Basically I have an asp.net website with login and search pages.
Currently, I have no idea why, when ever a user hits enter in either of the login text boxes (user name/password) or in the Seach text box, the website is redirected to the default page.
I have no idea why this is happening, I've tried setting defaultButton on both the panel containing the search and the login panel but that doesnt seem to work.
I've also tried catching the key press event with javascript which isnt working either.
I have no idea what event is being fired and why, or why it seems to override everything I try to do.
Anyone seen anything like this before?
---------------Edit-------------------
<div class="searchBar" onkeypress="javascript:return
WebForm_FireDefaultButton(event,'ctl00_MainContent_logView1_LogRepeater_ctl02_lbSearch')">
<input name="ctl00$MainContent$logView1$LogRepeater$ctl02$ctl02" type="text" />
<a id="ctl00_MainContent_logView1_LogRepeater_ctl02_lbSearch" href="javascript:__doPostBack('ctl00$MainContent$logView1$LogRepeater$ctl02$lbSearch','')">
Search</a>
</div>
Ok so here is the code generated by ASP.net that is getting ignored.
---------------Update----------------
I have tried adding a hidden button and setting that button as the defaultbutton of the form and that has stoped it from redirecting to the default page each time but this does mean that pressing enter in a text box just reloads the page, which is better but still isnt Ideal.
This may not be an ASP.NET quirk as much as it is a web-browser quirk.
When you press enter in a single-line text field, the browser will submit the form to the action specified in the form tag.
ASP.NET "helpfully" creates a form tag just inside the body tag and puts all body elements inside it...
As far as I know, you can safely remove this form tag; the HTML specification allows fields outside of form tags for use in JavaScript/AJAX operations.
I have seen this behaviour before, it occurred when the first button on the form was the LoginControl. Everytime enter was pressed it would fire the click event for the login and essentially log the user out. Are you using the LoginControl?
In the end I had to add a hidden button before the login control. The hidden button didn't do anything but it prevented the LoginControl from executing.
I had this same problem once. We had a login form that worked fine when a user hit enter. Then at one point we added a search box/button in the menu bar at the top of the page. Suddenly when users would hit enter they would attempt to perform a search. I resolved it by setting the .DefaultButton of the Form for the page to my login button.
Related
I am trying to implement login and logout in asp.net(web forms). In my web form I have two pages namely Default and Main. From Default page when I login with username and password it redirects to the Main page. When I press back button it directly redirects to the default page. For this I copied javascript code to my default page
<script type = "text/javascript" >
function preventBack() { window.history.forward(); }
setTimeout("preventBack()", 0);
window.onunload = function () { null };
source from stackoverflow question
After login when I click on back button in my browser(chrome) first it shows the Default page and then it shows the Main page. i.e page blinks when I click the back button.
It shows main page successfully with the issue.
What should I implement to stop showing the Default page when I click on back button
Update:
<script type = "text/javascript" >
history.pushState(null, null, 'Default.aspx');
window.addEventListener('popstate', function (event) {
history.pushState(null, null, 'Default.aspx');
});
</script>
I placed this code in default page
There is one important thing that you ought to know here.
One cannot disable the browser back button functionality only thing that can be done is prevent it.
You can't, in anyway diasble that button. What you can however do, is to put some logic and prevent that button from doing what it is meant to do.
Now for the script that you have shown, it should serve fine and the other thing to try here is to put a mediator page between your default and main page. So when you login, the control will flow to mediator page and it will then redirect to main page. Now when the user presses back button on the main page, the control will flow to mediator page which will again redirect the user to his main page.
The effect will be the same as your script, but putting a page can help you write Session handling code and some server side checks if you want.
But one thing is sure, the browser back button will be as it is.
Hope this helps.
As Matt said you can't disagree the back behaviour. However you can check if the user is logged in and redirect them to the main page easily.
All you need to do is, on the default page check if the user is logged in, if they are then redirect them to the main page, this way even if the user clicks back, they will be taken back to the main page. And also the can go to the Default page after logging out.
Another way could be using location.replace("...."), which replace the existing document and user can't "go back" using back button as the page doesn't exist in the url history.
Src: https://developer.mozilla.org/en-US/docs/Web/API/Location/replace
I have a disturbing popup that breaks automation test. It is client side validation popup appended to a textfield that only takes number, if I input a text and click the submit button, the popup will suddenly appear and stop the test. How do I overcome this? Appreciate. It is the one having a yellowish bos with exclamation mark, that reads "Please enter a number". When I viewed the source of the page, I found nothing to reference on this popup.
Since you have mentioned it is not a pop up window I think switching the focus to the activeElement should be sufficient.
Driver.SwitchTo().ActiveElement();
The popup appears because the text you put in the input field of "Institution Code" is a letter (o) while it expects a number.
Basically, your script puts the number of the "Institution Code" into the Username field.
Try correcting the Strings that you send.
For negative tests, if you want to get rid of the popup, you need force the input value of the "Institution Code" to be a number and then trigger onBlur() event. This way, the validation would pass.
