Here is my Default.aspx
<%@ Page Language="C#" AutoEventWireup="true" CodeFile="Default.aspx.cs" Inherits="_Default" ValidateRequest="false" %>
<html>
<head runat="server">
<title>xss demonstration</title>
</head>
<body>
<form id="form1" runat="server">
<div>
We are looking for your feedback.
<asp:TextBox ID="txtFeedback" runat="server" TextMode="MultiLine" />
<br />
<asp:Button ID="submit" runat="server" Text="Submit" onclick="submit_Click" />
<br />
Comment:
<br />
<asp:Literal ID="ltlFeedback" runat="server" />
</div>
</form>
</body>
</html>
And below is Default.aspx.cs
using System;
using System.Web.UI;

public partial class _Default : Page
{
protected void submit_Click(object sender, EventArgs e)
{
// Writes the raw, unencoded input straight into the page: this is the XSS sink being demonstrated.
this.ltlFeedback.Text = this.txtFeedback.Text;
}
}
When I run the application and enter the following in the text box:
<script>alert('Hello')</script>
I get the following error:
A potentially dangerous Request.Form value was detected from the
client (txtFeedback="alert('Hello...").
My question is why I get this error even though ValidateRequest is set to false in the page?
In .NET Framework 4.0 you have to set the <httpRuntime requestValidationMode="2.0"/> element in web.config.
<system.web>
<compilation debug="false" targetFramework="4.0" />
<httpRuntime requestValidationMode="2.0"/>
</system.web>
Have a look at reference article - ASP.NET 4 Breaking Changes #1: requestValidationMode cause ValidateRequest=False to fail.
You just need to add the following to your web.config:
<system.web>
<compilation debug="false" targetFramework="4.0" />
<httpRuntime requestValidationMode="2.0"/>
</system.web>
But take care: by doing this you can become the victim of a cross-site scripting attack.
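The warning above is the important part. Request validation is a coarse input filter, not an XSS defence, and switching it off is only safe when the page encodes untrusted text at the point where it is written into HTML. The code-behind below is an added example, not the original poster's code; it reuses the control IDs txtFeedback and ltlFeedback and the class name _Default from the question, keeps the vulnerable assignment as a comment, and replaces it with an HTML-encoded one:

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for the page's Default.aspx. The control IDs (txtFeedback,
// ltlFeedback) and the class name _Default come from the original markup;
// everything else in this file is an added example.
public partial class _Default : Page
{
    // Encoding at the sink is what makes disabling request validation safe.
    // HttpUtility.HtmlEncode turns the markup-significant characters
    // (<, >, &, ") into entities, so "<script>alert('Hello')</script>"
    // is shown to the reader as text instead of being executed.
    internal static string EncodeForHtmlBody(string untrusted)
    {
        return HttpUtility.HtmlEncode(untrusted ?? string.Empty);
    }

    protected void submit_Click(object sender, EventArgs e)
    {
        // Original (vulnerable) assignment, kept for comparison:
        //   this.ltlFeedback.Text = this.txtFeedback.Text;
        // With ValidateRequest="false" (and requestValidationMode="2.0")
        // that writes the raw payload into the response body.

        // Hardened form: encode, then write.
        this.ltlFeedback.Text = EncodeForHtmlBody(this.txtFeedback.Text);
    }
}
```

With this in place the page can keep ValidateRequest="false" together with the web.config setting above, and the payload from the question renders as literal text. The same effect is available declaratively by setting Mode="Encode" on the asp:Literal, which makes the control call HtmlEncode itself. If the application later moves to ASP.NET 4.5 or newer, Request.Unvalidated (with requestValidationMode="4.5") lets a handler read the raw value of a single field without disabling validation for the whole page.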
Disable ValidateRequest on any pages retrieved via Server.Execute
I recently ran into a rather esoteric version of this error. In order to include shared content across pages in different sites, I call Server.Execute on another ASPX page. By default, Server.Execute will forward the POST data along to the child request, so this page also needs ValidateRequest="false".
As long as <httpRuntime requestValidationMode="2.0"/> in web.config is set, the exception's stack trace will indicate which page class raised the error.
Hi, can someone help me with how to call (or refresh) the control below from code-behind?
Currently it works when I click my btnUpdate button. I also want to refresh the same user control when I press another button (e.g. btnrefresh).
<telerik:RadAjaxManager ID="RadAjaxManager1" runat="server">
<AjaxSettings>
<telerik:AjaxSetting AjaxControlID="btnUpdate">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="Panel1" LoadingPanelID="RadAjaxLoadingPanel1" />
</UpdatedControls>
</telerik:AjaxSetting>
</AjaxSettings>
<ClientEvents OnRequestStart="RequestStart" OnResponseEnd="ResponseEnd" />
</telerik:RadAjaxManager>
<telerik:RadAjaxLoadingPanel ID="RadAjaxLoadingPanel1" runat="server" Skin="Default" />
<asp:Panel ID="Panel1" runat="server" Width="100%">
<uc:EmpEnrollment runat="server" ID="EmpEnrollment" />
</asp:Panel>
Just add another AjaxSetting for your btnrefresh in your AjaxSettings like below:
<AjaxSettings>
<telerik:AjaxSetting AjaxControlID="btnUpdate">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="Panel1" LoadingPanelID="RadAjaxLoadingPanel1" />
</UpdatedControls>
</telerik:AjaxSetting>
<telerik:AjaxSetting AjaxControlID="btnrefresh">
<UpdatedControls>
<telerik:AjaxUpdatedControl ControlID="Panel1" LoadingPanelID="RadAjaxLoadingPanel1" />
</UpdatedControls>
</telerik:AjaxSetting>
</AjaxSettings>
I am making a simple login page and trying to validate it using the Struts ValidatorForm, but it's not working. The same code worked for DynaValidatorForm. I am not able to understand what the problem is.
It does not show any error when I click the login button.
Here is my code.
login.jsp
<body>
<div style="color:red">
<html:errors />
</div>
<html:form action="/Login" >
User Name : <html:text name="LoginForm" property="username" /> <br>
Password : <html:password name="LoginForm" property="password" /> <br>
<html:submit value="Login" />
</html:form>
</body>
LoginAction.java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

public class LoginAction extends Action
{
public ActionForward execute(ActionMapping mapping, ActionForm form,
HttpServletRequest request, HttpServletResponse response)
throws Exception {
LoginForm loginForm = (LoginForm) form;
String userName = loginForm.getUsername();
String password = loginForm.getPassword();
if (userName.equals("sumeet"))
{
return mapping.findForward("success");
}
else
{
return mapping.findForward("failure");
}
}
}
struts-config.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE struts-config PUBLIC "-//Apache Software Foundation//DTD Struts Configuration 1.3//EN" "http://struts.apache.org/dtds/struts-config_1_3.dtd">
<struts-config>
<form-beans>
<form-bean name="LoginForm" type="com.ibm.Forms.LoginForm" >
</form-bean>
</form-beans>
<global-exceptions>
</global-exceptions>
<global-forwards>
</global-forwards>
<action-mappings>
<action name="LoginForm" path="/Login" scope="session" input="/login.jsp" type="com.ibm.Action.LoginAction" cancellable="true" validate="true">
<forward name="success" path="/success.jsp"/>
</action>
</action-mappings>
<message-resources parameter="test2.resources.ApplicationResources"/>
<plug-in className="org.apache.struts.validator.ValidatorPlugIn">
<set-property property="pathnames" value="/WEB-INF/validator-rules.xml,/WEB-INF/validation.xml"/>
</plug-in>
</struts-config>
validation.xml
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE form-validation PUBLIC "-//Apache Software Foundation//DTD Commons Validator Rules Configuration 1.1.3//EN" "http://jakarta.apache.org/commons/dtds/validator_1_1_3.dtd" >
<form-validation>
<formset>
<form name="LoginForm">
<field property="username" depends="required">
</field>
<field property="password" depends="required,minlength">
<arg1 key="${var:minlength}" name="minlength" resource="false"/>
<var>
<var-name>minlength</var-name>
<var-value>6</var-value>
</var>
</field>
</form>
</formset>
</form-validation>
Thank you.
You are missing the .do in the action attribute of the html form. You don't need the name attribute in both inputs.
<html:form action="/Login.do" >
User Name : <html:text property="username" /> <br>
Password : <html:password property="password" /> <br>
<html:submit value="Login" />
</html:form>
I'm trying to embed Flowplayer in my client's vBulletin forum and have succeeded with basic videos in the S3 bucket, but am having trouble trying to implement RTMP. I've set up the distribution OK and can stream to a plain HTML page outside of vBulletin, but am hitting a wall trying to write a custom BBCode to embed in posts.
My code for the basic embed looks like this in my custom BBCode...
<object id="flowplayer" width="624" height="352" data="http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.14.swf" type="application/x-shockwave-flash">
<param name="movie" value="http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.14.swf" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" />
<param name="quality" value="autohigh" />
<param name="flashvars" value='config={"clip":{"autoPlay":false,"accelerated":true,"url":"{param}"}}' />
</object>
And my working RTMP streaming looks like this...
<HTML>
<HEAD>
<TITLE>
Streaming Video with Flowplayer
</TITLE>
</HEAD>
<BODY>
<H1>HSL501 Observation Video</H1>
<script type="text/javascript" src="http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.11.min.js"></script>
<div id="page">
<div id="rtmpPlayer" style="display:block;width:1000px;height:500px;"></div>
<script language="javascript">
// our custom configuration is given in third argument
flowplayer("rtmpPlayer", "http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.14.swf",{
plugins: {
rtmp: {
url: 'http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer.rtmp-3.2.11.swf',
netConnectionUrl: 'rtmp://XXXX.cloudfront.net/cfx/st'
}
},
clip: {
url: 'mp4:entries%207.mp4',
provider: 'rtmp'
}
});
</script>
</div>
</BODY>
</HTML>
Any help would be much appreciated
Steve
Finally figured it out and hopefully this will help somebody else and save them having to search for hours like I did.
<object width="656" height="420" data="http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.14.swf" type="application/x-shockwave-flash">
<param name="movie" value="http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer-3.2.14.swf" />
<param name="allowfullscreen" value="true" />
<param name="allowscriptaccess" value="always" /><param name="flashvars" value='config={"clip":{"url":"mp4:{param}","bufferLength":1,"provider":"dtfl"},"plugins":{"dtfl":{"url":"http://www.MY_DOMAIN.com/forums/flowplayer/flowplayer.rtmp-3.2.11.swf","netConnectionUrl":"rtmp://XXXXX.cloudfront.net/cfx/st"},"controls":{"backgroundGradient":[0.1,0.3,0,0,0],"bufferGradient":"none","sliderColor":"#272727","backgroundColor":"#000","sliderGradient":"small","buttonOverColor":"#272727","borderRadius":"0px","buttonColor":"#565656","timeColor":"#CCCCCC","progressColor":"#565656","durationColor":"#ffffff","bufferColor":"#CCCCCC","progressGradient":"medium","opacity":1}}}' />
</object>
Steve, in Clip --> url you are giving My_Domain, whereas it should be the URI of your file in S3. Let me know exactly what happens when you load the page and play the video, as we also faced issues making it work, but finally did after a few fixes.
Hey all, I am having some problems viewing a stream from the IP camera via its CGI commands:
http://192.168.1.99:99/videostream.cgi?user=UNhere&pwd=PWhere&resolution32=&rate=0
When creating the HTML page for the embedded code it looks like this:
<html>
<head>
<title>Demo of VLC</title>
<script type="text/javascript">
// The plugin is reached through its element id ("vlc"), which the browser exposes as a global.
function mute()
{
vlc.audio.toggleMute();
}
function play()
{
vlc.playlist.play();
}
function stop()
{
vlc.playlist.stop();
}
function pause()
{
vlc.playlist.togglePause();
}
</script>
</head>
<body>
<h1>Demo of VLC mozilla plugin - Example 1</h1>
<div id="page">
<div id="player">
<!--[if IE]>
<object type="application/x-vlc-plugin" pluginspage="http://www.videolan.org"
version="VideoLAN.VLCPlugin.2" id="vlc" width="720px"
height="540px" events="True" classid="clsid:9BE31822-FDAD-461B-AD51-BE1D1C159921" >
<param name="MRL" value="http://192.168.1.99:99/videostream.cgi?user=UNhere&pwd=PWhere&resolution32=&rate=0" />
<param name="volume" value="50" />
<param name="autoplay" value="false" />
<param name="loop" value="false" />
<param name="fullscreen" value="false" />
</object>
<![endif]-->
<!--[if !IE]><!-->
<object type="application/x-vlc-plugin" pluginspage="http://www.videolan.org"
version="VideoLAN.VLCPlugin.2" id="vlc" width="720px" height="540px" events="True" >
<param name="MRL" value="http://192.168.1.99:99/videostream.cgi?user=UNhere&pwd=PWhere&resolution32=&rate=0" />
<param name="volume" value="50" />
<param name="autoplay" value="false" />
<param name="loop" value="false" />
<param name="fullscreen" value="false" />
</object>
<!--<![endif]-->
</div>
<br />
</div>
<iframe name="action_zone" style="display:none"></iframe>
<div id="controls">
<input type="button" onclick="play()" value="Play" />
<input type="button" onclick="pause()" value="Pause" />
<input type="button" onclick="stop()" value="Stop" />
<input type="button" onclick="mute()" value="Mute" />
</div>
</body>
</html>
Now if I load up that page using IE9 it asks me to enable blocked content, and once I do I can play the stream just fine with the page above. However, loading the same page using the webbrowser1 control in VB.NET results in nothing being played and no permission prompt.
So my question is: how can I reproduce the same results as loading it in IE9 standalone in my VB.NET app? I just don't get what it's doing wrong in .NET vs. the standalone IE9.
I've enabled every ActiveX/script/Java option in the Internet Options that I know how to, and it still produces nothing in the .NET app.
Here is a screen shot with it inside IE9 standalone:
Here is the .net version of the same page:
Any help would be great!
David
The Query:
<Where>
<Eq>
<FieldRef Name='Document Type' LookupId='True' />
<Value Type='Text'>Standards(STA)</Value>
</Eq>
</Where>
<OrderBy>
<FieldRef Name='Number' Ascending='False'/>
</OrderBy>
<RowLimit>1</RowLimit>
Code Context:
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<%@ Import Namespace="System.IO" %>
<%@ Import Namespace="Microsoft.SharePoint" %>
<%@ Page Language="C#" inherits="Microsoft.SharePoint.WebPartPages.WebPartPage, Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register tagprefix="WebPartPages" namespace="Microsoft.SharePoint.WebPartPages" assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<%@ Register tagprefix="SharePoint" namespace="Microsoft.SharePoint.WebControls" assembly="Microsoft.SharePoint, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71e9bce111e9429c" %>
<html>
<head>
<meta name="WebPartPageExpansion" content="full" />
<meta name="ProgId" content="SharePoint.WebPartPage.Document" />
<script runat="server">
protected void sevak(object sender, EventArgs e)
{
string lastitem = null;
try
{
using (SPSite objSite = new SPSite("http://..."))
{
using (SPWeb objWeb = objSite.OpenWeb())
{
SPList objList = objWeb.Lists["...."];
SPQuery objQuery = new SPQuery();
objQuery.Query = "<Where><Eq><FieldRef Name='Document Type' LookupId='True' /> <Value Type='Text'>Standards(STA)</Value></Eq></Where><OrderBy><FieldRef Name='Number' Ascending='False'/></OrderBy>";
// A <RowLimit> element inside SPQuery.Query is ignored; the limit is a property of the query object.
objQuery.RowLimit = 1;
objQuery.Folder = objList.RootFolder;
SPListItemCollection colItems = objList.GetItems(objQuery);
if (colItems.Count > 0)
{
// Indexer, not (), and a string is needed for the label: the item's Title is assumed to be what was meant.
lastitem = colItems[0].Title;
}
else
{
Label1.Text = "noItem";
return;
}
}
}
}
catch (Exception ex)
{
// A void event handler cannot return the exception; show its message instead.
Label1.Text = ex.Message;
return;
}
Label1.Text = lastitem;
}
</script>
<SharePoint:CssLink runat="server"></SharePoint:CssLink>
<SharePoint:ScriptLink runat="server" language="javascript" name="core.js">
</SharePoint:ScriptLink>
</head>
<body>
<h1>T-Site</h1>
<form id="form1" runat="server" action="Page-2.aspx">
<p>
<asp:Button runat="server" Text="Submit" id="Button1" OnClick="sevak" ></asp:Button>
</p>
<p><asp:Label runat="server" id="Label1"></asp:Label></p>
</form>
</body>
</html>
I think the problem is the field reference "Document Type":
The FieldRef element expects the internal name of the referenced field. If the column "Document Type" was created via the UI, the internal name of this column is "Document_x0020_Type".
You specified LookupId="True", which causes a lookup against the ID of a lookup field, but you provided a text value. Depending on your field type you should either provide the numeric ID of the document type or omit the LookupId="True" part to query against the text of the lookup field.