraneous HTML to the string passed to it.
For example, if you were building a content management system and wanted to display user-driven HTML, a Label control would not correctly display the output from a WYSIWYG type rich textbox whereas a Literal control is the appropriate choice.
The <%= %> is the late-bound equivalent of the Literal's .Text property. The only difference here is when the value is placed in the page (aside from obvious syntax and separation of concerns paradigm) during the course of the page lifecycle.
Since the .Text property is on a control inherited from WebControl, it can be set/read/manipulated during any of the events following the control's Load event (wherever/whenever you load the control inside the page), but the <%= %> text cannot be directly read/used/manipulated by the code-behind without referencing some other control to get to it (like a containing div's InnerHtml property).
There are lots of options. You could use a single label, and string concatenate all the data you want displayed in that location.
You could create a user control with the layout you want and assign values that way.
You could inject it directly with response.write or the <%= %> syntax
You could create an HtmlGenericControl in your code behind (it's a div), add some text to it, and inject it into the pages controls collection.
Whatever you pick, try and go with the existing style of the coded page.
Look up the term "render blocks" for the <% %> syntax.
How about using
<asp:Literal id="z" text="goofy" runat="server" />?
Labels are usually used with forms.
You can also take full control of the rendering of your pages and controls and compose whatever you need to. You control the HTML, the order of rendering your controls, etc...
Go with the <asp:label /> (or a literal control if you want to customize some html in the content). Seriously. I'ts not that hard: when you put label in your markup visual studio will create it in the code-behind for you, so there's no extra work involved.
You could use the <%= "some string" %> syntax in web forms, but there can be issues when mixing that with the asp controls and there's a good reason new frameworks moved away from mixing logic like that in with your markup.