First, it's good idea to put also your testing code, because I think the main problem will be there. But If you would like to remove this yellow warning popup:
Add to your submit button attribute "formnovalidate"
f.e.:
<input type="submit" value="submit" formnovalidate />
This warning popup is native browser HTML5 validation invoked by submit action.
Reference:
https://www.w3.org/TR/html5/sec-forms.html#element-attrdef-form-novalidate
I'm making a simple website that lists files from a certain folder. If the user has admin rights, the user can delete files by clicking the "Delete" button.
In my .aspx file, I have the following code:
<asp:Button runat="server" Text="Delete" OnCommand="FileList_Delete"
CommandArgument='<%#Eval("FilePath")%>' Visible='<%CurrentUserIsAdmin()%>' />
So the button will not be rendered if CurrentUserIsAdmin() returns false.
The button is rendered like this:
<input type="submit" name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17" value="Delete" />
My question is: Can I be sure that this method is safe against a known-code attack if the user modifies the webpage client-side aiming to click this invisible button? Or do I have to take precautions in the code-behind and verify the user's rights in the button-clicked event?
Yes, setting a button's Visible property to false is enough to prevent its Click and Command events from being raised, as long as you don't turn off the default WebForms security features.
You can easily test this by temporarily adding an always-visible <input> element to your .aspx with the same name as the rendered <asp:Button>:
<input type="submit"
name="ctl00$ctl00$MainContent$LocalMainContent$FileList$ctrl0$ctl17"
value="Fake Delete" />
Click the fake Delete button when the real Delete button is invisible. You should get an "Invalid postback or callback argument. Event validation is enabled..." exception.
Important notes:
Don't set a button's Visible property to false within an if (!IsPostBack) block because it's possible for an attacker to bypass that check. See this answer for more information.
ASP.NET event validation must be enabled (which it is by default). So don't turn it off by adding EnableEventValidation="False" to the #Page directive or <pages enableEventValidation="false" /> to Web.config.
Never ever ever disable view state validation by adding EnableViewStateMac="False" to the #Page directive or <pages enableViewStateMac="false" /> to Web.config. This would allow an attacker to tamper with the hidden __EVENTVALIDATION field and do other nasty things.
If you choose a derive a custom Button server control from the standard Button control, make sure you add the [SupportsEventValidation] attribute to the derived class.
If you choose to create a custom Button server control from scratch, call RegisterForEventValidation and ValidateEvent in the appropriate places.
They simply won't see the button or even 'recieve' it. Your server will not generate any button code sent to the person.
You have to think of it this way. The user never sees any asp code or is able to process it. They only receive html. You can further ensure this by looking at the html and seeing what has been generated.
So in that regard you are safe.
My question is: can I be sure that this method is safe against known-code attack if user modifies the webpage client-side aiming to click this invisible button? Or I have to make precautions in CodeBehind and verify user rights in button clicked event?
I personally would also put another piece of code in the click event. Verifying that click comes from the user who is authorized to click that button.
What you could also do is to add a button from code behind as this (Assuming you are putting this button into a panel called pnlButtons):
Button btnDeleteList = new Button();
btnDeleteList.Text = "Delete List";
btnDeleteList.Click += btnDeleteList_Click;
pnlButtons.Controls.Add(btnDeleteList);
In other words, if user is Admin - add a button, if user is not an admin - do not add. In this case you do not have to play around with visibility.
hope this helps.
I need help in my asp.net project. I have a "Cancel" button on my page. But it does not work. I have a onclick-function that refers it to a specific page, but when i press it, it askes for validation in the boxes on that page. Whats the problem?
Just add this attribute
CausesValidation="False"
to you Cancel button server side control. This way when the cancel button gets clicked, it will not force validation for the values of your form and you will get what you want.
For further documentation on how this works, please refer to this link:
How to: Disable Validation for ASP.NET Server Controls
I have an Index.aspx with a button inside which that button will call a controller, doing some logic and returning to a PartialView control - let's named it PopUpPartialView.ascx (as a popup). So to make it clear, the popup windows(PopUpPartialView) actually stays ON the top of Index.aspx when user clicks on the button.
In PopUpPartialView.ascx, there is another button, that returns say a GenerateList and now the problem is - how do I pass the thing back to the same popup windows in PopUpPartialView.ascx on the top of Index.aspx as it was before? How should my controller codes look like?
Here's what I have on the return:
return PartialView("PopUpPartialView", GenerateList);
this clearly NOT working as what I want, because it doesn't point back to Index page. I was thinking perhaps to use ajax so that I could stay on that popup ascx page. Confused~~ Someone please guide me.
Thanks.
My advice is to use a plugin which handles all the popup plumbing for you.
My poison of choice is jqModal.
It's very easy to work with - essentially a hidden container on the page, and you can load contents in there either on the initial render, or on a click event via AJAX.
So in your example, you could handle the button event click, show the dialog and load the contents of your partial view into the hidden container.