Security :: How To Prevent XSS From Hidden Fields
Feb 11, 2010How do we prevent XSS from ASP.NET hidden fields.
View 1 RepliesHow do we prevent XSS from ASP.NET hidden fields.
View 1 RepliesI have scenario, where there are html hidden fields, the page can be redirected to itself, with parameters, I have sessions too. Now depending on session value I want to set some hidden values, so that it can be picked up from javascript and can do certain operation. But, the problem is I have no idea about how to get/ set values into html controls using asp.net, and also do not know whether this is possible or not. it is imperative that I need some way to hold some data that can be set using asp.net and can be picked up by javascript. Since session can not be used for this purpose, so I need some other way.
View 2 RepliesI've been using .NET for a little while now. And, I now want to learn to use it the RIGHT way. And, by that, I mean I shouldn't be using hiddenfields on my .aspx page and setting values for those hidden fields in my codebehind. Problem is, I don't know how to ask the question.. so bare with me.. getting a value from a gridview, detailsview, or in this case a DataList when it's bound on a .aspx page, and passing it into my stored procedure? Here's my code of how I do it now..
here's the label for the Department from my datalist, which is on my .aspx page
<asp:Label ID="lblFullDept" runat="server" Text='<%# Eval("FullDept") %>' />
here's the hidden field from my .aspx page
<asp:HiddenField ID="hdnFullDept" runat="server" />
And now for my code behind - where I find the value during the databound of the datalist, and then set the value equal to the hidden field.
Protected Sub dlInfo_ItemDataBound(ByVal sender As Object, ByVal e As System.Web.UI.WebControls.DataListItemEventArgs) Handles dlMnfo.ItemDataBound
Dim lblFullDeptCompare As Label = CType(e.Item.FindControl("lblFullDept"), Label)
hdnFullDept.Value = lblFullDeptCompare.Text
End Sub
And finally, the sql portion, where the value is passed as a parameter...
Protected Sub doInsertActivation()
Dim conn As SqlConnection
Dim comm As SqlCommand
Dim reader As SqlDataReader
Dim connectionString As String = ConfigurationManager.ConnectionStrings("xyz").ConnectionString
conn = New SqlConnection(connectionString)
comm = New SqlCommand()
comm.Connection = conn
comm.CommandType = Data.CommandType.StoredProcedure
comm.CommandText = "abc123"
comm.Parameters.AddWithValue("Department", hdnFullDept.Value)
conn.Open()
reader = comm.ExecuteReader()
reader.Close()
conn.Close()
End Sub
Yes, this works, but I just feel like I need to learn a more efficient way of doing this, as I'm constantly grabbing data and inserting it into sql.
I am getting unlikely html tags for hidden fields in my website when redirecting to the page. I do not get it all the time but I am getting it frequently. e.g.: I was support to get
<input type="hidden" name="__EVENTTARGET"
id="__EVENTTARGET" value="" />
but I am getting something like
tyinput type="hidden" name="__EVENTTARGET"
id="__EVENTTARGET" value="" />
and this error is displayed in top of the page.
Can I reach the value of hidden fields in controller action ? And how ? Do I put it in the model somehow ?
EDIT: some code example how to store something in hidden field and retrieve it on postback.
According to MSDN hidden fields section,
In order for hidden-field values to be available during page processing, you must submit the page using an HTTP POST command. If you use hidden fields and a page is processed in response to a link or an HTTP GET command, the hidden fields will not be available.
If I add a HiddenField control at design time and set a value in it at design time or in the Init event in ASP.NET, why would I not be able to read/process the value when a page is first requested?
I have a dropdownlist for sorting a table as follows:
[Code]....
Which generates something like this:
[Code]....
Why does it submit as:
[Code]....
Do I need to put param1 and param2 in hidden fields?
I have a web form that has 2 hidden fields , Formname & CreateDate ( essentialy a timestamp).
How do i populate them with values?
The formname is always the same & the createdate would be the current date & time.
How to pass the query string using hidden fields in vb.net...
View 3 RepliesI'm using Master Page Structure on my webpage. Although I Added "EnableViewState="false" ViewStateMode="Disabled"" in both Master Pages and Web Pages, I still see Below Hidden Field on my web page which cause W3C Validation Error. I want to know How Could I Remove these fields.
[Code]....
I have a Grid view which is being populated from a database. Now I want to add a button that has its own html with some Hidden fields. I have introduced an Template Field and put the html in that field which works fine. But now I want to send the values in hidden field dynamically. i.e. the Id and value comming form the database.
View 3 RepliesIf I create a new project, start this project and look at the source code, I see that there are some additions to the original code. The first this, what is "ViewState" and what does the hash mean? Why is the input control hidden?Here an example:
[code]....
I would love to use hidden field value but I think I am missing something to do.
Since every page refresh or staying a little bir longer on the page, the value is missing.
[URL]
How can i do the this cookiles suff above...?
I use hidden value to keep the url to redirect to next page. May be i sould not keen on using hidden value, session variables are better?
According to MSDN and the MCTS self-paced training, asp.net can use Hidden fields for client-side state management. The book material goes on to say view-state is more secure than hidden fields because the data is encrypted. I must be missing something here. I setup a Label and made it hidden. I can store data in this hidden label and it won't even be sent to the client browser. This not only works like server side state (note the runat=server), but this seems more secure than view-state because there's no need for encryption as the client can't even see the field.
