asp.net mvc2: is the ValidateInput attribute secure? - asp.net-mvc-2

Since I installed TinyMCE on my asp.net mvc2 project, I get this error:
A potentially dangerous Request.Form value was detected from the client
To get rid of it, I need to put this attribute on each controller:
    [ValidateInput(false)]
    [AllLocationAuthorizeAttribute]
    public class LocationController : Controller
    {
        // actions...
    }
First question: is it secure to do this?

The AllowHtml attribute is the best fit.
ASP.NET MVC automatically protects against possible script inputs and throws an exception. You can turn it off by using AllowHtmlAttribute or ValidateInputAttribute(false).
The Razor engine will automatically encode strings like @Model.SomeProperty, as do the HtmlHelper methods.
After encoding, <script> becomes &lt;script&gt;, so in most cases there is no reason to panic.
Helpful links: ValidateInput and AllowHtml, Prevent XSS attacks
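As an added illustration of the scoping difference (this is example code, not part of the answer above or of any project): instead of switching request validation off for a whole controller with [ValidateInput(false)], [AllowHtml] exempts only the one view-model property that carries the TinyMCE output, so every other field in the same POST is still validated. The names PostViewModel, PostsController, Title and Body are assumptions made for the example.

```csharp
using System.Web.Mvc;

// View model: only the editor field is exempt from request validation.
// PostViewModel, Title and Body are names chosen for this example.
public class PostViewModel
{
    public string Title { get; set; }          // still validated by the framework

    [AllowHtml]                                // MVC 3+: exempt this single property
    public string Body { get; set; }           // TinyMCE output lands here
}

public class PostsController : Controller
{
    // No [ValidateInput(false)] on the class or the action: Title (and any
    // other bound field) is still rejected if it looks like markup; only
    // Body is allowed through.
    [HttpPost]
    public ActionResult Create(PostViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // model.Body is untrusted HTML and stays untrusted wherever it is
        // stored or rendered; persisting it is left out of this example.
        return RedirectToAction("Index");
    }
}

// In the view the default output is encoded, so stored markup is shown as
// text instead of being executed by the browser:
//   <%: Model.Body %>        (MVC 2 Web Forms view engine)
//   @Model.Body              (Razor, MVC 3+)
// Only Html.Raw(Model.Body) emits it unencoded, so that call belongs solely
// behind a server-side HTML sanitiser.
```

On MVC 2 itself, where AllowHtml is not available, the narrowest equivalent is [ValidateInput(false)] on the single POST action that receives the editor content rather than on the controller class. On .NET 4 that attribute only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config; without it the runtime rejects the request before MVC ever reads the attribute.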

Related

Footable in Asp.Net MVC Https Azure

We use FooTable in an ASP.NET MVC app. It works fine when running on http.
But when we run the same app on https from Azure it fails with the error:
    (function ($, w, undefined) {
        if (w.footable === undefined || w.footable === null)
            throw new Error('Please check and make sure footable.js is included in the page and is loaded prior to this script.');
        // ...
    })(jQuery, window);
Any ideas?
And what is the best practice for footable in bundles, and where to place it in the _Layout file?
That error seems to be coming from one of the FooTable extensions (pagination, filtering, etc.). The error is likely caused by one of these extensions loading before the FooTable core script itself.
What version of FooTable are you using? It seems likely that you are using V2?
If so, try including footable.all.min.js, as that includes the core footable and the base extensions in a single file.
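The bundle question is not addressed by the answer, so here is an added example (not code from the question, the answer or the FooTable project) of a BundleConfig that makes the load order the answer describes explicit: jQuery, then the single footable.all.min.js, then the page's own scripts. The bundle names, the class name and the CSS path are assumptions for the example.

```csharp
using System.Web.Optimization;

// Bundle registration (System.Web.Optimization). Bundle names and script
// paths are assumptions for this example; what matters is the order.
public class BundleConfig   // class name chosen for the example
{
    public static void RegisterBundles(BundleCollection bundles)
    {
        // jQuery first: FooTable is a jQuery plugin.
        bundles.Add(new ScriptBundle("~/bundles/jquery").Include(
            "~/Scripts/jquery-{version}.js"));

        // footable.all.min.js carries the core plus the base extensions, so
        // there is no separate extension file that can run before the core.
        // If the pieces are kept separate instead, list the core first and
        // each extension after it explicitly; do not rely on a wildcard.
        bundles.Add(new ScriptBundle("~/bundles/footable").Include(
            "~/Scripts/footable.all.min.js"));

        bundles.Add(new StyleBundle("~/Content/footable").Include(
            "~/Content/footable.core.css"));   // path assumed for the example
    }
}

// _Layout.cshtml: render in dependency order at the end of <body>, and put
// the page's own $(...).footable() calls in the "scripts" section so they
// run only after both bundles have loaded.
//   @Scripts.Render("~/bundles/jquery")
//   @Scripts.Render("~/bundles/footable")
//   @RenderSection("scripts", required: false)
```

One check that is specific to a failure that appears only over HTTPS: a script referenced by an absolute http:// URL (a CDN copy, for instance) is blocked as mixed content on an HTTPS page, so a core script loaded that way never arrives while locally bundled extensions do, which produces exactly the error quoted in the question. Serving every script from the bundle, or referencing external ones over https://, removes that failure mode.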

Converting a Brownfield PHP Webapp to Zend Framework

We're thinking of converting our PHP web app from using no framework (which is killing us) to using Zend Framework. Because of the size of the application I don't think starting from scratch is going to be a viable option for management, so I wanted to start researching how to slowly convert from the current site structure to one using Zend Framework, but there isn't a lot of information on this process.
So far my plan is to dump the current code base into the public/ directory of the Zend application, fix the numerous problems that I'm sure will crop up, and then start rewriting modules one at a time.
Has anyone had experience doing this in the past, and how did it work out for you?
I've done a few of these now. What worked best for me was putting ZF 'around' the old app, so all requests go through ZF. I then have a 'Legacy' controller plugin which checks whether the request can be satisfied by ZF and, if not, sends it to the old app:
    class Yourapp_Plugin_Legacy extends Zend_Controller_Plugin_Abstract
    {
        public function preDispatch(Zend_Controller_Request_Abstract $request)
        {
            $dispatcher = Zend_Controller_Front::getInstance()->getDispatcher();
            if (!$dispatcher->isDispatchable($request)) {
                // send to the old code...
            }
        }
    }
Exactly how you then send the request to your old app depends a bit on how it is implemented. In one project, I examined the request, determined what file from the old code the request would have gone to, and then required that in. It sounds like this might be appropriate for you. In another project my solution was to route all these requests to a LegacyController in the ZF project, which ran the old code to get the resulting HTML and then rendered it inside the Zend_Layout from the new project.
The advantages of this approach are that you can gradually introduce ZF modules as you rewrite parts of the old app, until you reach the point where 100% of requests can be served by ZF. Also, since the ZF project has initialized before your old code is run, your old code can use the ZF autoloader, so you can start replacing classes in the old code with models written in a more ZF-style way, and have them used by both parts of the app.

GWT - Is it possible to create new HTML elements (from the server), or can I just update the ones loaded on the client?

I'm new to this technology, but I would like to know if it is possible to create new objects (HTML elements such as div/span/and so on...) dynamically on the server and send them to the client, or if I can only load the ones made on the client side when I develop the application.
I'm not asking how to do it (I think it's a delicate argument), but whether I can, and (if yes) where I can get some stuff/examples/tutorials to do this.
Example
What I usually do:
    ...
    public void onSuccess(Boolean result) {
        if (result) {
            myFunction();
        }
    }
    ...
    void myFunction() {
        InlineLabel label = new InlineLabel();
        this.add(label);
    }
What I'm looking for:
    ...
    public void onSuccess(InlineLabel result) {
        this.add(result);
    }
So I don't need to load the objects in advance, but load them only if I click some button (or perform an action). This will save a lot of code (which is useless if I don't perform any action) from being loaded (as JavaScript) on the client.
As usual, thanks for your time!
GWT does not support the pattern you showed, but you can achieve a similar effect with "code splitting": read http://code.google.com/webtoolkit/doc/latest/DevGuideCodeSplitting.html
With code splitting, the client only downloads the script it needs right away (configured by the developer). If, for example, the user navigates to a more complex area of the UI that requires more widgets, additional code will be downloaded.
I'm not entirely sure I understand your question, but please feel free to amend your question or post a comment if I've missed the mark.
The host page
A GWT app is loaded in the following (simplified) process:
A host page (HTML) is loaded
A bootstrapping script is loaded
A compiled app script is loaded
The host page can contain any HTML you want. The only requirement is that you include a <script> element that loads the GWT bootstrapping script.
As a result, you can have the server return a page that contains any server-generated markup you like.
Server-rendered HTML at runtime
Once your app is running, you can send off asynchronous requests in your code to retrieve arbitrary data from the server. One option is to retrieve server-generated HTML and insert it into your application.
For this option, you'll want to instantiate an HTML widget, then use its setHTML method to insert the server-generated markup into the widget.
Client-generated
As an alternative, you can retrieve structured data from the server via GWT RPC. Objects created on a Java-based server are serialised by GWT on the server and deserialised on the client back into regular objects. You can then pull data out of these objects using accessor methods (getName, getId, etc.). At this point, you have several options:
Generate some HTML using StringBuilder and the like, then use setHTML on an HTML widget.
Generate DOM elements with the DOM class
Set the data into widgets and add them to panels or the root panel.

Deploying MVC2 application to IIS7.5 - Ninject asked to provide controllers for content files

I have an application that started life as an MVC (1.0) app in Visual Studio 2008 Sp1 with a bunch of Silverlight 3 projects as part of the site. Nothing fancy at all. Using Ninject for dependency injection (first version 2 beta, now the released version 2 with the MVC extensions).
With the release of .Net 4.0, VS2010, MVC2 etc., we decided to move the application to the newest platform. The conversion wizard in VS2010 apparently took care of everything, with one exception - it didn't change references to mvc1 to now point to mvc2, so I had to do that manually. Of course, this makes me think about other MVC2 things that could be missing from my app, that would be there if I did File -> New Project... But that is not the focus of this question.
When I deploy this application to the IIS 7.5 server (running on Win2008 R2 x64), the application as such works. However, images, scripts and other static content doesn't seem to exist. Of course they are there on disk on the server, but they don't show up in the client web browser.
I am fairly new to IIS, so the only trick I knew is to try to open the web page in a browser on the server, as that could give me more information. And here, finally, we meet our enemy. If I try to go directly to the URL of one of the images (http://server/Content/someimage.jpg for instance), I get the following error in the browser:
The IControllerFactory 'Ninject.Web.Mvc.NinjectControllerFactory' did not return a controller for a controller named 'Content'.
Aha. The web server tries to feed this request to MVC, which with its default routing setup assumes Content to be a controller, and fails.
How can I get it to treat Content/ and Scripts/ (among others) as non-controllers and just pass through the static content? This of course works with Cassini on my developer machine, but as soon as I deploy, this problem hits.
I am using the last version of Ninject MVC 2 where the IoC tool should pass missing controllers to the base controller factory, but this has apparently not helped. I have also tried to add ignore routes for Content etc., but this apparently has no effect either. I am not even sure I am addressing the problem on the right level.
Does anyone know where to look to get this app going? I have full control of the web server so I can more or less do whatever I want to it, as long as it starts working.
Thanks!
I had a similar problem with StructureMap and favicon.ico; what I ended up doing was to add a route to ignore that path.
    routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
    routes.IgnoreRoute("favicon.ico");
Keep in mind that I really have absolutely no idea, but another thing that changed is the need for Default.aspx; also, if you have any custom pages, those would need to be mapped. Those are the only two problems I had with routing.
    routes.RouteExistingFiles = false;
EDIT: I meant that RouteExistingFiles should be false, otherwise I get that exception in MVC2 :)
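For completeness, an added example (not the answerer's or the asker's code) of a full MVC 2 route registration that keeps the static folders named in the question out of the controller factory: the ignore patterns precede the Default route, and RouteExistingFiles stays at its default of false. The class name is this example's choice; the folder names Content and Scripts are the ones from the question.

```csharp
using System.Web.Mvc;
using System.Web.Routing;

// Route registration for a Global.asax-style MVC 2 application.
// Called from Application_Start as RouteConfig.RegisterRoutes(RouteTable.Routes).
public static class RouteConfig   // class name chosen for the example
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // Default setting: a URL that maps to a physical file on disk is
        // handed to IIS's static file handler and never consulted against
        // the routing table.
        routes.RouteExistingFiles = false;

        // Ignore routes must be registered before any MapRoute, otherwise
        // the Default route below claims /Content/... first.
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");
        routes.IgnoreRoute("favicon.ico");
        routes.IgnoreRoute("Content/{*pathInfo}");   // static images, css
        routes.IgnoreRoute("Scripts/{*pathInfo}");   // static javascript

        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}
```

The asker's eventual finding was that the IIS AppPool\sitename identity lacked rights on the content folders. That is consistent with the symptom: with RouteExistingFiles false, routing steps aside only for a file it can see, and a file the worker process is not permitted to read is reported as absent, so the request falls through to MVC and the controller factory is asked for a "Content" controller. The explicit ignore routes above are still worth having, because they stop static paths from ever being treated as controller names regardless of the file-system state.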
Turns out this was caused by some account settings - I was unaware of the IIS AppPool\sitename account automatically being created by IIS in Win2008 R2 server. After trying "everything", I came across this information, gave the proper rights, and stuff magically started working.
Pretty hard thing to debug, especially for someone (me) with very limited IIS experience.

ASP .NET MVC2 problem in calling jquery.get()

I am working on an ASP.NET MVC2 project where I have to load data using $.get(), but it doesn't work. Although if I call the same method with $.post(), whether I put [AcceptVerbs(HttpVerbs.Post)] above my controller method or not, it works. So I just want to ask: has Microsoft put a restriction on calling $.get() with ASP.NET MVC2? If yes, then what's the reason behind it, security or anything else?
What do you mean it doesn't work? What http status code do you get? Is there an error message? Try using firebug and open the net tab to watch the result to see any errors and to also make sure it is calling the url you are expecting. Also, have you tried using jQuery $.ajax() instead of $.get()?
Are you using .NET Framework 3.5? Maybe you should consider creating an Ajax-enabled WCF service; the ASP postback and autopostback model can be the reason why it doesn't work nicely.
Firebug / Fiddler is your friend.
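None of the answers names a cause, so here is an added example (not from the question or the answers) of the one MVC 2 behaviour that produces exactly "$.post() works, $.get() does not": JsonResult rejects GET requests unless the action opts in with JsonRequestBehavior.AllowGet. It exists because a JSON response reachable by GET can be pulled into a third-party page as a script and, for some response shapes, read from there with the user's cookies attached (JSON hijacking). The example assumes the action returns Json(), which the question does not state; the controller, action and data are constructed for illustration.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Assumed for this example: the action returns JSON (the question does not
// say what $.get() expects back). Controller and action names are made up.
public class LookupController : Controller
{
    // MVC 2 default: Json(data) behaves as Json(data, JsonRequestBehavior.DenyGet).
    // A $.get() to this action therefore fails (HTTP 500, InvalidOperationException:
    // "This request has been blocked because sensitive information could be
    // disclosed to third party web sites when this is used in a GET request"),
    // while $.post() succeeds. Keep user-specific data behind POST.
    [HttpPost]
    public JsonResult AccountSummary()
    {
        var data = new { Balance = 1234.56m, Owner = "example" };   // constructed sample
        return Json(data);
    }

    // Opting in to GET is appropriate only when the response contains nothing
    // a cross-site page could gain by loading this URL as a <script>:
    // public, non-user-specific data.
    [HttpGet]
    public JsonResult Countries()
    {
        var countries = new List<string> { "DE", "FR", "NL" };      // constructed sample
        return Json(countries, JsonRequestBehavior.AllowGet);
    }
}

// Client side (jQuery), for reference:
//   $.post('/Lookup/AccountSummary', function (d) { /* ... */ });   // works
//   $.get('/Lookup/Countries', function (d) { /* ... */ });         // works: AllowGet
//   $.get('/Lookup/AccountSummary', function (d) { /* ... */ });    // blocked by DenyGet
```

The guard is per action, so the decision is made where the data's sensitivity is known: leave the default in place for anything tied to the logged-in user and add AllowGet only for reference data that would be harmless on a public URL.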