Web Forms :: Are Server.Htmlencode,Urlencode Useless Functions!
Feb 2, 2010
For protect against XSS we should make all input from textboxes thoht Server.Htmlencode function.
1) If i let a input go thorgh Server.Htmlencode and save it in database. But what happen if i letter show this input data from database on browerser ...if database input data have <script> it will then make Xss!!!!.
2) I use Server.Htmlencode.. and the user write <b>ss<b>... (label.text = userinput.text;) and i WANT to show ss in browser. What shuld i do for make this happen ??
This post is exactly my situation. Here's what his post says: (bolded key parts) I'm trying to get used to sql server 2008 having been forced to upgrade by my isp. I need to back up my key db on a weekly remote schedule, so have been trying to use ssms to export data from my remote db to a local copy.
Firstly I created a new empty db on the local machine. Then I scripted the structure of the db on the remote machine and ran the resulting query on the local machine to copy the table structure into the new db. This gave me empty target tables to map to (see below).
I used the export data wizard and selected my remote tables, then highlighted the tables to be copied and used the Edit Mappings option. Here I need to do two things, firstly checking'Enable Identity Insert' (because I have a unique id in most tables which is identity seeded, and I've read that if this is not checked sql server will helpfully renumber your entire table, rendering all your foreign key references useless). Secondly I need to decide what to do with the data already in the destination table. SQL 2k DTS simply dropped the destination table and recreated it. SQL 2008 will either keep the structure and delete the rows therein, or drop the table and recreate it. Because I intend to save this package and call it on a schedule in the future, I need to choose one of these options, because next time the target db won't be empty.
If I choose the delete rows option, when the package runs I get the following error when the process gets ot the first table with an identity ID which is used elsewhere in the db as a foreign key.
Error 0xc002f210: Preparation SQL Task 4: Executing the query "Truncate TABLE [dbo][tblCompany] failed with the following error 'Cannot truncate table tblCompany because it is being referenced by a foreign key constraint. Possible failure reasons: Problems with the query, "Result Set" property not set correctly, parameters not set correctly or connection not established correctly'
Half a dozen preceding tables did seem to transfer fine, but the process falls down on this one table. What I want is for the process to ignore constraints whilst it does the backup.
Undeterred I tried the other option, dropping each table and creating a new version. This time I get the error:
Error 0cx0202009: Data Flow Task 1: SSIS Error Code DTS_E_OLEDBERROR. An OLE DB error has occurred. Error code 0x80004005. An OLE DB record is available. Source MS SQL Server Native Client 10.0. Hresult 0x80004005 Description "The statement has been terminated". An OLE DB record is available. Source MS SQL Server Native Client 10.0. Hresult 0x80004005 Description "Violation of Primary Key constraint 'PK_LoginClasses'. Cannot insert duplicate key in object 'dbo.LoginClasses'.
Then I try unchecking the Enable Identity Insert option to see what happens. This happens:
- Validating (Error)Messages Error 0xc0202049: Data Flow Task 1: Failure inserting into the read-only column "UserID". (SQL Server Import and Export Wizard)
Error 0xc0202045: Data Flow Task 1: Column metadata validation failed. (SQL Server Import and Export Wizard)
Error 0xc004706b: Data Flow Task
1: "component "Destination - Login" (40)" failed validation and returned validation status "VS_ISBROKEN". (SQL Server Import and Export Wizard)Error 0xc004700c: Data Flow Task 1: One or more component failed validation. (SQL Server Import and Export Wizard)
Error 0xc0024107: Data Flow Task 1: There were errors during task validation. (SQL Server Import and Export Wizard)
I can't see any more options to try. So how do I get SSMS 2008 to do what Enterprise Manager 2k did with no drama?
I have used Server.HtmlEncode(MY TEXT) to display data,
I have setted the page property validateRequest="false" in .config file,
all this is working fine.since I have large application using hundreds of labels and text boxes to show data,
so, now it is almost impossible ( time consuming ) for me to place Server.HtmlEncode(MY TEXT) every where while setting data to them e.g. in label.text, textbox.text, etc
is there is any way to set the property some where and all the labels and text boxes automatically use Server.HtmlEncode() when i set there text
So I have a Hyperlink called lnkTwitter:And I'm trying to set the url in the code behind:lnkTwitter.NavigateUrl = string.Format("http://www.twitter.com/home?status={0}", Server.UrlEncode("I'm Steven"));When I do that and hover over the link, the url displays correctly in the status bar as "http://www.twitter.com/home?status=I'm+Steven", but the actual url, if I click on the link or look at the link's properties, is "http://www.twitter.com/home?status=I%27m+Steven".For some reason, this only happens in Firefox; in IE, I am taken to the correct url.