<asp:Label ID="Label1" Visible="false" runat="server">secret info</asp:Label>
<input id="Text2" type="text" style="visibility:hidden;" value="secret 99" />
I have a form as
<form action="" method="post">
<input name="Descripcion" type="hidden" value="" id="Descripcion" runat="server" />
<input id="Submit1" type="submit" value="Comprar" />
Instead of clicking on submit button i want that the form should be posted without clicking submit button with hidden fields
I am having two hidden fields which are server controls and i set the values in the javascript function. But i want to clear them as soon as one of my code behind method gets updated. As my page is not refreshing the hidden fields are not getting cleared. But i dont want page refresh.
So how do i clear the hidden field values without refreshing the page.
I am using hidden fields to save some preset data, but upon postback they appear to disappear.
Here's what my controller actions look like:
[Code]....
The view is coded like this:
[Code]....
But when the POST action receives the object back, some of the fields have become null. The FormCollection, however, contains all values. I realize I could just take everything from the formcollection but it's probably better practice to use the object, right?
I have a user control which has a gridview with hidden fields in some of the template columns. The grid columns are created and bound by code dynamically in each postback and not in design mode. The gridview is placed in an update panel. In my aspx page where i use the user control , there is a dropdown which fires postback and based on the selected value of the dropdown the grid data gets filtered. The dropdown in aspx is not part of any update panel.
After the postback of dropdown, the grid data gets filtered and the grid is rebound with fresh values. The values in the controls like label, button or link button are bound correctly. But the values in the hidden fields are not refreshed and always points to the values of the rows that was generated before the postback of the page (initial page load).
I used the script where the image array has static images.I want to convert it dynamically by finding my images names from index.aspx.cs files which are stored in hidden fields.
my hiddenfileds has value:
uploads/../uploads/M_Banner_3-JO633939707781250000.jpg;uploads/../uploads/M_Banner_4-JO634014944056581250.jpg;uploads/../uploads/M_Banner_2-I-85634067544720151968.jpg;uploads/../uploads/M_Banner_1-Plan634067543966714468.jpg
I want to split this hidden filed and assign it to imagearray.how can i do this
var mygallery2=new fadeSlideShow({
wrapperid: "fadeshow2", //ID of blank DIV on page to house Slideshow
dimensions: [568, 313], //width/height of gallery in pixels. Should reflect dimensions of largest image
imagearray: [
["images/1.jpg", "", "", ""],
["images/2.jpg", "", "", ""],
["images/3.jpg"],
["images/4.jpg", "", "", ""] //<--no trailing comma after very last image element!
],
displaymode: {type:'auto', pause:2500, cycles:0, wraparound:false},
persist: false, //remember last viewed slide and recall within same session?
fadeduration: 500, //transition duration (milliseconds)
descreveal: "always",
togglerid: "fadeshow2toggler"
})
I have a form that has a MAC Address field and a Password field and I have the chrome auto-fill options turned off, but when I load the page, chrome thinks the MAC Address should be an e-mail address and puts an e-mail address in there and for the password, it puts a password in there. Is there a way to prevent this behavior? Is there way to do this programmatically on page load, I tried clearing the fields, but that doesn't work.
View 4 RepliesIf a disabled drop-down list is dynamically rendered to the page, it is still possible to use Firebug, or another tool, to tamper with the submitted value, and to remove the "disabled" HTML attribute.
This code:
[code]....
The problem occurs when I use Firebug to remove the "disabled" attribute, and to change the selected option.On submission of the form, and re-creation of the field, the newly generated control has the correct value by the end of OnLoad, but by OnPreRender, it has assumed the identity of the submitted control and has been given the submitted form value.
.NET seems to have no way of detecting the fact that the field was originally created in a disabled state and that the submitted value was faked. This is understandable, as there could be legitimate, client-side functionality that would allow the disabled attribute to be removed.
Is there some way, other than a brute force approach, of detecting that this field's value should not have been changed?
I see the brute force approach as being something crap, like saving the correct value somewhere while still in OnLoad, and restoring the value in the OnPreRender. As some fields have dependencies on others, that would be unacceptable to me.
I am using a third party gateway. The third party gateway does not support query-string , so i will need to post the form to pass the values to the given URL and another thing is that they don't expose the web-services so we need to use their page and that means we need to host it in an iframe in asp.net
so what i did is that i have hidden fields that will be used as parameters as depicted below
Code:
<input type="hidden" name="p1" value='4635' />
<input type="hidden" name="p2" value='Reference_test' />
<input type="hidden" name="p3" value='Purchase credits' />
[Code]..
Now the purpose of this , is to load the iframe after the page load event of the asp.net gets fired.
Now my problem here is that when the iframe loads , it does not pass the parameters to the url that is being set in the iframe.
I have attached the example, project. (2kb)
When you run the project you will notice when the iframe loads there is an Error
"NO VCS ID"
now this means that the parameters were not passed when the Iframe loads , i can understand because it seems like iframe does not do a full form post. so to demonstrate what i want, click the proceed button and you will notice it will give you a page with no errors and it will be a page where credit card details are required , i want to iframe to load that the first time.
I am using microsoft visual web developer 2010 to build and publish my website, I am facing a security problem. My website has authentication service for my clients, each one he has his own user name and password. After I introduced a new member, my database collapsed, may be this last member is a hacker. Is their a way to improve security vulnerabilities to prevent future attacks. May be through web.config, could be encrypted.
View 11 RepliesI've set up a page where create logins with createuserwizard. I can login with created account but I get logged out after like 20min if I dont do anything (reload etc). How can I remove this timeframe? I dont want a timeframe at all, i want to stay logged in until i close the browser.
View 3 Replieshow to prevent multiple login using vb.net? I'm using visual studio.net 2008
View 6 Replies