Seems like Microsoft updated the Anti XSS library today:http://www.microsoft.com/downloads/en/details.aspx?FamilyID=f4cd231b-7e06-445b-bec7-343e5884e651 In addition there is a new release of the Web Protection Libraryhttp://wpl.codeplex.com/ Are these two downloads the same thing? What XSS library should I be using?
View 2 Replies
In the intent of preventing XSS attacks, I am updating a page in which we have a textbox that accepts HTML, stores it in a database and retrieves and renders it at a later time.
My understanding is that I can sanitize the HTML using AntiXSS.GetSafeHtmlFragment() method. As long as I do this before storing the HTML in the database, am I covered? Do I need to do anything when the HTML is outputted on a web page?
Also, it appears that the white list is kind of a black box. Is there a way to update this based on our requirements?
With .net 4 there's a new <%: %> script enclosure that's like <%= %> but does an html encode. People are encouraging the use of this new syntax. My question is, does <%: %> protect against XSS better or as well as using the Microsoft Anti XSS library?
A Microsoft security person once told me to never just use HTML Encode as it doesn't protect very well and that I should always use the Anti XSS library (or another library). Is that still true with <%: %>? Or can I confidently use <%: %> knowing it's going to protect my app from XSS like people are saying?
I am looking at the twitter api page http://apiwiki.twitter.com/ and I noticed that they have already built libraries that are wrappers against the twitter api. So I am thinking this is the best way to go but I am unsure which C# library I should use.
What I am trying to do is make some simple service or cmd line application that will help me automate retweeting.
So I am looking for a library that will allow me to get posts from other twitter accounts and then retweet them from another account.
I am not sure if the library can do this or not. Otherwise I was thinking of getting the RSS feed from the twiter account I want to get the twitters from parse out the new ones and use a library to retweet them on my own account.
I have not used twitter much so I am hopping someone can shed some light on this.
I need to learn the following security-related questions pertaining to ASP.NET membership system (which I am currently using):
1) How to set up "secure" log-in for site members (when other sites say "secure login", what exactly is meant?) --- is that easy for a novice programmer to set up?; are there third parties?; is this done in collaboration with the site host?...Or by using the ASP.NET member system (which I have already set up), is that by default "secure" already?
2) When signing members up, what is best way to block out spammers from the registration process? Is there also third party software I can use? Perhaps someone can give quick answers to these, or point me in the right direction to read a good updated resource on this.
I am building an email feature in my website (jobs site). By using this functionality, recruiters will be able to send emails to candidates. I want an option so that the user can also set 'From Address' and the email should be ANTI-SPAM compliant.
View 2 RepliesI was just curious has anyone set up two projects a asp.net mvc membership project and a silverlight wcf ria project in a silverlight library?? I really do not see alot of examples over the internet and I would appreciate any advice I also saw you set basic authentication to none. I know silverlight uses classic mode in iis
View 1 RepliesI was told that there's an encryption library I can use and there's a couple that I can choose from (eg. AES, RSA, etc). I also read something about keys. Are keys something you just generate so you can encrypt and decrypt a series of texts? Do you have to purchase that key? Also, is there a best practice that I need to be aware of in encrypting and decrypting? Is encrypting a password recommended? Would performance be affected?
View 3 Repliesis there a way of referencing a .NET 4.0 in a .NET 2.0 app? Whenever I try to compile and build I get an error saying:
Could not load file or assembly 'blahblahblah' or one of its dependencies. This assembly is built by a runtime newer than the currently loaded runtime and cannot be loaded.
Ive tried adding the Library as a project AND as a .DLL but still no luck. Unfortunately converting the .NET 2.0 to .NET 4.0 is not optional...
I have a C# library that gets built and gets placed into my website's bin folder. In my C# library I have a .ascx file and I'm trying to put another .ascx control in there. But I get this error:
Could not resolve type for tag "fb:FormBuilder". Make sure the proper namespace is registered.
This is in the top of my user control that I want to add to others:
<%@ Control Language="C#" Inherits="System.Web.UI.UserControl, ITextControl" %>
In my parent control, I have this:
<%@ Control Language="C#" %>
<%@ Register TagPrefix="fb" TagName="FormBuilder" Src="~/Resources/ControlTemplates/Backend/FormBuilder.ascx" %>
....
<fb:FormBuilder runat="server" id="FormCode"></fb:FormBuilder>
All my files are set as the Build Option as being "Embedded Resource" (.NET 3.5).
I have a web Application and have created a seperate class library project.I am trying to use the Class Library by referencing it in the Web Application. I am doing this by right clicking the web application and clicking 'Add Reference...'. I then browse to my Class library and click ok. This gets added to a Bin folder in my web application.The problem is I can't actually get any of the objects that are in the Clas Library. I have tried adding a using statement to the top of the page. It tells me that the object could not be found (are you missing a using directive or an assembly reference?)Can anyone tell me what I'm doing wrong?
View 3 RepliesI installed ASP MVC 3, but when I go to tools I can't see the Library Package Manager, it was supposed to install along ASP MVC 3, how come I cannot see it?
View 2 RepliesI have a .dat file which I was given to use for a test application. I would like to distribute this file with my library. How can I do this without needing to tell them copy this here to this folder etc.
