Server.HtmlEncode fails with "Server is undefined"

In my application I need to allow users to cut 'n' paste stuff from
various sources, some of which might include dodgy characters such as
"<". Natch, IE interprets these as potentially dangerous and provides
a mechanism to encode/decode them. However I can't seem to get it to
work:

....
<asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
TextMode="MultiLine"></asp:textbox>

....

<script language="vb" runat=server>
Public Sub ReplaceScriptCode()
txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
End Sub
</script>

The app. barfs, telling me that "Server is undefined". Thoughts?

Thanks

Edward

Jul 4 '07 #1
te********@hotmail.com wrote:
> In my application I need to allow users to cut 'n' paste stuff from
> various sources, some of which might include dodgy characters such as
> "<". Natch, IE interprets these as potentially dangerous and provides
> a mechanism to encode/decode them. However I can't seem to get it to
> work:
>
> ...
> <asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
> POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
> onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
> CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
> TextMode="MultiLine"></asp:textbox>
>
> ...
>
> <script language="vb" runat=server>
> Public Sub ReplaceScriptCode()
> txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
> End Sub
> </script>
>
> The app. barfs, telling me that "Server is undefined". Thoughts?
>
> Thanks
>
> Edward

You are mixing server code and client code. The code in the onblur event
doesn't call the VB subroutine that you have put in the server code, it
calls the client side function with the same name.

As you don't get the error message that ReplaceScriptCode is undefined,
I assume that you also have a Javascript or VBScript function with that
name?

If you have put the same code in that function as in your VB server side
subroutine, that will obviously not work, as there is no Server object
on the client side.

What is it that you are trying to do, really? There is nothing dangerous
about pasting markup code into a textbox. ASP.NET won't let you post
stuff that contains markup code to the server by default, but that is a
completely different thing, and has a completely different solution.

--
Göran Andersson
_____
http://www.guffa.com
Jul 4 '07 #2
Edward

I think your problem is that the OnBlur event, which is calling your
ReplaceScriptCode is a client side event, whereas the Server object is server
side. The code works fine if executed from code behind:

<asp:TextBox ID="txtDescription" Style="z-index: 102; left: 111px; position: absolute; top: 124px"
    TabIndex="29" runat="server" onblur="return ReplaceScriptCode()"
    Width="553px" Height="52px" CssClass="STANDARD"
    Font-Names="Arial" Font-Size="8pt"
    TextMode="MultiLine"></asp:TextBox>

<script language="vb" runat="server">
    ' OnLoad runs on the server for every request, where the Server object exists.
    Protected Overrides Sub OnLoad(ByVal e As System.EventArgs)
        MyBase.OnLoad(e)

        txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
    End Sub
</script>

<asp:Button ID="Button1" runat="server" Text="Button" /></div>

Just hit the button to test it.

Hope this helps

Tom

"te********@hotmail.com" wrote:
> In my application I need to allow users to cut 'n' paste stuff from
> various sources, some of which might include dodgy characters such as
> "<". Natch, IE interprets these as potentially dangerous and provides
> a mechanism to encode/decode them. However I can't seem to get it to
> work:
>
> ....
> <asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
> POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
> onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
> CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
> TextMode="MultiLine"></asp:textbox>
>
> ....
>
> <script language="vb" runat=server>
> Public Sub ReplaceScriptCode()
> txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
> End Sub
> </script>
>
> The app. barfs, telling me that "Server is undefined". Thoughts?
>
> Thanks
>
> Edward

Jul 4 '07 #3
On 4 Jul, 12:09, Göran Andersson <g...@guffa.com> wrote:
> teddysn...@hotmail.com wrote:
> [...]
> What is it that you are trying to do, really? There is nothing dangerous
> about pasting markup code into a textbox. ASP.NET won't let you post
> stuff that contains markup code to the server by default, but that is a
> completely different thing, and has a completely different solution.

As you say. The problem comes when the user tries to post the text
(dumb of me, I know, I should have mentioned that).

The user wants to be able to paste stuff into text boxes which is then
sent to the server for processing (generally, storage in a database
and later retrieval).

I don't want to remove validation at page level - in fact I doubt the
clients would let me. I rolled my own client-side jscript to strip
out markup code which was called from the OnBlur event, but I thought
I could improve on it using built-in functions.

In short, the requirement is:

ASP.NET with VB code behind.

User pastes stuff into an ASP TextBox

Presses "Save" button. Save button is asp:Button running server-side.

Remove/replace "dangerous" code with HtmlEncoded stuff and save to
database.

Thoughts?

Thanks,

Edward

Jul 4 '07 #4
On 4 Jul, 15:58, Göran Andersson <g...@guffa.com> wrote:
> teddysn...@hotmail.com wrote:
>> On 4 Jul, 12:09, Göran Andersson <g...@guffa.com> wrote:
>>> teddysn...@hotmail.com wrote:
>>> [...]
>>> What is it that you are trying to do, really? There is nothing dangerous
>>> about pasting markup code into a textbox. ASP.NET won't let you post
>>> stuff that contains markup code to the server by default, but that is a
>>> completely different thing, and has a completely different solution.
> [...]

Thanks for all your help so far - it really is appreciated.

I realise that there's no danger to the database from the text, or
markup code (actually, in the scenario at present, it's simply users
copying and pasting e-mail messages wholesale, including the reply
prefixes e.g. >as seen above which are the main problem). I just
want to allow the users to copy and paste what they want and save this
text to the database without incurring "A potentially dangerous
Request.Form value ... " error. So it seems to make sense to
html-encode the text, whatever it is, save it, and then un-html-encode it
when the data is retrieved and displayed.

I can't be the only person in history to have encountered this problem
yet I can't seem to find any examples that satisfy my requirements. I
thought this page:

http://www.asp.net/faq/RequestValidation.aspx#5

had it, but I can't make it work.

Any further ideas before you lose patience completely?

Edward

Jul 4 '07 #5
<te********@hotmail.com> wrote in message
news:11**********************@m36g2000hse.googlegroups.com...
> Any further ideas before you lose patience completely?

Would something like this solve your problem?
http://scriptasylum.com/tutorials/en...de-decode.html
--
Mark Rae
ASP.NET MVP
http://www.markrae.net

Jul 4 '07 #6
te********@hotmail.com wrote:
> On 4 Jul, 15:58, Göran Andersson <g...@guffa.com> wrote:
>> teddysn...@hotmail.com wrote:
>>> On 4 Jul, 12:09, Göran Andersson <g...@guffa.com> wrote:
>>>> teddysn...@hotmail.com wrote:
>>>> [...]
>>>> What is it that you are trying to do, really? There is nothing dangerous
>>>> about pasting markup code into a textbox. ASP.NET won't let you post
>>>> stuff that contains markup code to the server by default, but that is a
>>>> completely different thing, and has a completely different solution.
>> [...]
>
> Thanks for all your help so far - it really is appreciated.
>
> I realise that there's no danger to the database from the text, or
> markup code (actually, in the scenario at present, it's simply users
> copying and pasting e-mail messages wholesale, including the reply
> prefixes e.g. >as seen above which are the main problem). I just
> want to allow the users to copy and paste what they want and save this
> text to the database without incurring "A potentially dangerous
> Request.Form value ... " error. So it seems to make sense to
> html-encode the text, whatever it is, save it, and then un-html-encode it
> when the data is retrieved and displayed.

No, that doesn't make sense. Encoding only makes sense if you use an
encoding that is relevant for where you put the data. Html-encoding data
that goes into the database and then decode it when you read it is a
total waste of time, space and code. It serves no purpose at all.

Also, as you were trying to encode the text on the client side, that
doesn't make it any safer. On the contrary, as you would later decode
this text that you can't safely say that you know is properly encoded,
you would instead open up the security hole that the validation is meant
to help prevent.

> I can't be the only person in history to have encountered this problem

Of course not. I have handled the problem myself several times.

> yet I can't seem to find any examples that satisfy my requirements. I
> thought this page:
>
> http://www.asp.net/faq/RequestValidation.aspx#5
>
> had it, but I can't make it work.

Just pick that single property from that page and put in your @Page
directive. That turns the validation off.

Then you just handle the data as normal, just store it in the database
as it is. When you later put it on a page, make sure that it's properly
html encoded.

--
Göran Andersson
_____
http://www.guffa.com
Jul 4 '07 #7
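
The approach described in the last reply, written out as a single-file page (an added example, not code posted by anyone in the thread): request validation is turned off for this one page with `ValidateRequest="false"`, the pasted text is stored unmodified through a parameterised query, and `Server.HtmlEncode` is applied only at the point where the text is written into HTML. The connection string name `AppDb`, the `Notes` table and the control IDs `btnSave` and `litBody` are assumptions made for the sketch.

```vbnet
<%@ Page Language="VB" ValidateRequest="false" %>
<%@ Import Namespace="System.Data.SqlClient" %>

<script runat="server">
    ' Assumed for this sketch: a connection string named "AppDb" and a table
    ' Notes(Id INT IDENTITY, Body NVARCHAR(MAX)). Neither comes from the thread.
    Private ReadOnly Property ConnStr() As String
        Get
            Return ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        End Get
    End Property

    ' Save: store the text exactly as typed. The SQL parameter keeps it out of
    ' the statement text, so HTML encoding adds nothing at this point.
    Protected Sub btnSave_Click(ByVal sender As Object, ByVal e As EventArgs)
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand("INSERT INTO Notes (Body) VALUES (@body)", conn)
                cmd.Parameters.AddWithValue("@body", txtDescription.Text)
                conn.Open()
                cmd.ExecuteNonQuery()
            End Using
        End Using
        ShowLatest()
    End Sub

    ' Display: encode for HTML where the stored text is placed into the page,
    ' so "<", ">" and "&" in the stored text render as characters, not markup.
    Private Sub ShowLatest()
        Using conn As New SqlConnection(ConnStr)
            Using cmd As New SqlCommand("SELECT TOP 1 Body FROM Notes ORDER BY Id DESC", conn)
                conn.Open()
                Dim body As String = Convert.ToString(cmd.ExecuteScalar())
                litBody.Text = Server.HtmlEncode(body)
            End Using
        End Using
    End Sub
</script>

<form id="form1" runat="server">
    <asp:TextBox ID="txtDescription" runat="server" TextMode="MultiLine" />
    <asp:Button ID="btnSave" runat="server" Text="Save" OnClick="btnSave_Click" />
    <pre><asp:Literal ID="litBody" runat="server" /></pre>
</form>
```

On ASP.NET 4.0 and later, the page-level `ValidateRequest="false"` is only honoured when web.config also sets `<httpRuntime requestValidationMode="2.0" />`.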
