We need to stop copy paste of few characters like '<' or '>' or any characters which can be potentially dangerous.
I know we can set a property RequestValidation to false, but for some reason we would not want to do that.
What we want to do is when the user tries to paste a text in the textbox, we want to validate the text and do a pattern match against the defined list of characters to be filters.
We tried various textbox events like OnPaste (Works in IE as well as Mozilla, but in Mozilla we are not able to get the content from the clipboard), OnBlur (Works fine but does not works when clicked on checkbox with runat as Server) and few others with no real progress.
Would appreciate if anyone of you guys can help me and help me sooner as we are in deadlines!
Thanks a lot,
Atul
First of all, you really shouldn't be accessing the user's clipboard, even if some versions of IE allow it. For reasons of integrity, that's simply nothing a browser should be dealing with. Either way, you could check the textbox value after paste, rather than inspecting the clipboard content during paste.
However, better still would probably be to perform this validation on submit. Try the built in regular expression validators. Because really, you worry about users submitting dangerous characters, right, not about the fact that they actually pasted them?
EDIT (example)
<asp:TextBox ID="txtName" runat="server"/>
<asp:RegularExpressionValidator ID="regexpName" runat="server"
ErrorMessage="This expression does not validate."
ControlToValidate="txtName" Display="Dynamic"
ValidationExpression="^[^<>]$" />
Are you trying to modify what is in the users clipboard before the paste? Why not attach a onchange event that does any validation that you require? You could replace out any characters that you don't want in there.
Related
At the client's request, we just upgraded a custom CMS system for a large site from FCKEditor 2.x to CKEditor 3.5.3.
Inside an ItemTemplate I have a custom UserControl tag in which the attributes are populated by DataBinding, like so:
<my:Viewer runat="server">
<ItemTemplate>
<my:CustomTag runat="server"
ImageUrl='<%# DataBinder.Eval(Container.DataItem, "ImageUrl") %>' />
</ItemTemplate>
</my:Viewer>
So, the point is that the above works just fine. However, when the HTML is put into the latest CKEditor, CKEditor changes the ImageUrl attribute to use double-quotes instead of single quotes. Once it's changed to double quotes, it causes a parsing error on the .aspx page. Changing: "ImageUrl" to "ImageUrl" works, but it's not ideal for our client who is going to have to update every page that exists in a very large CMS system. So, I'm asking this question hoping someone might know of a way to toggle CKEditor to use single quotes in HTML attributes by default instead of double quotes to reduce the amount of work my client is going to have to do.
I'm only looking for easy configuration-type changes, not patching the editor, etc.
This should do what you want
Taken from here
http://cksource.com/forums/viewtopic.php?f=11&t=20647&sid=f47526ecfb1f2303ad0b923ceed7aafe&start=10
To avoid CKEditor changing special chars:
switching in source view:
CKEDITOR.instances.TEXT.on( 'mode', function(ev) {
if ( ev.editor.mode == 'source' ) {
var str=ev.editor.getData();
str=str.replace(/&/g, "&").replace(/>/g, ">").replace(/</g, "<").replace(/"/g, "\"");
ev.editor.textarea.setValue(str);
}
});
When save edited document:
var html=CKEDITOR.instances.TEXT.getData()
html=html.replace(/&/g, "&").replace(/>/g, ">").replace(/</g, "<").replace(/"/g, "\"");
I'm going to say that the " solution that I mentioned being too much work is simply the only answer...just to put some closure on this. Or, if I can find a way, I'll withdraw the question. Thanks rqmedes for trying...I'd actually forgotten all about this question until I got your response
:)
Drop Down list comes in front of all the controls. I have a calander extender for the text box which is right above(top) the drop down. when the calender pop's out it goes under i.e behind the drop down. Any solution friends.
How about posting some code/markup?
It wont like it via the google intellisense but you need to add the following to your DropDownList markup:
<asp:TextBox runat="server" id="TextBox1" autocomplete="off" />
By default if asp.net finds an attribute that it doesnt recognise then it simply passes it through into the underlying html that is generated.
Note 1: There is some kind of AutoComplete setting for this control but this doesnt do what you need it to do, you need the lowercase version like I have stated above.
