Why is AntiXss Library not working with Eval()? - c#

I am working on a simple ASP.NET application to prove the use of AntiXss library. The library is very powerful and it is working fine with me except with Eval() in aspx pages. For example, if I have a label control like the following:
<asp:Label runat="server" ID="CommentsLabel" Text='<%# Eval("Name") %>' />
How will I be able to use AntiXss with it?
I followed this example mentioned HERE, and I added the library to the label control by doing the following:
<asp:Label runat="server" ID="CommentsLabel" Text='<%#Microsoft.Security.Application.AntiXss.HtmlEncode(((System.Data.DataRowView)Container.DataItem)["Comments"].ToString()) %>'/>
And my instructor is still telling me it is vulnerable and I don't know why. Then, instead of using AntiXss.HtmlEncode(), I used Encoder.HtmlEncode() in the previous line:
<asp:Label runat="server" ID="CommentsLabel" Text='<%#Microsoft.Security.Application.Encoder.HtmlEncode(((System.Data.DataRowView)Container.DataItem)["Comments"].ToString()) %>'/>
EDIT:
And based on the scanning tool my instructor is using, he is still telling me that it is vulnerable. So how do I use this library with Eval or data binding in general?
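A complete single-file page, added here as an example (it is not the asker's code or part of the AntiXSS library), showing the pattern the question is reaching for: a Label's Text property is written into the response exactly as given, so the encode has to happen in the binding expression. The page keeps the encoder call in one code-behind helper (SafeHtml, a name chosen for this example) so that every `Eval` in the markup can be audited by a reviewer with a single search. The Repeater, the sample rows and the `<b>`/`<script>` strings are constructed here; the page assumes the AntiXSS assembly (Microsoft.Security.Application) is referenced from the bin folder, as in the question.

```aspx
<%@ Page Language="C#" AutoEventWireup="true" %>
<%@ Import Namespace="System.Collections.Generic" %>
<%@ Import Namespace="Microsoft.Security.Application" %>
<script runat="server">
    // Constructed sample rows. The second row carries markup so that the
    // effect of the encoder is visible when viewing the rendered page source.
    private class Comment
    {
        public string Name { get; set; }
        public string Text { get; set; }
    }

    // Helper called from the data-binding expressions below. Keeping the
    // encoder call here means the markup only ever binds to SafeHtml(...),
    // and a null column value becomes an empty string instead of an exception.
    protected string SafeHtml(object value)
    {
        return Encoder.HtmlEncode(Convert.ToString(value));
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (IsPostBack) return;
        CommentsRepeater.DataSource = new List<Comment>
        {
            new Comment { Name = "alice", Text = "Looks good to me" },
            new Comment { Name = "<b>bob</b>", Text = "<script>alert('x')</script>" }
        };
        CommentsRepeater.DataBind();
    }
</script>
<html>
<body>
<form runat="server">
<asp:Repeater ID="CommentsRepeater" runat="server">
  <ItemTemplate>
    <p>
      <%-- Each Eval() result passes through the helper before it reaches Text --%>
      <asp:Label runat="server" ID="NameLabel" Text='<%# SafeHtml(Eval("Name")) %>' />:
      <asp:Label runat="server" ID="CommentsLabel" Text='<%# SafeHtml(Eval("Text")) %>' />
    </p>
  </ItemTemplate>
</asp:Repeater>
</form>
</body>
</html>
```

To check the result the way a scanner would, request the page and look at the raw response rather than the rendered browser view: the second row's angle brackets should arrive as `&lt;` and `&gt;`, and no `<script>` element should appear in the source. The same helper can be reused with the `Container.DataItem` cast from the question; on ASP.NET 4.5 and later the `<%#: Eval("Text") %>` binding form encodes the value itself and can replace the helper, but it does not parse on earlier versions, so it is left out of the page above.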

Related

unable to bind data to label inside repeater

My code is like this
<asp:Repeater ID="rptEvaluationInfo" runat="server">
<ItemTemplate>
<asp:Label runat="server" Id="lblCampCode" Text="<%#Eval("CampCode") %>"></asp:Label>
</ItemTemplate>
</asp:Repeater>
Everything looks okay to me, but it generates an error at runtime. When I remove this part
Text="<%#Eval("CampCode") %>"
error goes.
So I assume the issue is with databinding. So I tried an alternative like this
<asp:Repeater ID="Repeater1" runat="server">
<ItemTemplate>
<label><%#Eval("CampCode") %> </label>
</ItemTemplate>
</asp:Repeater>
And it also works well. Can anyone tell me what the issue is with my first code?
Note: I don't have access to the error message due to special reasons on my project; that's why I have not posted it here. And I want to use ASP controls themselves in this case; that's why I haven't gone with my second solution.
The problem is with quotes. Currently you have double quotes everywhere, so ASP.NET is not able to parse this. Change outer ones to single quotes like this:
Text='<%#Eval("CampCode") %>'

error in the gridview control

I have a GridView with the columns defined as below.
When I run the program I get the error:
Literal content is not allowed within a System.Web.UI.WebControls.DataControlFieldCollection
<Columns>
<asp:CommandField ButtonType="Image"
ControlStyle-Height="20"
ControlStyle-Width="30"
SelectImageUrl="tar.png"
SelectText="Select"
ShowSelectButton="true"/>
<asp:TemplateField HeaderText="Target Date">
<EditItemTemplate>
<asp:TextBox ID="TextBox1" runat="server"
Text='<%# Bind("tar_date") %>'>
</asp:TextBox>
</EditItemTemplate>
<ItemTemplate>
<asp:Label ID="lbl1" runat="server"
Text='<%# Bind("tar_date") %>'>
</asp:Label>
</ItemTemplate>
<ItemStyle HorizontalAlign="Right" />
</asp:TemplateField>
</Columns>
Can anyone help me solve this?
Nothing seems to be wrong with your markup.
The only thing I would recommend is ending the Label control immediately and trying it again.
<asp:Label ID="lbl1" runat="server" Text='<%# Bind("tar_date") %>' />
// OR
<asp:Label ID="lbl1" runat="server" Text='<%# Bind("tar_date") %>'></asp:Label>
In the past I have seen issues when Tab, or some unintentional characters come in between some of the templated controls. Check if you have any such characters by redoing every line from scratch.
This question is a little old, but for the others who encounter this problem:
This problem can be caused by not putting white space between properties. For example:
<asp:TextBox ID="TextBox1" runat="server"Text='<%# Bind("tar_date") %>'> </asp:TextBox> //wrong (no space before Text)
This was such a frustrating error to run into. I wasted about 4 hours on this and there are surprisingly few resources I could find on Google to help me troubleshoot it. I was updating a legacy application, so the intricacies of a GridView were a bit hazy since I haven't created one from scratch in a while.
At the end of it, the fix was a result of a suggestion by Raja to rewrite the control. Visual Studio wasn't highlighting a very important issue and the ambiguous nature of the error message had me looking at the wrong grid columns. Despite the error pointing to an issue with the TemplateField, the issue for me was actually in a BoundField.
During a conversion from Telerik RadGrid to GridView, the BoundField control had an orphaned <ItemStyle> tag nested inside of it, but the BoundField control doesn't allow this.
Visually, you wouldn't know or even suspect this, unless you have recent familiarity with GridView. You couldn't run into it by debugging. Visual Studio and the compiler were not reporting this either. So troubleshooting it was a beast.
The thing that worked was rewriting the grid, line-by-line. Thanks, Raja!
The autocomplete feature in Visual Studio wouldn't let me close the BoundField control to add any other tag/control of any kind. This is when I finally realized where the issue was.
I hope this helps another unlucky Googler. :)

Setting 'codebehind' properties from within markup on ASP.NET Web Forms

Placing the following code inside the 'markup' section on a web form does not work.
Have I messed the syntax up or is something like this not possible on 'server side' controls?
<asp:TextBox runat="server" ID="txt" Text='<%#System.Configuration.ConfigurationManager.AppSettings["foo"] %>' />
Use a $ expression.
<asp:TextBox
runat="server"
ID="txt"
Text='<%$ AppSettings: foo %>' />

Insert and Edit Template show in Devexpress in aspxGridview

In Insert mode I want to show one kind of template, and in Edit mode I want to show another kind of template, in the DevExpress control in C#.NET.
This can be implemented using the following approach:
You should define the EditFormTemplate so that it contains a different set of editors for the Insert and Edit functionality. Handle the HtmlRowCreated event to hide non required editors based on the ASPxGridView's IsNewRowEditing property value.
Check out the sample project on this issue which demonstrates the solution based on user controls and binding expressions. In this solution, the EditForm template contains two user controls with the Visible property bound to the ASPxGridView.IsNewRowEditing property:
<uc1:Edit id="Edit1" runat="server" Visible="<%# !Container.Grid.IsNewRowEditing %>"></uc1:Edit>
<uc2:Insert id="Insert1" runat="server" Visible="<%# Container.Grid.IsNewRowEditing %>"></uc2:Insert>
Btw, this issue might also be helpful. If you need more help, please contact the DevExpress support team here.
Use an ASP template field and individual item templates inside your gridview
<asp:TemplateField HeaderText="test">
<ItemTemplate>
test
</ItemTemplate>
<EditItemTemplate>
<asp:TextBox Text="test" runat="server"/>
</EditItemTemplate>
</asp:TemplateField>
I did the above from memory. Here's a link to an example I found as well:
http://programming.top54u.com/post/ASP-Net-GridView-Edit-ItemTemplate-Mode.aspx

How do I programmatically set property of control in aspx file?

This may be a very dumb question but I can't seem to get it working. In many places I use the following syntax for dynamically binding a property of a control in an aspx file to a resource entry, e.g.
<SomeFunnyControl Text="<%$ Resources : ResClass, ResEntry %>" />
I want to do a similar thing with a class containing some constants, something like
<SomeFunnyControl Text="<%= MyConstantsClass.MyStringConstant %>" />
But this doesn't seem to work, it simply sets the text to the exact expression without evaluating it. I am using ASP.NET 3.5 btw.
I have tried the databinding approach but I get an HttpParseException saying
Databinding expressions are only supported on objects that have a DataBinding event.
This article: The CodeExpressionBuilder might be interesting/helpful (although written for ASP.NET 2.0).
It seems to enable you to write ... Text="<%$ Code: DateTime.Now %>" .... That might help, no? It is quite a bit of overhead, though.
Your code should look like this:
<asp:Label ID="lblMyStringConstant" runat="server" Text='<%# MyConstantsClass.MyStringConstant %>'></asp:Label>
You also need to call DataBinding on that control, like this:
lblMyStringConstant.DataBind();
(It is not necessary if you are calling DataBind on entire Page or parent container of this label, because it will call DataBind for all its children)
<asp:Label ID="lbl" Text="<%# SomeText %>" runat="server" />
Then call lbl.DataBind(); or databind some container of the label.
If you have it like this it should work actually:
public static class MyConstantsClass
{
public static string MyStringConstant = "Hello World!";
}
or alternatively
public class MyConstantsClass
{
public const string MyStringConstant = "Hello World!";
}
If you declare it like
<asp:Label ID="Label1" runat="server" Text="<%= MyNamespace.MyConstantsClass.MyStringConstant %>"></asp:Label>
it won't work and the output will be "<%= MyNamespace.MyConstantsClass.MyStringConstant %>".
What you could do alternatively is to write it like this:
<asp:Label ID="lblTest" runat="server"><%= MyNamespace.MyConstantsClass.MyStringConstant %></asp:Label>
This works perfectly for me, but note you have to provide the fully qualified namespace to your class in the ASPX definition. At least otherwise it didn't work for me.
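The answers above explain what happens with `<%= %>` and `<%# %>`; the `<%$ %>` form mentioned earlier in the thread (the CodeExpressionBuilder article) works differently, and a minimal custom expression builder, added here as an example that is not from the question, the answers or that article, shows why. The page parser hands everything after the prefix to a registered ExpressionBuilder at page-compile time, and the builder returns a CodeDom expression that is compiled into the page class, so the value is resolved without DataBind() and without placing the expression in the control's content. The `Const` prefix, the ConstExpressionBuilder class and the web.config registration shown in the comments are assumptions chosen for this example; MyNamespace.MyConstantsClass is taken from the question. The file belongs in App_Code (or a referenced assembly), not in the page itself.

```csharp
using System.CodeDom;
using System.Web.Compilation;
using System.Web.UI;

namespace MyNamespace
{
    // The constants class from the question; a const or a public static field both work.
    public static class MyConstantsClass
    {
        public const string MyStringConstant = "Hello World!";
    }

    // Resolves <%$ Const: MyStringConstant %> while the page is being compiled.
    // "Const" is a prefix chosen for this example; it must be registered in web.config:
    //   <system.web>
    //     <compilation>
    //       <expressionBuilders>
    //         <add expressionPrefix="Const" type="MyNamespace.ConstExpressionBuilder" />
    //       </expressionBuilders>
    //     </compilation>
    //   </system.web>
    // Markup usage (no DataBind() call needed):
    //   <asp:Label ID="Label1" runat="server" Text="<%$ Const: MyStringConstant %>" />
    [ExpressionPrefix("Const")]
    public class ConstExpressionBuilder : ExpressionBuilder
    {
        public override CodeExpression GetCodeExpression(BoundPropertyEntry entry,
                                                         object parsedData,
                                                         ExpressionBuilderContext context)
        {
            // entry.Expression is the text after "Const:" in the markup. Emitting a
            // field reference means a misspelled constant name fails when the page
            // compiles rather than silently rendering the expression text.
            string member = entry.Expression.Trim();
            return new CodeFieldReferenceExpression(
                new CodeTypeReferenceExpression(typeof(MyConstantsClass)), member);
        }
    }
}
```

Because the builder is evaluated at compile time, the generated page code contains a direct reference to `MyConstantsClass.MyStringConstant`; this is also why the fully qualified namespace matters in the markup for the `<%= %>` approach but is supplied once, inside the builder, here.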