View 3 RepliesI am using Enterprise library for my data access. when I am running the application, at the CreateDatabase() statement I am getting this exception:
Microsoft.Practices.ObjectBuilder2.BuildFailedException was unhandled by user code Message="The current build operation (build key Build Key[Microsoft.Practices.EnterpriseLibrary.Data.Database, null]) failed: The value can not be null or an empty string. (Strategy type Microsoft.Practices.EnterpriseLibrary.Common.Configuration.ObjectBuilder.ConfiguredObjectStrategy,index 2)" Source="Microsoft.Practices.ObjectBuilder2"
Now, I googled a bit and I found that I have to place
<dataConfiguration defaultDatabase="LocalSqlServer"/>
but I don't know where. Is it the right solution? Also, at the time of installing enterprise library I didn't see any connection string statement? So, I wonder how it will take the connection string from web.config file. In the connection string section of my web.config file I have:
<remove name="LocalSqlServer"/>
<add name="LocalSqlServer" connectionString="Data Source=MSTR;Initial Catalog=USERDb;Integrated Security=true;" providerName="System.Data.SqlClient"/>
I wanted to get any feedback (put out a feeler) for how the enterprise library plays with linq-to-sql generated classes. I was considering using the validation handler to provide validation logic/display to the UI level. I am considering the caching handler, validation, and authorization handlers primarily.
View 1 RepliesI have read a couple of older threads on PDF creation but I want to know what is the best free or relatively inexpensive library for PDF creation out there today?
I am looking to create PDF files using C# and they will contain lots of tables and images.
Do we have any free 3rd party library that we can use in asp.net for download Excel sheets?
View 5 Replies I have a question about validation. Basically how the MVC framework is setup it can use DataAnnotations. It calls TryValidate in a controller which does some other black magic, and poof, you have a ModelState with validation results. Now to extend this validation you can create a validator and then provide custom validation on both server and client side. Here is the problem... what if you dont want to hard code all of the validation in the classes? I would like to use what Microsoft has already provided in the Enterprise Library [URL]for validation. I will be using both DataAnnotations and configured rule sets. Of course I could just put the code in each action, but that is so 1999. As I see it the MVC framework falls short by not allowing us to use the config for such things. Why is the validation so specific for MVC? Why could it now have used the Enterprise Validation? I wrote my own abstract controller and put in Enterprise Library validation and it worked GREAT!!! So why am I here? Well, surly there must be a better way... do I really have to write my own controller abstract class to change the validation?
So if you think you know how to solve this problem, you must provide a solution that does this:
Uses DataAnnotations AND Configuration RulesCan validate the SAME in a console application (could really be any non-web app) and MVCI do see that MVC 3 adds a little more support for validation which was really needed. It supports IValidatableObject, which allows you to validate the whole Model... its nice, but now we have 3 ways to do that same thing... granted the former 2 (DataAnnotation on the class, and a Validator for the DataAnnotation) could not pass the error to the correct place in the view. Now if we could just support all of this validation in a place what any type of application could use it. In my use case I will run validation on the MVC app, perhaps some other apps, and on an ESB.
I'm trying to learn the Enterprise Library. I found this useful code sample to get data from a SQL database. But I tried to send data via a parameter. I'm also using the UPDATE, DELETE, and SAVE methods. Can you give me a similar sample? I'm using Enterprise Library 4.0.
[code]....
Recently i have joined a new project that is to be build from scratch.(goal of the project is to reach the users across boundaries : windows, web & mobile)
I follow architecture having following layers:1.Presentation Layer 2. Logic Layer(BLL) 3. Business Objects 4. Data Access Layer.
But this time i wanted to use new technologies Microsoft have introduced like Entity Framework 4.0 , WCF services.
So i have thought of creating the layers like
1.Presentation 2. BLL 3.Services 4.Business Objects 5.DAL
but i am in confusing state how to use Entity Framework. in the above layered diagram.If there any flaws in the above layered diagram do guide me.I have heard of Microsoft Enterprise Library(MEL) 5.0. What exactly it is?
Will i get benefited with MEL 5.0.
i have a class library that get a xml file and read it and set some property from that data
may code is like:
[Code]....
the problem is this code is in class library and the file is in web form application.
When you can simply encode the data using HttpUtility.HtmlEncode, why should we use AntiXss.HtmlEncode? Why is white list approach better than black listing?Also, in the Anti XSS library, where do I specify the whitelist?
View 3 RepliesI use the Global Resources feature, not only to centralize all my output strings but to make it easy when using Localization (witch is almost 90% of the time).But I spread out my project into, not only the ASP.NET website, but with 2 Library projects as well How can I use the ASP.NET Global Resource file in those Library projects
View 1 RepliesI'm working on an ASP.NET MVC application, but I'm trying to remove everything but Controller code from my project and put it in it's own Class Library. I've got some code that is using System.Web.Mvc; But it doesn't seem to be letting me access it. I have Referenced the System.Web Namespace in the project. Bassically I'm getting errors on the iActionFilter and the FilterAttribute stuff.
View 2 RepliesDo they work with webmatrix and vb coding?this is from asp net webpages with razor in c#
<div>
@if (Request["TwitterUser"].IsEmpty()) {
@Twitter.Search("microsoft")
}
else {
@Twitter.Profile(Request["TwitterUser"])
}
</div>
[code]...
