Wrox Programmer Forums
BOOK: ASP.NET 2.0 Website Programming Problem Design Solution ISBN: 978-0-7645-8464-0
This is the forum to discuss the Wrox book ASP.NET 2.0 Website Programming: Problem - Design - Solution by Marco Bellinaso; ISBN: 9780764584640

October 13th, 2007, 05:42 PM, Authorized User (Join Date: Jul 2007, Posts: 17)
Couple Errors on AddEditArticles page

First, I'm getting an error when I submit my article, and it's because my article body has some HTML added to it by the FCKEditor.

Quote:
A potentially dangerous Request.Form value was detected from the client (ctl00$cphMiddleColumn$dvwArticle$txtBody="<p>Carolina Panthers...").
Am I missing where the article body gets encoded in the sample code or in the book? Is this a configuration setting in FCKEditor?

I'm aware that I can turn off Request Validation in the web.config, but it doesn't appear that the sample code is doing this.


Second, I'm getting an error using the configuration section from the sample code. When the FCKEditor loads, I'm getting a JavaScript error saying that 'UniversalKey' is undefined.

 
October 14th, 2007, 03:11 AM, Friend of Wrox (Join Date: Mar 2006, Posts: 310)

Quote:
I'm aware that I can turn off Request Validation in the web.config, but it doesn't appear that the sample code is doing this.
You shouldn't need to write your HTML code... You have FCK buttons to allow you to write your code.
Still, you can turn off request validation only in this page, but remember to decode all textboxes to prevent some attacks...

Quote:
Second, I'm getting an error using the configuration section from the sample code. When the FCKEditor loads, I'm getting a JavaScript error saying that 'UniversalKey' is undefined.
Delete all your browser cached items, cookies, etc. Then try again!

 
October 14th, 2007, 04:42 AM, Friend of Wrox (Join Date: Sep 2003, Posts: 143)

I had the UniversalKey error, too. If I remember correctly you have to edit the fckconfig.js file (in the FCKEditor folder).

At the very bottom, there's the FCKConfig.ToolbarSets["TheBeerHouse"] bit where two toolbars are defined. Just remove the UniversalKey entries in both of them and you're all set again.

Incidentally, while we're discussing the FCKEditor, has anybody tried adding some functionality? Specifically, I signed up for websnapr, and I'd love to get my links to include previews of the webpages. I've been trying to add the functionality to the FCKLink file, but so far without success.

http://entropia-online.blogspot.com/
 
October 14th, 2007, 05:21 AM, Friend of Wrox (Join Date: Mar 2006, Posts: 310)

Yes Peter... I did try to add a custom plugin!

For example, when I "quote" some post, I will (dynamically) add this HTML into "body.value":

Code:
' VB.NET: wraps the quoted post in the Forums_Quote divs and drops it into the editor body
txtBody.Value = String.Format("<div class=""Forums_Quote""><div class=""Forums_Quote_Header"">{0} wrote:</div>{1}</div><br /><br />", quotePost.AddedBy, quotePost.Body)
The CSS for this is:
Code:
.Forums_Quote
{
    margin: 0 2px 2px 15px;
    background-color: #D9E6F0;
    border: solid 1px white;
    padding: 3px;
}

.Forums_Quote_Header
{
    margin: 0 0 0 0;
    padding: 2px 2px 2px 4px;
    background-color: white;
}
see the result HERE
(I think it's prettier than TBH's quoted hr bars!!)

But this only works if I'm on "browseThread.aspx" and click on "quote this message".
I'll try to add some plugin to FCKeditor that allows the user to click one button and insert the quote divs...
The page for this is:
http://wiki.fckeditor.net/Developer's_Guide/Customization/Plug-ins

I didn't do that already because now I'm using all my head to make my CSS layout!

BTW, about the cookies/Ajax problem:
I changed my web.config file in order to use AJAX but I haven't made (yet) anything in AJAX!
BUT I CONFIRM WHAT YOU SAID :(
I login and click on "remember me..."
Then I close the browser, and if I wait some time (10...15 minutes) I lose my login! :(

Did you find some answers for this already?
I saw that the culprit was the lines that I inserted in my web.config



 
October 14th, 2007, 05:44 AM, Friend of Wrox (Join Date: Sep 2003, Posts: 143)

Maxxim,

Your quoted text looks good. I might have a go at that as well at some point :) I tried messing with things a bit as well, but it didn't quite work out the way I planned. Yours looks good, though, and it'd definitely add something.

I did manage to get the links working, though. It's seriously easy. I followed the instructions as they were posted by Websnapr (you edit and then add their JavaScript to your project, and then add the reference to the script in your template.master heading), and in the .js file for FCK, I simply added the following:

// tags the link with the class the Websnapr script looks for
SetAttribute( oLink, 'class', 'previewlink' ) ;

I added it right below the definition of the Advanced properties. Line number 588 or so in the file called FCKeditor\editor\dialog\fck_link\fck_link.js.

Resulting in the following:

http://www.entropiaonline.com/images/linkpreview.JPG

I.e. you add a link to a site, and when you hover your mouse cursor over the link, it will show you a neat little preview link of the site.

Cheers,

Peter

http://entropia-online.blogspot.com/
 
October 14th, 2007, 08:53 AM, Friend of Wrox (Join Date: Mar 2006, Posts: 310)

Hello Peter!

This previewlink is very useful... I didn't have time yet to play around with FCK. I'm in trouble with CSS!

I decided to use these days to make all my CSS layout! I have it all designed in Photoshop but it's difficult to arrange things to work in IE.
But with some time I'll do it :)
---------------
edit:
I did something like this in all textboxes that receive a URL string from the upload control.
After the textbox I used a hyperlink with the name "see img" and a JavaScript "onMouseHover" to display the preview of the image!
You don't like to use JavaScript, but without it the FCK would be useless...
----------------

BTW, did you read my last words in my last post to this thread about AJAX+Cookies?
Maybe oooshola could help us with it. He has AJAX on his site... but I don't know if he has already checked whether the browser preserves the cookies after 10-15 minutes without activity.
 
October 14th, 2007, 06:53 PM, Authorized User (Join Date: Jul 2007, Posts: 17)

Quote:
You shouldn't need to write your HTML code... You have FCK buttons to allow you to write your code.
I'm not writing any HTML code; the body of the FCKEditor has nothing but text when I submit it. But the error that I'm getting makes me think that the FCKEditor is placing <p> tags around what is in the body of the control.

Quote:
Server Error in '/CheatSheetWarRoom' Application.
--------------------------------------------------------------------------------

A potentially dangerous Request.Form value was detected from the client (ctl00$cphMiddleColumn$dvwArticle$txtBody="<p>Houston placekick...").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (ctl00$cphMiddleColumn$dvwArticle$txtBody="<p>Houston placekick...").
So I'm still trying to figure out what this error means. I assume I'm getting this error because ASP is noticing that the form is submitted with HTML tags inside of it. Is my only option to turn off request validation? Neither the book nor the sample code reference this issue, so I'm wondering if I'm doing something wrong.

 
October 15th, 2007, 01:42 AM, Friend of Wrox (Join Date: Sep 2003, Posts: 143)

If I remember correctly, the book does mention it. Very obscurely, but it does. I ran into the same error as you. And you are correct in assuming it's due to HTML being generated.

I was unable to find any other way of solving things than setting validateRequest to false. However, seeing that the rest of TBH is coded in a way that ensures the input will be validated (either through validation controls, and by explicitly denying SQL injection), I wouldn't worry too much about it, if I were you.

Cheers,

Peter

http://entropia-online.blogspot.com/
 
October 15th, 2007, 01:11 PM, Authorized User (Join Date: Jul 2007, Posts: 17)

Quote:
I was unable to find any other way of solving things than setting validateRequest to false.
Thanks Viagra. I did the same and everything appears to be working correctly now.

Quote:
However, seeing that the rest of TBH is coded in a way that ensures the input will be validated (either through validation controls, and by explicitly denying SQL injection), I wouldn't worry too much about it, if I were you.
Now that I have turned off request validation, what is to prevent a user from putting malicious code in the body of an article? From what I've been able to tell, the sample site does not perform any encoding of this data, does it?

I am only at Chapter 5, but where is this explicit denying of SQL injection that you're referring to?
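The question just above, what stops script from going into an article body once validateRequest is off, is not answered by the sample, and the same concern applies to the quoted post body that Maxxim's String.Format line drops into the editor. The following is an added example, not code from the book or from TheBeerHouse: a server-side allow-list filter that AddEditArticles could run over the submitted body before it is saved. ArticleBodyFilter, AllowedTags and TagPattern are my names; the tag list is an assumption and should be trimmed to what the FCKeditor toolbar you ship actually produces. Links and images are deliberately not on the list because they need attribute-level (href/src) checks that a tag-name filter cannot do.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;
using System.Web;   // HttpUtility lives in System.Web.dll

// Added example, not TBH code: allow-list filter for the article body,
// to run before the text is stored, now that validateRequest="false"
// lets raw markup reach the server on this page.
public static class ArticleBodyFilter
{
    // Assumed list of tags the editor is expected to emit. Anything not
    // listed (script, iframe, object, a, img, ...) is dropped entirely.
    private static readonly string[] AllowedTags =
        { "p", "br", "b", "strong", "i", "em", "u", "ul", "ol", "li", "blockquote", "h2", "h3" };

    // Group 1 = "/" for a closing tag, group 2 = tag name. Attributes are
    // consumed by [^>]* but never copied, so onclick/style/etc. cannot survive.
    private static readonly Regex TagPattern =
        new Regex(@"<\s*(/?)\s*([a-zA-Z][a-zA-Z0-9]*)[^>]*>", RegexOptions.Compiled);

    public static string Sanitize(string body)
    {
        if (string.IsNullOrEmpty(body)) return string.Empty;

        StringBuilder output = new StringBuilder(body.Length);
        int last = 0;
        foreach (Match m in TagPattern.Matches(body))
        {
            // Everything between two tags is plain text and is encoded.
            AppendText(output, body.Substring(last, m.Index - last));

            string name = m.Groups[2].Value.ToLowerInvariant();
            if (Array.IndexOf(AllowedTags, name) >= 0)
            {
                // Re-emit the tag from scratch: bare name, no attributes.
                output.Append('<').Append(m.Groups[1].Value).Append(name).Append('>');
            }
            // Disallowed tags are silently dropped; their inner text is kept as text.
            last = m.Index + m.Length;
        }
        AppendText(output, body.Substring(last));
        return output.ToString();
    }

    // Decode the entities the editor produced, then encode the result: a stray
    // '<' or a smuggled &lt;script&gt; can only ever render as text, and
    // entities such as &nbsp; are not double-encoded into &amp;nbsp;.
    private static void AppendText(StringBuilder sb, string text)
    {
        if (text.Length == 0) return;
        sb.Append(HttpUtility.HtmlEncode(HttpUtility.HtmlDecode(text)));
    }

    // Constructed sample input for a stand-alone run (not real article data).
    public static void Main()
    {
        string submitted = "<p onclick=\"alert(1)\">Carolina Panthers &amp; co</p>"
            + "<script>alert(1)</script>"
            + "<b>bold</b> 1 < 2 <img src=x onerror=alert(1)>";
        Console.WriteLine(ArticleBodyFilter.Sanitize(submitted));
    }
}
```

Wire it in at the point the page reads the editor, e.g. `article.Body = ArticleBodyFilter.Sanitize(txtBody.Text)` (hypothetical names) before the insert or update. The filter is conservative on purpose: a tag the regex cannot parse cleanly, or an attribute value containing `>`, ends up encoded as visible text rather than passed through, so mistakes break formatting instead of opening the page to script.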

 
October 15th, 2007, 01:23 PM, Friend of Wrox (Join Date: Mar 2007, Posts: 488)

Quote:
Originally posted by pinch

Quote:
I was unable to find any other way of solving things than setting validateRequest to false.

Thanks Viagra. I did the same and everything appears to be working correctly now.

Quote:
However, seeing that the rest of TBH is coded in a way that ensures the input will be validated (either through validation controls, and by explicitly denying SQL injection), I wouldn't worry too much about it, if I were you.
Now that I have turned off request validation, what is to prevent a user from putting malicious code in the body of an article? From what I've been able to tell, the sample site does not perform any encoding of this data, does it?

I am only at Chapter 5, but where is this explicit denying of SQL injection that you're referring to?

pinch,

the main way that SQL injection is prevented is thru' using strongly typed parameters on the DAL, i.e.

public override List<ArticlesEntity> GetArticlesAddedBy(string addedBy, string sortExpression, int startRowIndex, int maximumRows)
{
    using (SqlConnection cn = new SqlConnection(this.ConnectionString))
    {
        // Paging query: the row window and the author are bound as parameters;
        // only the sort column is spliced into the text via string.Format.
        string SQLString = "SELECT TOP(@End) * FROM ("
            + string.Format("SELECT *, ROW_NUMBER() OVER (ORDER BY {0}) AS RowNum FROM tbh_Articles where addedBy = @AddedBy",
                sortExpression != "" ? sortExpression : "AddedBy ASC")
            + ") AS Alltbh_Articles WHERE RowNum BETWEEN @Start AND @End ORDER BY RowNum ASC";

        SqlCommand cmd = new SqlCommand(SQLString, cn);
        // Typed parameters: the values never become part of the SQL text.
        cmd.Parameters.Add("@Start", SqlDbType.Int).Value = startRowIndex + 1;
        cmd.Parameters.Add("@End", SqlDbType.Int).Value = startRowIndex + maximumRows;
        cmd.Parameters.Add("@AddedBy", SqlDbType.NVarChar).Value = addedBy;

        cn.Open();
        return this.GetArticlesCollectionFromReader(ExecuteReader(cmd));
    }
}

therefore, the addedBy is only queried as part of a parameter in the stored procedure (or SQL), rather than being an explicit part of the SQL itself.

jimi

http://www.originaltalent.com
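One thing to notice in the DAL method jimi pasted: addedBy, @Start and @End are parameters, but sortExpression is string.Format-ed straight into ORDER BY, and SQL Server will not accept a parameter in that position, so a parameter cannot protect it. The usual check is an allow-list of sortable columns. Below is an added example, not the TheBeerHouse DAL, that keeps the same query and the same three parameters but takes the ORDER BY fragment from NormalizeSortExpression; ArticleQueryBuilder and SortableColumns are my names, and the column list is an assumption to be matched against the real tbh_Articles table.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

// Added example, not TBH code: same paging query as the DAL method above,
// but the ORDER BY column comes from an allow-list instead of the caller.
public static class ArticleQueryBuilder
{
    // Assumed list of columns a caller may sort on; adjust to tbh_Articles.
    private static readonly string[] SortableColumns =
        { "AddedBy", "AddedDate", "Title", "ViewCount" };

    // Returns "Column ASC|DESC" built only from allow-listed pieces, or the
    // default ordering when the requested expression is not recognised.
    public static string NormalizeSortExpression(string sortExpression)
    {
        const string defaultSort = "AddedBy ASC";
        if (string.IsNullOrEmpty(sortExpression)) return defaultSort;

        string[] parts = sortExpression.Trim().Split(new char[] { ' ' }, StringSplitOptions.RemoveEmptyEntries);
        if (parts.Length < 1 || parts.Length > 2) return defaultSort;

        // Take the canonical column name from the list, never the caller's string.
        string column = null;
        foreach (string c in SortableColumns)
        {
            if (string.Equals(c, parts[0], StringComparison.OrdinalIgnoreCase)) { column = c; break; }
        }
        if (column == null) return defaultSort;

        string direction = "ASC";
        if (parts.Length == 2)
        {
            if (string.Equals(parts[1], "DESC", StringComparison.OrdinalIgnoreCase)) direction = "DESC";
            else if (!string.Equals(parts[1], "ASC", StringComparison.OrdinalIgnoreCase)) return defaultSort;
        }
        return column + " " + direction;
    }

    // Builds the command; the caller opens the connection and executes it.
    public static SqlCommand BuildGetArticlesAddedBy(SqlConnection cn, string addedBy,
        string sortExpression, int startRowIndex, int maximumRows)
    {
        string sql = "SELECT TOP(@End) * FROM ("
            + "SELECT *, ROW_NUMBER() OVER (ORDER BY " + NormalizeSortExpression(sortExpression) + ") AS RowNum "
            + "FROM tbh_Articles WHERE AddedBy = @AddedBy"
            + ") AS Alltbh_Articles WHERE RowNum BETWEEN @Start AND @End ORDER BY RowNum ASC";

        SqlCommand cmd = new SqlCommand(sql, cn);
        cmd.Parameters.Add("@Start", SqlDbType.Int).Value = startRowIndex + 1;
        cmd.Parameters.Add("@End", SqlDbType.Int).Value = startRowIndex + maximumRows;
        cmd.Parameters.Add("@AddedBy", SqlDbType.NVarChar, 256).Value = addedBy;
        return cmd;
    }

    // Constructed sample inputs for a stand-alone run.
    public static void Main()
    {
        Console.WriteLine(NormalizeSortExpression("Title DESC"));   // accepted column and direction
        Console.WriteLine(NormalizeSortExpression("title"));        // case-insensitive, default direction
        Console.WriteLine(NormalizeSortExpression("Title, Body"));  // not on the list: default ordering
        Console.WriteLine(NormalizeSortExpression(""));             // empty: default ordering
    }
}
```

The sort string that reaches the DAL typically comes from a GridView or ObjectDataSource SortParameterName, i.e. from the request, so the allow-list is what keeps ORDER BY as trustworthy as the parameterized WHERE clause.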




