I'm using a literal to display some JavaScript on a product page control. Basically, what I'm doing is: in my code-behind I'm declaring a new StringBuilder, writing the script while inserting some dynamic variables to populate the script, then setting the literal text to the StringBuilder. This leaves me open to XSS attacks. What can I do to prevent this?
System.Text.StringBuilder sb = new System.Text.StringBuilder();
//loop through items in the collection
for (int i = 0; i < _prod.ActiveProductItemCollection.Count; i++)
{
    sb.Append("<script type='text/javascript'>");
    //add +1 to each item
    sb.AppendFormat("mboxCreate(\"product_productpage_rec{0}\",", i + 1);
[code]...
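An added example (not part of the original post) of one way to keep dynamic values confined to JavaScript string literals when the script is built in code-behind, using HttpUtility.JavaScriptStringEncode. The productNames input and the productName= argument are hypothetical stand-ins for the dynamic values elided from the post.

```csharp
using System;
using System.Text;
using System.Web; // HttpUtility

public static class MboxScriptBuilder
{
    // Builds one <script> block per item. Every dynamic string goes through
    // JavaScriptStringEncode, so it can only ever end up as a JS string literal.
    public static string Build(string[] productNames) // hypothetical input
    {
        var sb = new StringBuilder();
        for (int i = 0; i < productNames.Length; i++)
        {
            // addDoubleQuotes: true emits the surrounding quotes too, so there
            // is no hand-written quote that a value could close early.
            string mboxName = HttpUtility.JavaScriptStringEncode(
                "product_productpage_rec" + (i + 1), true);
            // "productName=" is an assumed parameter name, not from the post.
            string nameArg = HttpUtility.JavaScriptStringEncode(
                "productName=" + productNames[i], true);

            sb.Append("<script type='text/javascript'>");
            // The values are format arguments, never part of the format string.
            sb.AppendFormat("mboxCreate({0},{1});", mboxName, nameArg);
            sb.Append("</script>");
        }
        return sb.ToString();
    }

    public static void Main()
    {
        // Constructed sample values: quotes, a backslash and a closing script
        // tag, the characters that break a naively concatenated literal.
        string[] samples =
        {
            "Blue Widget",
            "5\" bracket \\ O'Neil",
            "x</script><b>y"
        };
        // Quotes and backslashes come out backslash-escaped and angle brackets
        // as \u003c / \u003e, so the script block cannot be closed by the data.
        Console.WriteLine(Build(samples));
    }
}
```

The encoding only fits the JavaScript string context; a value written into HTML markup or an attribute needs HttpUtility.HtmlEncode or HtmlAttributeEncode instead.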
I have a grid that uses around 12 to 15 labels when I bind it, and the grid contains thousands of records. Now, if I use a Literal control instead of a Label, will it improve the speed?
Is this LINQ statement vulnerable to SQL injection?
var result = from b in context.tests where b.id == inputTextBox.Text select b;
where context is an Entity and tests is a table. I'm trying to learn LINQ and I thought that the benefit of it was that it wasn't vulnerable to SQL injection, but some stuff I've seen has said differently. Would I need to parametrize this LINQ statement to make it safer? If so, how? Also, would this be considered LINQ to SQL or LINQ to Entities?
I have got a Literal control on the page (with some data on it). I want to access it in JavaScript and want to put some text on it. How can I access a Literal control in JavaScript? (I am using ASP.NET.)
My code in JavaScript (but not working):
lths = document.getElementById("<%= lblhs.ClientID %>"); lths.innerHTML = 'this is text line"
Using a LinqDataSource control... in the Selecting event I have code like the following for a simple search feature:
[Code]....
In general, would dynamically building the 'Where' property of a LinqDataSource be vulnerable to SQL injection? Or does the control protect against this internally?
THE CODE: Session["foo"] = "bar"; Response.Redirect("foo.aspx");
THE PROBLEM:
When foo.aspx reads "foo" from the session, it's not there. The session is there, but there's no value for "foo". I've observed this intermittently in our production environment. But I don't mean here to ask a question about Response.Redirect().
THE EXPLANATION:
Bertrand Le Roy explains (the bolding is mine): Now, what Redirect does is to send a special header to the client so that it asks the server for a different page than the one it was waiting for. Server-side, after sending this header, Redirect ends the response. This is a very violent thing to do. Response.End actually stops the execution of the page wherever it is using a ThreadAbortException. What happens really here is that the session token gets lost in the battle. My takeaway there is that Response.Redirect() can be heavy-handed with ending threads. And that can threaten my session writes if they occur too near that heavy-handedness.
THE QUESTION:
What about ASP.NET session management makes it so vulnerable to this? The Response.Redirect() line of code doesn't begin its execution until the session write line is "finished" -- how can it be such a threat to my session write? What about the session write doesn't "finish" before the next line of code executes? Are there other scenarios in which session writes are similarly (as though they never occurred) lost?
I should probably say I love these forums, I've been viewing for some time and have found loads of valuable information. I'm having a problem with my project, I have an updatepanel containing several items (Two Daypilot Schedulers and a Literal Control). I have set it to conditional and have it update whenever bookings are added/modified in the schedulers. This all works perfectly! I then have a literal control which contains div items with onmouseover= parameters. The control basically contains a list of pending booking requests. On Page_Load I call a method which populates the list...which works fine.
However, whenever I call the UpdatePanel.Update() method (say, when a booking is added), the schedulers update but the literal control does not. I have gone through the debugger and found that the LiteralControl.Text property is correctly set to the new updated list just before calling the Update() method. So basically it all works perfectly apart from the literal control not updating along with the schedulers in the UpdatePanel.
I am maintaining some ASP.NET code. When one of the pages displays, a bulleted list of text is displayed on the web form. Somehow the bulleted text is passed in with a LITERAL control. I looked at the property of this LITERAL control and it is defined as "Pass Through".
I was confused because there was no C# code that was used to populate the LITERAL control. So basically, with Google, I found out that the LITERAL must be using something called a "Pass through property" to pass in the data. Does anyone know anything about this? It seems very strange because I have no idea where the data is coming from.
So I hope I am on the right path here, figuring out that a pass through property might be getting used.
Can someone help me to understand this more, as I am so confused.
I have a literal control within a ContentPlaceHolder on my master page. In the master page code behind, I want to check to see if the literal is still there and if so, update the text.
This is my code, but it always believes my literal control does not exist:
Difference between the Label and Literal controls in ASP.NET, and also state when to use what?
I am completely confused, as till now I was going with the Label control and suddenly I am shocked to see that the Literal control also plays a similar role...
I am confused. Some say that the difference is only regarding the span tag, I mean the Label control output comes with a span tag... but who cares? When we can do the same things with a Label, why go with a Literal control?
I'm building a html table dynamically in an ASP.NET code behind file using C#. I basically loop through a set of data which is an unknown number of records and split a string containing all the values to make the required number of tds. I display the html by assigning it to an asp:Literal control. However I can't get the table to fit the screen - the browser is adding a horizontal scroll bar and the full table is well off the screen. I tried in IE 8 and FF 3.6.13. Most things I've read online about it say to set the width to 100%. I'm doing this but it's having no effect.
I was attempting to use a GridView, but found that it was a little too restrictive in terms of formatting. So I'm using a DataReader and a StringBuilder (using the Append method to attach to the Literal control) to build a form. The form is pretty simple: labels, radio buttons, and textboxes. The appended data was practically taken from a classic ASP page (with just some minor tweaking). For the most part there will always be 5 records on the form to loop through and save (sometimes less...never more).
Now comes the tricky part. I want to save the information on my form, but I'm not sure how to proceed. Do I use the Append method to add a save button to my form? And if so, how do I save the data (I couldn't use the code-behind, could I)? Do I use an asp:Button and if so, will it recognize the form since it was built dynamically?
I have a Button1_Click event that I want to display the first 7 records of a dataset by looping through them and presenting on the page in a Literal Control. All of the database code is working fine because when I use the Response.Write statement below, the first 7 rows are dumped at the page top before the HTML. But, when I replace the Response.Write with the Literal1.Text as shown below, only the last (7th) record is displayed on the page.
Here is the code section in question:
for (int i = 0; i <= 6; i++)
{
    DataRow dr = dt.Rows[i];
    string text1 = dr["Question"].ToString();
    //Response.Write(text1);
    Literal1.Text = text1;
}
In my child page I have an ImageButton, which is surrounded by the UpdatePanel. When the user clicks on the image button, a record is removed from my database.
In my master page I have a Literal control which displays the records for the current user (something like Records: 10).
The RecordsCount control is updated on the Page Load event of the MasterPage:
Private Sub Page_Load(ByVal sender As Object, ByVal e As System.EventArgs) Handles Me.Load
    RecordsCount.Text = GetRecordsCount()
End Sub
How can I update the RecordsCount control? I mean, I use postbacks for removing records from the database, and currently the RecordsCount control will be updated if the user hits the Refresh button of the Internet browser. How could I apply the jQuery Highlight on the RecordsCount control when the user clicks on the btnRemove button on the child page?
UPDATE: Well, the first question is solved by using JavaScript.
I've read the MSDN page describing the Localize control and read about the difference between designers in the following link: http://my.safaribooksonline.com/0321341384/app01lev2sec53 Still, I can't find any visual difference between the Localize and Literal control in the designer view of VS 2010. I've tried using explicit and implicit expressions in an aspx and the designer looks the same for both controls - shows the neutral culture resource. I've looked at the LocalizeDesigner code in Reflector and the only thing the designer seems to localize is the HTML format of the outputted span control, and that seems irrelevant to the designer. Can anyone attach a short example that demonstrates when the two controls behave differently?