Wednesday, May 18, 2011

How to overcome ValidateRequest problems

As part of a project to secure the Hunter HRMS application by Niloosoft, I ran into a problem with ASP.NET's ValidateRequest feature. It seems to raise validation errors not only on characters such as < and >, but also on special text characters from other languages. I didn't want to disable ValidateRequest (not for the entire application in web.config, and not even for the specific page), because it is a valuable security feature. So I found the following way to get around ValidateRequest for a single text box:
On the client, I handle the submit button's onclick event and, using JavaScript, replace the text box's value with its URL-encoded form. This looks something like this:
document.getElementById("txtName").value = encodeURIComponent(document.getElementById("txtName").value);

Note that encodeURIComponent() is a built-in JavaScript function. You can Google it for more information, but basically it does exactly what it says: it applies URL encoding to its input. Because it is designed to encode a single component of a URL, it also encodes URL characters such as /, & and ?.

Now, on the server side, all you need to do is decode the text using Server.UrlDecode().

Incidentally, this causes two problems: (1) while the page posts back, the user sees the text box's value change to the encoded form; (2) if the postback fails, the encoded value remains in the text box instead of the real one. To overcome them, this is what I did: (a) I put the encoded value in a hidden field instead of the original text box; (b) I set the text box to disabled so its value is not posted back to the server and does not trigger the validation error (make sure the form's SubmitDisabledControls property is set to false); (c) in the page's OnPreLoad event I decoded the value in the hidden field and put it back into the text box. This handling worked perfectly.

This is a great way to get around ValidateRequest for a specific text box. But note: make sure to HTML-encode the value when you display it in labels, because it might include malicious script (it bypassed the ValidateRequest check!). That is another subject, though (look up anti-XSS).
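The whole round trip described above, as an added example that is not part of the original post: the client encodes the raw value into the hidden field, the server decodes it, and the value is HTML-encoded before it is written into a label. The "server" side here is stand-in JavaScript (decodeURIComponent in place of Server.UrlDecode(), a small htmlEncode in place of HttpUtility.HtmlEncode), and the sample inputs are constructed.

```javascript
// Added example: simulates the client-side encode / server-side decode
// round trip for one text box, plus HTML-encoding for display.
// Server-side functions are stand-ins, not ASP.NET.

function encodeForPostback(rawValue) {
  // Mirrors: hiddenField.value = encodeURIComponent(textBox.value)
  // Every character ValidateRequest objects to ('<', '>', '&') is
  // percent-encoded, as are non-ASCII letters (as UTF-8 bytes).
  return encodeURIComponent(rawValue);
}

function decodeOnServer(postedValue) {
  // Stand-in for Server.UrlDecode(). (Server.UrlDecode also maps '+'
  // to a space, but encodeURIComponent never emits a bare '+', so the
  // round trip is not affected.)
  return decodeURIComponent(postedValue);
}

function htmlEncode(s) {
  // Stand-in for HttpUtility.HtmlEncode: the decoded value went past
  // ValidateRequest, so it must be encoded before it reaches a Label.
  return s
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

function simulateSubmit(rawValue) {
  const hidden = encodeForPostback(rawValue);   // what the browser posts
  const onServer = decodeOnServer(hidden);       // what the page works with
  const display = htmlEncode(onServer);          // what goes into a Label
  return { hidden, onServer, display };
}

// Constructed sample inputs: Hebrew text with markup, and URL characters
const samples = ['שלום <b>', 'a&b=c?/d'];
for (const s of samples) {
  const r = simulateSubmit(s);
  console.log(JSON.stringify(r));
}
```

The hidden field never carries a literal < or &, the decoded value is byte-for-byte the user's input, and only the HTML-encoded form is safe to echo into the page.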

If this post helped you, please let me know by posting a comment!

Sunday, May 1, 2011

How to get rid of padded zeroes after decryption

This is how I got rid of padded zeroes after using RijndaelManaged encryption:


            using System.Linq;

            // Returns the plaintext without the zero bytes appended as padding.
            // Note: any genuine 0x00 bytes at the end of the message are stripped too.
            static byte[] TrimTrailingZeros(byte[] plainbytes)
            {
                  // Walk back from the end to the last non-zero byte
                  int i = plainbytes.Length - 1;
                  for (; i >= 0; i--)
                  {
                        if (plainbytes[i] != 0)
                        {
                              break;
                        }
                  }
                  // i + 1 is the number of bytes to keep (0 if the array is all zeros)
                  return plainbytes.Take(i + 1).ToArray();
            }


If you turn the byte[] first to string, then you can clean out the string as follows:

            // Walk back from the end to the last character that is not a padded '\0'
            // (decryptedString.TrimEnd('\0') does the same in one call)
            int i = decryptedString.Length - 1;
            for (; i >= 0; i--)
            {
                if (decryptedString[i] != '\0')
                {
                    break;
                }
            }
            // i + 1 is the number of characters to keep (0 if the string is all '\0')
            decryptedString = decryptedString.Substring(0, i + 1);
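The same trimming in JavaScript, as an added example that is not from the original post, covering the edge cases the loop above has to get right (no trailing zeros, all zeros, empty input) and the one failure mode worth knowing: trailing zeros are indistinguishable from padding. RijndaelManaged defaults to PKCS7 padding, which the decryptor removes by itself; trailing zeros come from PaddingMode.Zeros or from returning the whole output buffer, and in either case a message that genuinely ends in 0x00 loses those bytes. The zeroPad helper and the sample inputs are constructed for this example.

```javascript
// Added example: strip zero padding from decrypted bytes and strings,
// and show that the operation is lossy for data ending in 0x00.

// Returns a copy of `bytes` without trailing 0x00 bytes.
function trimTrailingZeros(bytes) {
  let end = bytes.length;
  while (end > 0 && bytes[end - 1] === 0) end--;
  return bytes.slice(0, end);   // empty array if every byte was zero
}

// Same idea once the bytes have been turned into a string.
function trimTrailingNulls(str) {
  let end = str.length;
  while (end > 0 && str.charCodeAt(end - 1) === 0) end--;
  return str.substring(0, end);
}

// Constructed stand-in for PaddingMode.Zeros: pad only when the length
// is not already a multiple of the block size.
function zeroPad(bytes, blockSize) {
  const rem = bytes.length % blockSize;
  if (rem === 0) return bytes.slice();
  const out = new Uint8Array(bytes.length + (blockSize - rem));
  out.set(bytes);                // remaining bytes are already 0x00
  return out;
}

// Pad then trim: equals the input unless the input itself ends in 0x00.
function roundTrip(bytes, blockSize) {
  return trimTrailingZeros(zeroPad(bytes, blockSize));
}

// Constructed sample: the message [1, 0] comes back as [1].
const original = Uint8Array.from([1, 0]);
console.log(Array.from(roundTrip(original, 16)));   // [1]
```

If the plaintext may legitimately end in zero bytes, carry its length separately or use a self-describing padding such as PKCS7 instead of trimming.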

Wednesday, March 16, 2011

How to deal with ASP.NET Event Validation

I have encountered problems with the Event Validation mechanism in ASP.NET when I add values to a drop-down list using JavaScript: in this case I sometimes get an exception. How to deal with it? I found several solutions on the web, but none were very good. While this mechanism can be disabled, doing so is bad for application security. I found another solution that worked great for me:
First you must understand why the exception occurred: the value selected by the user did not exist among the values the server originally put into the drop-down list. So what I did was create a hidden field and send the value to the server in it (on the client, put the selected value into the hidden field using JavaScript). Then, right before the postback (on the client, using JavaScript), disable the drop-down element. A disabled element's value is not sent to the server, so the Event Validation exception is not triggered.
Example how to disable:

var ddlProfField = document.getElementById("ddlProfessionalField");
// A disabled form control is left out of the postback
ddlProfField.disabled = true;


Another option, instead of disabling the element, is to clear its values like this:

ddlProfField.options.length = 0;
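The hidden-field workaround end to end, as an added example that is not from the original post. It models the form with plain objects instead of the DOM (no browser or ASP.NET involved): only enabled controls are collected into the postback, the onclick handler copies the selection into the hidden field and disables the drop-down, and the server-side stand-in checks the posted value against the set of values the application allows, since Event Validation no longer covers it. The control names, the allowed values and the selections are constructed.

```javascript
// Added example: hidden field + disabled drop-down, with the server
// re-checking the value Event Validation no longer sees.

// A browser posts only enabled controls, which is why disabling the
// drop-down keeps its client-added value out of the postback.
function collectPostData(controls) {
  const data = {};
  for (const c of controls) {
    if (!c.disabled) data[c.name] = c.value;
  }
  return data;
}

// Mirrors the client-side onclick handler described above.
function prepareForPostback(dropdown, hidden) {
  hidden.value = dropdown.value;
  dropdown.disabled = true;
}

// Server-side stand-in (hypothetical name): Event Validation would have
// rejected a value the server never rendered, so do the same check here
// against an explicit allow-list.
function readProfessionalField(postData, allowedValues) {
  const v = postData.hdnProfessionalField;
  if (v === undefined || !allowedValues.has(v)) {
    return null;   // reject the postback value
  }
  return v;
}

function simulate(selectedValue, allowedValues) {
  const ddl = { name: 'ddlProfessionalField', value: selectedValue, disabled: false };
  const hdn = { name: 'hdnProfessionalField', value: '', disabled: false };
  prepareForPostback(ddl, hdn);
  const posted = collectPostData([ddl, hdn]);
  return { posted, accepted: readProfessionalField(posted, allowedValues) };
}

// Constructed: the values the application knows about, including ones
// added to the list by JavaScript after the page rendered.
const allowed = new Set(['eng', 'qa', 'ops']);
console.log(JSON.stringify(simulate('qa', allowed)));
console.log(JSON.stringify(simulate('not-a-field', allowed)));
```

The posted data contains hdnProfessionalField but not ddlProfessionalField, and a value outside the allow-list is rejected on the server exactly as Event Validation would have rejected it.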

If this post helped you, please let me know by posting a comment!

For other solutions see this link: http://odetocode.com/blogs/scott/archive/2006/03/21/asp-net-event-validation-and-invalid-callback-or-postback-argument-again.aspx