I am trying to set up a POST from one aspx file to another progromatically. Inside the POST is a String of XML data which i have properly added to Server.HtmlEncode(). For some reason, when I grab it in my logs on the other page, it is showing with 3 question marks. I at first thought it was logging text i left somewhere, but have narrowed it down to a Encoding error of some sort because when i change the encoding it changes the character, and when I just put some text in there, i see it on the other side fine. i have tried UTF 8,UTF32,Unicode,ASCII... Can't seem to find the right combination. Can't find the UTF-16 when I use the Encoding object
Below is my Code:
[Code]....My Sending Debug log has the Extension xml coming out in HTML format correctly before POST. Below is just a piece of it[Code]....
I'm trying to mock Server.HtmlEncode(), but I keep having a null reference exception.I'm pretty new to the Moq framework, here is my code:
var context = new Mock<HttpContextBase>(); var request = new Mock<HttpRequestBase>(); var response = new Mock<HttpResponseBase>(); var session = new Mock<HttpSessionStateBase>(); var server = new Mock<HttpServerUtilityBase>(); server.Setup(svr => svr.HtmlEncode(It.IsAny<string>())).Returns((string s) => s); context.Setup(ctx => ctx.Request).Returns(request.Object); context.Setup(ctx => ctx.Response).Returns(response.Object); context.Setup(ctx => ctx.Session).Returns(session.Object); context.Setup(ctx => ctx.Server).Returns(server.Object);
I work on an asp.net web application (3.5) with Visual Studio 2008. There are a lot of files in this project (approximately 500 aspx files) and I think I can remove some of them.
My question is: Is there a way to identify the useless files, I mean, the files that are no longer used in the project (like an image, aspx, etc.); by using Visual Studio or an external tool?
I have spent quite a bit of time researching this here on Asp.Net's Forums, but also on the web in general, and I am still drawing a blank.
The problem: I am trying pass a values such as ... "Jacob's Carpentry" as a query string to another page. However, the other pages keeps seeing "Jacob\s Carpentry".
What I have tried: I have tried using both the Server.UrlEncode and HttpUtility.UrlEncode, and neither have worked. I have also tried using them twice as was suggested in this article, but still with no luck. Finally, I went so far as to try and encode the string, but then do a String.Replace on the " ' " apostrophe and substitute with a "%27". This also did not work, as it appeared that the String.Replace wiped out the encoding.
So I am stuck/lost. It appears the standard PHP functions easily encode the apostrophe, but for some reason the .Net function isn't working.
Here is the code I am using ...
[Code]....
I notice, however, then if I put a breakpoint where the PostBackUrl is set, the encoded string is still only showing "Jacob's+Carpentry", no %27.
What is the best way to encode the url in Hyperlink without writing code behind. I have many uses and I would like to do it in the Hyperlink statemeent if possible. Some thing such as the following would be great: (This does not work)
How we use a function in a sql query.me some example of using functions in query.Please donot provide me example for using inbuilt sql aggregate functions.Please give some userdefined sql functions example in a query.
I'm having problems running IO functions on my PUBLISHED website, on the server running IIS. I can run everything just fine on my own machine without any issues in debug mode.
I pinpointed the errors to some IO functions Im trying to add.
Example:
StreamWriter sw = new StreamWriter(outputfile, true);
sw.WriteLine(DateTime.Now.Date.ToString());
or
File.Copy(sourceFile, destinationFile), true);
When I add something of this nature.. I get the generic runtime error (since I'm not sure how to make it show more specific errors at this point)
I was thinking it has something to do with a security issue. But, Im not sure where to look.
I have an ASP.NET control (a button) in a WebApp. It has an onclick attribute:
onclick="SaveButton_Click" SaveButton_Click()
is a C# function in the codebehind file. When the user clicks the button, SaveButton_Click() is executed.
What I would like to know is whether there's a way to set up a javascript callback junction. I know how this is done in AJAX, but I'm not sure in ASP.NET (with controls that run on the server) how (or if) this can be done.
it's my first question to this nice site :) ... i use ckeditor.com in my asp.net web site and it have a great features but if any check the full feature example when inserting image you have two feature ( upload to server - browse server and choose image ) as shown in below image
http://i45.tinypic.com/2rmp5ds.jpg
My Questions : 1- Browse Server function integrate with another product called CKfinder .. i don't want to use it i search for such one but in asp.net and can be integrating with ckeditor ?
2- is there an example Upload image function that can save in SQL DB and can be integrated with ckeditor ?
I have a url which I wish to encode that contains a couple of encrypted querystring parameters:
[URL]
I've been asked by a client I'm working with to html encode this url. I've used HttpUtility.HtmlEncode() to do this. This returned the following:
[URL]
This appears to be correct as the '&' has been replaced with '&'. However a problem arises when I try to use HttpUtility.HtmlDecode() on this new value as I get the following returned:
[URL]
What appears to have occurred is the '&' has had the 'amp' removed and the ';' has been html encoded (I checked the value of '%3b' and it corresponds with the html encoded value of a semi-colon). I'm not sure why this is happening?
I realise I could manually do a .Replace("%3b", "") as a temporary fix but I can't see this being a good long-term solution.
