Showing posts with label ASP.NET/C#.

Tuesday, September 7, 2010

VS 2008, ASP.NET Development Server, .xslt vs .xsl filename extension

MS VS 2008, .xslt vs .xsl filename extension

The Add New Item wizard generates the .xslt extension by default. When testing locally, the file is then served by the "magic" Cassini (ASP.NET Development Server).

Everything works fine until you try to load the XSLT file with XMLHttpRequest.
Cassini sends an incorrect Content-Type:

HTTP/1.1 200 OK
Server: ASP.NET Development Server/9.0.0.0
Date: Tue, 07 Sep 2010 13:02:40 GMT
X-AspNet-Version: 2.0.50727
Cache-Control: private
Content-Type: application/octet-stream
Content-Length: 347
Connection: Close

and of course XHR (correctly) refuses to populate the xhr.responseXML property.

Questions:
How can you configure the ASP.NET Development Server, or the .NET web application itself, to serve the "correct Content-Type"?
What is the "correct Content-Type" anyway?
Will XHR be able to read this "correct Content-Type" (cross-browser, of course)?

Thanks for one nice default that is inconsistent with another one.

Because a twisted version of XHR and MSIE 7.0 were in use, it was hard to spot.

Solution?

Use .xsl instead of .xslt.
The ASP.NET Development Server serves .xsl files with a text/xml Content-Type, which seems to work ;-)
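One way to answer the first question without renaming files, as an added example that is not part of the original post: an IHttpHandler that takes over *.xslt requests inside the application and serves them with an explicit XML Content-Type. It keeps text/xml because that is what Cassini already sends for .xsl and what the post found XHR accepts. The namespace, class name and the web.config registration are assumptions made for this example.

```csharp
// Added example, not code from the original post. Serves *.xslt with an explicit XML
// Content-Type so XMLHttpRequest populates responseXML. Namespace, class name and the
// registration below are assumptions made for this example.
//
// web.config (system.web section, which is the one Cassini honours):
//   <httpHandlers>
//     <add verb="GET,HEAD" path="*.xslt" type="Sample.XsltStaticHandler" />
//   </httpHandlers>
using System;
using System.IO;
using System.Web;

namespace Sample
{
    public class XsltStaticHandler : IHttpHandler
    {
        // text/xml is what Cassini already sends for .xsl and what the post found XHR accepts.
        private const string XmlContentType = "text/xml";

        // Stateless, so one instance can serve many requests.
        public bool IsReusable { get { return true; } }

        public void ProcessRequest(HttpContext context)
        {
            HttpRequest request = context.Request;
            HttpResponse response = context.Response;

            // PhysicalPath is ASP.NET's mapping of the normalized request path. Still refuse
            // anything that is not an existing .xslt file below the application root, so a
            // mis-registration cannot turn this handler into a generic file reader.
            string physicalPath = request.PhysicalPath;
            string appRoot = request.PhysicalApplicationPath;

            bool insideApp = physicalPath.StartsWith(appRoot, StringComparison.OrdinalIgnoreCase);
            bool isXslt = string.Equals(Path.GetExtension(physicalPath), ".xslt",
                                        StringComparison.OrdinalIgnoreCase);

            if (!insideApp || !isXslt || !File.Exists(physicalPath))
            {
                response.StatusCode = 404;
                return;
            }

            response.ContentType = XmlContentType;
            response.TransmitFile(physicalPath);
        }
    }
}
```

Cassini routes every request through ASP.NET, so the httpHandlers entry is enough there. On IIS 6 the .xslt extension must additionally be mapped to aspnet_isapi.dll, and on IIS 7 in integrated mode the handler goes under system.webServer/handlers (or you skip the handler entirely and add a staticContent/mimeMap entry for .xslt).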

Thursday, May 6, 2010

ViewLocationFormats (just code hint)

To use the standard engine but search a modified (extended) list of locations:

protected void Application_Start()
{
    ViewEngines.Engines.Clear();
    ViewEngines.Engines.Add(new WebFormViewEngine()
    {
        // only ViewLocationFormats is overridden; MasterLocationFormats and
        // PartialViewLocationFormats keep the WebFormViewEngine defaults
        ViewLocationFormats = new[]
        {
            "~/MYEXTRALOCATION/Views/{1}/{0}/Form.aspx",
            "~/Views/{1}/{0}.aspx",
            "~/Views/{1}/{0}.ascx",
            "~/Views/Shared/{0}.aspx",
            "~/Views/Shared/{0}.ascx"
        },
    });
    RegisterRoutes(RouteTable.Routes);
}

Thursday, February 18, 2010

Antisample - Custom implementation of TextBoxWithLabelFor

Another piece of "almost dangerous" code, this time from the already mentioned ISBN 978-1-933988-62-7:

// helper code
public static string TextBoxWithLabelFor<TModel, TProperty>(
    this HtmlHelper<TModel> htmlHelper,
    Expression<Func<TModel, TProperty>> expression,
    string label)
    where TModel : class
{
    string labelHtml =
        string.Format("<label for=\"{0}\">{1}:</label>",
            ExpressionHelper.GetInputName(expression),
            label); // !!!!!! ENCODING ???????
    string textboxHtml = htmlHelper.TextBoxFor(expression);
    return labelHtml + "&nbsp;" + textboxHtml;
}
// usage
<%= Html.TextBoxWithLabelFor(c => c.MaxAttendees, "Max Attendees") %>


A raw string, output into the HTML plane without encoding.
Today "the label" is a constant typed in the view,
tomorrow it can be metadata obtained from another source,
some day after that, user input....

The API that writes the output should be responsible for encoding..... no assumptions about its callers....
CWE-116: Improper Encoding or Escaping of Output
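The same helper with every fragment encoded for the context it lands in, as an added example (not the book's code and not from the original post). It targets ASP.NET MVC 2, where TextBoxFor returns MvcHtmlString and TemplateInfo.GetFullHtmlFieldId produces the id TextBoxFor emits, so the label's for attribute matches; the namespace and class name are assumptions.

```csharp
// Added example, not the book's helper. Encodes the attribute value and the element text
// separately, because the two contexts have different escaping rules. Targets ASP.NET MVC 2;
// namespace and class name are assumptions for this example.
using System;
using System.Linq.Expressions;
using System.Web;
using System.Web.Mvc;

namespace Sample
{
    public static class LabelExtensions
    {
        public static MvcHtmlString TextBoxWithLabelFor<TModel, TProperty>(
            this HtmlHelper<TModel> htmlHelper,
            Expression<Func<TModel, TProperty>> expression,
            string label)
            where TModel : class
        {
            if (htmlHelper == null) throw new ArgumentNullException("htmlHelper");
            if (expression == null) throw new ArgumentNullException("expression");

            // Same id TextBoxFor generates (prefix applied, then sanitized), so for="" matches.
            string fieldName = ExpressionHelper.GetExpressionText(expression);
            string fieldId = htmlHelper.ViewData.TemplateInfo.GetFullHtmlFieldId(fieldName);

            // Attribute context -> HtmlAttributeEncode; element text context -> HtmlEncode.
            // The label is treated as untrusted even while it is still a view-time constant.
            string labelHtml = string.Format(
                "<label for=\"{0}\">{1}:</label>",
                HttpUtility.HtmlAttributeEncode(fieldId),
                HttpUtility.HtmlEncode(label ?? string.Empty));

            MvcHtmlString textboxHtml = htmlHelper.TextBoxFor(expression);
            return MvcHtmlString.Create(labelHtml + "&nbsp;" + textboxHtml.ToHtmlString());
        }
    }
}

// usage (MVC 2 view):
// <%= Html.TextBoxWithLabelFor(c => c.MaxAttendees, "Max <Attendees>") %>
// label text renders as: Max &lt;Attendees&gt;:
```

Returning MvcHtmlString matters as much as the encoding: in MVC 2 the <%: %> syntax leaves an MvcHtmlString alone but encodes a plain string, so a helper that returns string forces its callers to choose between double-encoding and raw output.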

System.Web.Mvc.TagBuilder, dangerous, undocumented, suboptimal, useless ?

http://msdn.microsoft.com/en-us/library/system.web.mvc.tagbuilder.aspx

System.Web.Mvc.TagBuilder

Do we (they) really need this class ?

Useless, "non-validating" constructor

Accepts any characters and builds an invalid tag name
for HTML, XHTML and XML:
<<&>Is this valid 'tag name' ?</<&>

MergeAttribute producing invalid attribute names

Accepts any characters and builds invalid
or even injected attributes for HTML, XHTML and XML:

<a Small="Small" is:this:correct:name="" small="small" xss="..">...<a xss="">Is this valid attribute name ?</a>

Of course it encodes the attribute value, but...... (to be shown later)

Border conditions:
a null value is converted to ""
a duplicate call for the same attribute name is silently ignored
attribute names are case-sensitive with respect to duplicates and sorting

What the tag builder really is?

return String.Format(CultureInfo.InvariantCulture, "<{0}{1}>{2}",
    // not validated, not encoded
    TagName,
    // HttpUtility.HtmlAttributeEncode
    // encoded values,
    // not encoded names !!!
    GetAttributesString(),
    // raw InnerHtml supplied or
    // HttpUtility.HtmlEncode(innerText)
    // null translated to ""
    InnerHtml);

Do we really need 140 lines of code to achieve this?
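A thin guard around TagBuilder that closes the three gaps listed above (unchecked tag names, unchecked attribute names, case-only duplicates), as an added example that is not MVC's code and not from the original post. Names are restricted to an ASCII subset of the XML Name production, which is deliberately tighter than what HTML parsers tolerate; the class and method names are assumptions.

```csharp
// Added example, not System.Web.Mvc code. Rejects what TagBuilder accepts unchecked:
// arbitrary tag names, arbitrary attribute names and attributes differing only in case.
// Class and method names are assumptions for this example.
using System;
using System.Linq;
using System.Text.RegularExpressions;
using System.Web.Mvc;

namespace Sample
{
    public static class CheckedTagBuilder
    {
        // First char: letter or '_'; rest: letters, digits, '_', '-', '.'.
        // No ':' (namespace prefixes) and no non-ASCII: conservative on purpose.
        private static readonly Regex NamePattern =
            new Regex(@"^[A-Za-z_][A-Za-z0-9_.\-]*$", RegexOptions.CultureInvariant);

        public static bool IsValidName(string name)
        {
            return !string.IsNullOrEmpty(name) && NamePattern.IsMatch(name);
        }

        // new TagBuilder("<&") happily renders <<&>...</<&>; this refuses it.
        public static TagBuilder Create(string tagName)
        {
            if (!IsValidName(tagName))
                throw new ArgumentException("Invalid tag name: " + tagName, "tagName");
            return new TagBuilder(tagName);
        }

        // MergeAttribute(key, value) silently keeps an existing value, and its dictionary is
        // ordinal (case-sensitive), so "Small" and "small" both survive into the markup.
        // Fail loudly in both cases instead.
        public static void SetAttribute(TagBuilder tag, string name, string value)
        {
            if (tag == null) throw new ArgumentNullException("tag");
            if (!IsValidName(name))
                throw new ArgumentException("Invalid attribute name: " + name, "name");

            bool alreadySet = tag.Attributes.Keys.Any(
                k => string.Equals(k, name, StringComparison.OrdinalIgnoreCase));
            if (alreadySet)
                throw new InvalidOperationException("Attribute already set: " + name);

            // Value encoding is TagBuilder's job (HtmlAttributeEncode); null becomes "".
            tag.MergeAttribute(name, value ?? string.Empty);
        }
    }
}

// Create("<&")                                        -> ArgumentException
// SetAttribute(a, "xss=\"\" onclick", "x")            -> ArgumentException (would inject)
// SetAttribute(a, "Small", "1"); SetAttribute(a, "small", "2") -> InvalidOperationException
```

Validating the names and letting TagBuilder keep encoding the values splits the work along the same line the post draws: names are structure and must be whitelisted, values are data and must be encoded.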

Coming soon: HttpUtility.HtmlAttributeEncode and HttpUtility.HtmlEncode
challenged

Monday, December 21, 2009

WARNING: Request.ApplicationPath and Forms Authentication

In the previous post I made some remarks about concatenating Request.ApplicationPath in an application running in the root.

Another risk with this approach is related to "cookieless Forms-based authentication". In that case URLs carry the authentication ticket as a segment of the URI path. However, Request.ApplicationPath does not contain this token segment.

Thus using this "fixed" version of the concatenation:

HyperLink2.NavigateUrl = Request.ApplicationPath.Length > 1 ? Request.ApplicationPath + "/foobar.txt" : "/foobar.txt";

is also incorrect, and will produce a link without the auth token.

Monday, December 7, 2009

Anti-Sample Of The Day - Request.ApplicationPath +"/mypath"

Imagine the following 3 alternatives for setting a link URI:

<asp:HyperLink ID="HyperLink1" runat="server" NavigateUrl="~/foobar.txt" Text="asp:HyperLink ~foobar.txt"/><br/>
<asp:HyperLink ID="HyperLink2" runat="server" NavigateUrl="" Text="HyperLink2.NavigateUrl = Request.ApplicationPath + '/foobar.txt';"/><br/>
<a href="<%=Request.ApplicationPath+"/foobar.txt"%>">Request.ApplicationPath+"/foobar.txt"</a>
<script runat="server">
protected void Page_Load(object sender, EventArgs e)
{
HyperLink2.NavigateUrl = Request.ApplicationPath + "/foobar.txt";
}
</script>


Run under /sample application (seems fine):
href=
1."../../../../foobar.txt"
2."/sample/foobar.txt"
3."/sample/foobar.txt"

Run under / (breaks links 2,3):
1."foobar.txt"
2."//foobar.txt"
3."//foobar.txt"



Source: MSDN, search for ApplicationPath samples. One is located directly in the ApplicationPath docs:
http://msdn.microsoft.com/en-us/library/system.web.httprequest.applicationpath.aspx
with a small excuse in the Remarks section:
Use this property to construct a URL relative to the application root from a page or Web user control that is not in the root directory.
BTW: in the "equivalent Servlet API", getContextPath(), they made a decision that eliminates this sort of concat mistake:
The path starts with a "/" character but does not end with a "/" character. For servlets in the default (root) context, this method returns "".
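A link built so that it stays correct for both cases raised in this post and the one above it (application deployed at "/" and cookieless Forms Authentication), as an added example that is not code from either post. It uses VirtualPathUtility.ToAbsolute for the root case and Response.ApplyAppPathModifier for the token segment; the page and helper names are assumptions, and HyperLink2 is the control from the markup above. ApplyAppPathModifier is documented for cookieless session state; this example relies on the same path modifier carrying the Forms Authentication ticket.

```csharp
// Added example, not code from the original posts. Builds the link to ~/foobar.txt so that
// it is correct for a root-deployed application and keeps the cookieless auth token.
// Page and helper names are assumptions for this example.
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

public class LinkSamplePage : Page
{
    protected HyperLink HyperLink2;   // the control declared in the post's .aspx markup

    // Request.ApplicationPath is "/" for a root application, so ApplicationPath + "/foobar.txt"
    // gives "//foobar.txt", which browsers read as a scheme-relative URL for the host
    // "foobar.txt", not as a file on this site. ToAbsolute handles the root case correctly:
    //   ("~/foobar.txt", "/sample") -> "/sample/foobar.txt"
    //   ("~/foobar.txt", "/")       -> "/foobar.txt"
    public static string ToAbsoluteAppPath(string appRelativePath, string applicationPath)
    {
        if (appRelativePath == null || !appRelativePath.StartsWith("~/", StringComparison.Ordinal))
            throw new ArgumentException("expected an application-relative (~/) path", "appRelativePath");
        return VirtualPathUtility.ToAbsolute(appRelativePath, applicationPath);
    }

    // ApplyAppPathModifier inserts the cookieless token segment, e.g. "/sample/(F(...))/foobar.txt",
    // when the current request carries one; otherwise it returns the path unchanged.
    private string RootedClientUrl(string appRelativePath)
    {
        string absolute = ToAbsoluteAppPath(appRelativePath, Request.ApplicationPath);
        return Response.ApplyAppPathModifier(absolute);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        HyperLink2.NavigateUrl = RootedClientUrl("~/foobar.txt");

        // Simpler alternatives that are also correct:
        //   HyperLink2.NavigateUrl = "~/foobar.txt";      // the control resolves it, like link 1
        //   <a href="<%= ResolveClientUrl("~/foobar.txt") %>">...</a>   // in raw markup
        // Both emit a relative URL, which keeps whatever token segment the current URL has.
    }
}
```

The "//foobar.txt" result is worth treating as more than a broken link: a scheme-relative href points the browser at another host, so a link-building bug of this kind can become an off-site redirect once the concatenated suffix is influenced by anything user-controlled.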

Prove Me Wrong, please - First line of HTTP request

There is no reliable way to retrieve the EXACT form of the URI specified in the first line of an HTTP request.
This applies to the Servlet API (need for a cross-container solution working on Tomcat, WebSphere 6.0.2, 6.1, 7.x, and others), as well as to the ASP.NET runtime (2+) on IIS 5.1 (and maybe others, not tested) with the standard modules in action.


Sniffed request:
GET /UriHandler.aspx/[%5d HTTP/1.1

Expected result:
/UriHandler.aspx/[%5d


Mission: tell me THE MAGIC API to achieve this.

Also wanted: a description and comparative tables of IIS and ASP.NET URL normalization on IIS 5, 6 and 7, with/without URLScan, and the other URL-related HTTP.sys and IIS settings. I mean the complete IIS URL handling stack for all IIS versions ;-)

Friday, December 4, 2009

Anti-sample Of The Day - Cast, Null reference, If Too Late

Unbelievable what we can find on the net :-(

public void Init(HttpApplication context)
{
    context.BeginRequest += delegate(Object sender, EventArgs ea)
    {
        HttpApplication ha = sender as HttpApplication;
        // dereferenced here, one line before the null check
        String absoluteUrl = ha.Context.Request.Url.ToString().ToLower();
        if (ha != null)
        {
            // ...
        }
    };
}


The sample is called "Real World HttpModule Examples"; the subtitle of the web site is "... Home for AJAX, Silverlight, and .NET Technology, Architecture, and Elegance". Published in 2007.
More bad news: the author is an MVP [ASP.NET] ;-(
http://www.netfxharmonics.com/2007/08/Real-World-HttpModule-Examples.aspx
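The same BeginRequest hook done in the right order, as an added example that is not the quoted sample's code: the cast is checked before anything is dereferenced, and the culture-sensitive ToLower() is replaced by an ordinal, case-insensitive comparison of the path that was actually sent. The module name and the "/admin/" prefix are assumptions for this example.

```csharp
// Added example, not the quoted sample. Checks the cast before dereferencing and compares
// the path ordinally instead of lower-casing it under the current culture.
// Module name and the "/admin/" prefix are assumptions for this example.
using System;
using System.Web;

namespace Sample
{
    public class UrlInspectModule : IHttpModule
    {
        public void Init(HttpApplication context)
        {
            context.BeginRequest += OnBeginRequest;
        }

        private static void OnBeginRequest(object sender, EventArgs ea)
        {
            HttpApplication ha = sender as HttpApplication;
            if (ha == null || ha.Context == null)
                return;                               // check first, dereference second

            string absolutePath = ha.Context.Request.Url.AbsolutePath;
            if (IsAdminPath(absolutePath))
            {
                // Flag the request for later stages (handlers, other modules) instead of
                // acting on a lower-cased copy of the URL.
                ha.Context.Items["IsAdminRequest"] = true;
            }
        }

        // ToLower() uses the current culture, so "ADMIN" does not round-trip to "admin" under
        // every culture (the Turkish dotless i is the classic case). OrdinalIgnoreCase compares
        // the bytes that were sent and needs no temporary lower-cased string.
        public static bool IsAdminPath(string absolutePath)
        {
            return absolutePath != null
                && absolutePath.StartsWith("/admin/", StringComparison.OrdinalIgnoreCase);
        }

        public void Dispose()
        {
        }
    }
}
```

Prefix checks on a path are only as good as the normalization that precedes them, which is exactly the gap the "Prove Me Wrong" post above complains about; a module that gates access on the path should do so after the pipeline has finished normalizing it, or compare against the canonical form it will actually serve.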