Note 2: This is a non-standard attribute. It works in FF and IE but it will cause your validation to fail if you run it through the w3c checker.
I have a validation problem
I have a listview, in the edit item template I have two composite controls with a textbox inside
I put a comparevalidator on it
<asp:CompareValidator ID="myCompareValidator" runat="server"
ControlToValidate="mycompositecontrol1" ControlToCompare="mycompositecontrol2"
Operator="GreaterThanEqual" Type="Date" Display="Dynamic" ErrorMessage="there is an error !"
Text="!" ValidationGroup="myValidationGroup" />
It works great !
so I do exactly the same operation in the InserItemTemplate (It's a copy/paste)
but this time, it doesn't work, I have no error message in my validationsummary and near my control to validate!
If you know that problem, help me please
thanks in advance
This isn't really a good answer to the question directly, but:
I have never had any good luck with the baked in ASP validators. I always try to hammer their square peg into a round hole for a while, get close, get frustrated, then roll my own with my own logic, error messages in labels, and switching visibility with a CSS style.
P.S. when you copy pasted your validator, make sure you changed what control it is validating...
is there a simple way to suppress certain keystrokes within a textbox? for example if i only want to allow numbers.
There's nothing built-in, you will need to write some JavaScript to capture and ignore the keys you want to disallow.
Or you can use this FilteredTextBox control extender, from the ASP .NET AJAX Control Toolkit
You could also use a <asp:CompareValidator>. E.g.
<asp:CompareValidator ID="valNumbersOnly" runat="server"
ControlToValidate="controlYouWantToValidate"
Operator="DataTypeCheck"
Type="Integer"
ErrorMessage="Please enter only numbers">*</asp:CompareValidator>
Or you could go even further and use a regular expression validator.
These solutions will work with and without javascript, so they will validate client side and server side. Not everyone has javascript turn on!
HTHs,
Charles
The following asp label fails to be displayed in the browser, can someone please
tell me what I am doing wrong. I expect to see the value <abc> but instead
I get nothing.
<asp:Label ID="Label1" runat="server" Text="<abc>"></asp:Label>
By the way, I realize that I can accomplish the same thing doing the following:
<asp:label id="Message1" runat="server"> <abc> </asp:Label>
But that is not really what I am asking for, what I would like to know is if using a string such as "<abc>" in an attribute value for an asp elements is allowed or not. In other words, is this an ASP.Net bug or is this behavior by design and if it’s by design what’s the reason for such design?
Thank you very much.
Believe it or not, but you can include entities without escaping them, thus:
<asp:Label runat="server" ID="myLabel" Text="<abc>" />
This will render an <abc> tag.
Edit: OK, sorry, you want to display the brackets, not make a tag, of course..
Using entity references in the Text attribute will give the same result - an (invisible) <abc> tag - because they are translated when the tag is parsed server-side. What you must do is:
<asp:Label runat="server" ID="myLabel" Text="<abc>" />
This will give the desired result - the & entity reference will render an ampersand to the client. Followed by lt;, the result is a correct client-side entity reference (<). Which will render as <.
To answer you questions explicitly: Yes, using entity references in ASP.NET attributes is (obviously) OK, since it's an XML format. This is not really a 'decision' on Microsoft's part (and certainly not a bug) - i's simply XML.
The trick is realizing when the entity references are parsed (when the tag is parsed on the server), and what the resulting text is, which is what will be sent to the client.
Yes it's allowed of course. Label control's purpose is to show text and markup to client. And it's really useful I think. injected code is your responsibility.
The asp.net aspx parser will unescape the "<" and ">" to "<" and ">". It will generate something like this method:
[DebuggerNonUserCode]
private Label __BuildControlLabel1()
{
Label __ctrl = new Label();
base.Label1 = __ctrl;
__ctrl.ApplyStyleSheetSkin(this);
__ctrl.ID = "Label1";
__ctrl.Text = "<abc>";
return __ctrl;
}
If you wanted to write it in the text property you could double escape like "<", but it is probably easier just to write it between start and end tags like you mention.
<asp:Label ...><abc></asp:Label>.