ASP .NET MVC – Validate Request problem

As I said in my previous post, I’m working on an ASP .NET project and I’m learning new things about this technology

I had to integrate a WYSIWYG editor in my project, and after doing that I got the classic ‘A potentially dangerous Request.Form value was detected from the client’ exception at runtime. This error appears because I tried to post a string that the server recognized as a potential cross-site scripting attack. In classic ASP .NET, to resolve this problem you can either encode the string and decode it back when using it, or you can add ValidateRequest="false" to your Page directive.

So I went for the second choice, but I was still having the same problem. After a little digging on Google I found out what the actual problem was. In ASP .NET MVC all the validation is done at the controller level. That’s quite logical, because when the controller is executing we don’t know which view is going to be rendered. Additionally, if a user posts a malicious script, by the time the view is rendered it’s too late to do anything about it. So to resolve the problem you have to decorate your controller or action with the attribute [ValidateInput(false)]. That way we tell the controller or the action to suppress request validation.
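As an added example (not code from the original post), here is the attribute scoped to the single action that receives the editor's HTML, with the stored markup still treated as untrusted when it is shown again; the controller, the Article class and the in-memory ArticleStore are assumed names.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

public class Article
{
    public int Id { get; set; }
    public string Title { get; set; }
    public string Body { get; set; }   // raw HTML posted by the WYSIWYG editor
}

// Minimal in-memory store so the example is self-contained (assumed helper).
public static class ArticleStore
{
    private static readonly List<Article> Items = new List<Article>();
    public static Article Save(Article a) { a.Id = Items.Count + 1; Items.Add(a); return a; }
    public static Article Get(int id) { return Items[id - 1]; }
}

public class ArticleController : Controller
{
    // Request validation is switched off for this action only, so the rest of
    // the controller keeps rejecting markup in posted values. Without the
    // attribute, posting "<p>hi</p>" as 'body' raises the "potentially
    // dangerous Request.Form value" exception before this method runs.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Save(string title, string body)
    {
        var article = ArticleStore.Save(new Article { Title = title, Body = body });
        return RedirectToAction("Show", new { id = article.Id });
    }

    public ActionResult Show(int id)
    {
        var article = ArticleStore.Get(id);
        // Disabling validation moves the responsibility to output handling:
        // plain-text fields are HTML-encoded here, and the view must render
        // Body either encoded (Html.Encode) or only after sanitising it
        // against an allow-list of tags; it must never be written out raw.
        ViewData["SafeTitle"] = HttpUtility.HtmlEncode(article.Title);
        return View(article);
    }
}
```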

ASP .NET MVC – Dynamic controls

I’m currently working on a project built with ASP .NET MVC and I ran into a problem the other day: how can I get the value of a dynamically generated input control in a controller? For example, let’s say that you have to put a number of controls (textboxes, checkboxes etc.) on a view based on your application’s logic. When the page is posted back to the server, you want to be able to check the values of those controls in order to process them. To get those values you have to look up the name of your control in the Request.Form collection.
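An added example of that lookup (not code from the original post): the list of generated controls is kept on the server, each expected name is read from Request.Form and validated, and an unchecked checkbox, which the browser does not send at all, is handled by its absence. SurveyController, QuestionIds and the score_/skip_ name prefixes are assumed.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

public class SurveyController : Controller
{
    // Server-side definition of which dynamic controls were generated for the
    // view. Deriving the expected names here rather than from the posted data
    // means any extra field names the client sends are simply ignored.
    private static readonly string[] QuestionIds = { "q1", "q2", "q3" };

    [HttpPost]
    public ActionResult Submit()
    {
        var scores = new Dictionary<string, int>();
        var skipped = new Dictionary<string, bool>();

        foreach (string id in QuestionIds)
        {
            // Textbox rendered as <input type="text" name="score_q1" />.
            // Request.Form[name] is null when the field was not posted.
            string raw = Request.Form["score_" + id];
            int score;
            if (raw != null && int.TryParse(raw, out score) && score >= 1 && score <= 5)
                scores[id] = score;
            else
                ModelState.AddModelError("score_" + id, "Score must be between 1 and 5.");

            // Checkbox rendered as <input type="checkbox" name="skip_q1" />.
            // An unchecked box is not part of the post, so presence == checked.
            skipped[id] = Request.Form["skip_" + id] != null;
        }

        if (!ModelState.IsValid)
            return View("Questions");   // redisplay with the validation errors

        ViewData["Scores"] = scores;
        ViewData["Skipped"] = skipped;
        return View("Result");
    }
}
```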

ASP .NET Tutorials – Episode #2

Hello,

The second episode from our ASP .NET tutorials in Romanian is online. This episode covers the standard ASP .NET controls, masterpages, themes and web parts. You can also find a really interesting section for advanced users.

ASP .NET tutorials and screencasts

Hi there. Mihai Tataran, director of HPC Consulting (the company where I work), and I are writing some ASP .NET tutorials for the Romanian ASP .NET developer community. Each tutorial will cover the basics of ASP .NET, but we also have a section for advanced developers. Our first tutorial presents an introduction to ASP .NET, and the advanced developers section features an interesting article about UrlRewrite. Each of these articles has a screencast. To read the first tutorial click here (text and screencasts are in Romanian).

What is the __doPostBack function and how can it be used?

This article explains the postback mechanism in ASP .NET and how pages can be posted to the server from client code.

Let’s suppose we have a simple ASP .NET page which contains a LinkButton:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="Default.aspx.cs" Inherits="WebApplication1._Default" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title></title>
</head>
<body>
    <form id="form1" runat="server">
    <div>
        <asp:LinkButton ID="lnkTest" runat="server" />
    </div>
    </form>
</body>
</html>

When this page is rendered, if we take a look at the source of the page (any modern browser has this feature: just right-click on the page and select View Source or View Page Source) it is going to look like this:

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head><title>

</title></head>
<body>
    <form name="form1" method="post" action="Default.aspx" id="form1">
<div>
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJNTc5OTI5MzM1ZGRIdK4YuAGq1dppJ0EPmqso2jMx1g==" />
</div>

<script type="text/javascript">
//<![CDATA[
var theForm = document.forms['form1'];
if (!theForm) {
    theForm = document.form1;
}
function __doPostBack(eventTarget, eventArgument) {
    if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
        theForm.__EVENTTARGET.value = eventTarget;
        theForm.__EVENTARGUMENT.value = eventArgument;
        theForm.submit();
    }
}
//]]>
</script>

<div>
 <input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAgLrmfXzCgKSw44DvJoR+Ww1XMuknKIlXE7tgDogJ9c=" />
</div>
    <div>
        <a id="lnkTest" href="javascript:__doPostBack('lnkTest','')"></a>
    </div>
    </form>
</body>
</html>

First of all, we can see that our LinkButton is rendered as an anchor element (<a> tag). Also, the href of that link points to a JavaScript function named __doPostBack, which is defined earlier in the page. This function has two parameters: eventTarget (the id of the control that determines which handler is to be executed) and eventArgument (an optional argument which can be set if needed).

If we inspect the code of the __doPostBack function, we can see that it first sets the values of two hidden fields created by ASP .NET, named __EVENTTARGET and __EVENTARGUMENT, to the two parameters passed to the function. After this the page is submitted back to the server, provided that the form’s onsubmit handler, if there is one, did not return false.

When a page is posted back to the server, ASP .NET inspects the __EVENTTARGET and __EVENTARGUMENT values and this way it can decide which of the controls caused the page to be posted back and which event has to be handled.
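The server side of that round trip, as an added example that is not part of the article: a custom control that emits its own __doPostBack links and receives eventTarget/eventArgument back through IPostBackEventHandler, registering the arguments for event validation so that a tampered __EVENTARGUMENT is rejected. ActionLink, Decided and DecisionEventArgs are assumed names.

```csharp
using System;
using System.Web;
using System.Web.UI;

public class DecisionEventArgs : EventArgs
{
    public string Decision { get; private set; }
    public DecisionEventArgs(string decision) { Decision = decision; }
}

// Renders links that call __doPostBack('<UniqueID>','approve') and
// __doPostBack('<UniqueID>','reject'). On postback the page runtime matches
// __EVENTTARGET to this control's UniqueID and passes __EVENTARGUMENT to
// RaisePostBackEvent, which is the dispatch the article describes.
public class ActionLink : Control, IPostBackEventHandler
{
    private static readonly string[] Allowed = { "approve", "reject" };

    public event EventHandler<DecisionEventArgs> Decided;

    protected override void Render(HtmlTextWriter writer)
    {
        foreach (string arg in Allowed)
        {
            // The third parameter registers the (UniqueID, arg) pair with
            // event validation, which is what the __EVENTVALIDATION hidden
            // field seen in the page source carries; it must run during Render.
            string href = Page.ClientScript.GetPostBackClientHyperlink(this, arg, true);
            writer.Write("<a href=\"{0}\">{1}</a> ",
                         HttpUtility.HtmlAttributeEncode(href), HttpUtility.HtmlEncode(arg));
        }
    }

    // Called by the framework on postback when __EVENTTARGET equals UniqueID.
    public void RaisePostBackEvent(string eventArgument)
    {
        // __EVENTARGUMENT is client-supplied: ValidateEvent throws unless this
        // (UniqueID, argument) pair was registered at render time, and the
        // explicit check keeps the handler to the two expected values.
        Page.ClientScript.ValidateEvent(UniqueID, eventArgument);
        if (Array.IndexOf(Allowed, eventArgument) < 0) return;

        var handler = Decided;
        if (handler != null) handler(this, new DecisionEventArgs(eventArgument));
    }
}
```

In the page's code-behind, subscribe with decide.Decided += ...; the runtime invokes RaisePostBackEvent only on the control whose UniqueID appears in __EVENTTARGET, so controls that did not cause the postback never see the argument.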