The Web can be an evil place, especially if you're a Web Developer blissfully unaware of Cross Site Scripting (XSS) attacks. Even if you are aware of XSS in all of its insidious forms, it's extremely complex to deal with all the issues if you're taking user input and you're actually allowing users to post raw HTML into an application. I'm dealing with this again today in a Web application where legacy data contains raw HTML that has to be displayed and users ask for the ability to use raw HTML as input for listings. The first line of defense, of course, is: Just say no to HTML input from users. If you don't allow HTML input directly and use HTML encoding (HttpUtility.HtmlEncode() in .NET, or the standard ASP.NET MVC Razor output expression @Model.Content), you're fairly safe, at least from the HTML input provided. Both WebForms and Razor support HTML-encoded content, although Razor makes it the default. In Razor the default @ expression syntax, @Model.UserContent, automatically produces HTML-encoded content; you actually have to go out of your way to create raw HTML content (safe by default) using @Html.Raw() or the HtmlString class. In Web Forms (V4) you can...
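The difference between the encoded default and a raw passthrough, as an added C# example that is not code from the original post. It uses System.Net.WebUtility.HtmlEncode (available without the System.Web assembly) as a stand-in for HttpUtility.HtmlEncode; the method names RenderEncoded and RenderRaw and the sample input are constructed for the illustration and mirror what @Model.UserContent and @Html.Raw() do in a Razor view.

```csharp
// Added example (not from the original post): why HTML-encoding untrusted
// content neutralises script injection, and what a raw passthrough does instead.
using System;
using System.Net;

public static class OutputEncodingDemo
{
    // Stand-in for Razor's default @Model.UserContent: markup-significant
    // characters (< > & " ') become entities, so the browser renders them as text.
    public static string RenderEncoded(string userContent)
        => WebUtility.HtmlEncode(userContent);

    // Stand-in for @Html.Raw(Model.UserContent): the string is emitted untouched
    // and any markup inside it is interpreted by the browser.
    public static string RenderRaw(string userContent)
        => userContent;

    // Builds the fragment the page would actually emit for a listing entry.
    // allowRawHtml must be an explicit, deliberate choice (e.g. trusted legacy
    // data), never the default for user-supplied input.
    public static string RenderListing(string userContent, bool allowRawHtml)
        => allowRawHtml ? RenderRaw(userContent) : RenderEncoded(userContent);

    public static void Main()
    {
        // Constructed sample of hostile input a user might submit in a listing.
        string untrusted = "<script>alert('xss')</script>";

        Console.WriteLine("Encoded (safe default): " + RenderListing(untrusted, allowRawHtml: false));
        Console.WriteLine("Raw (opt-in only):      " + RenderListing(untrusted, allowRawHtml: true));
    }
}
```

The encoded output contains no `<` or `>` characters, so the markup shows up on the page as literal text; the raw output is exactly what the user typed and would execute in the visitor's browser, which is why the raw path should be reachable only for content you already trust.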
Readers, I have been blogging rather less lately but am really working on bouncing back soon. Meanwhile, I am speaking at the Great Indian Developer Summit (GIDS) 2012 on Windows Azure Access Control Service Usage Patterns. My session is on 17th April, 10 a.m. IST. In fact, this is my 4th presentation at the GIDS conference, having presented [...]
This coming Monday (April 16th) I'm doing another online LIDNUG session. The talk will be from 10am to 11:30am (Pacific Time). I do these talks a few times a year and they tend to be pretty fun. Attendees can ask me any questions they want, and listen to me answer them live via LiveMeeting. We usually end up having some really good discussions on a wide variety of topics. Any topic or question is fair game. You can learn more and register to attend the online event for free here. I'll update this post with a download link to a recorded audio version of the talk after the event is over. Hope to get a chance to chat with some of you there! Scott

P.S. In addition to blogging, I am also now using Twitter for quick updates and to share links. Follow me at: twitter.com/scottgu...
This post is a small cry for help, along with an explanation of a problem that is hard to describe on Twitter or even in a Connect bug, written in the hope that somebody has seen this before and has ideas on what might cause it. Lots of helpful people had comments on Twitter for me, but they all assumed that the code doesn't run, which is not the case: it's a designer issue. A few days ago I started getting some odd problems in my MVC 4 designer for an app I've been working on for the past 2 weeks. Basically the MVC 4 Razor designer keeps showing me errors about the call signature to various Html Helper methods being incorrect. It also complains about the ViewBag object not supporting dynamic, requesting to load assemblies into the project. Here's what the designer errors look like: You can see the red error underlines under the ViewBag and an Html Helper I plopped in at the top to demonstrate the behavior. Basically any HtmlHelper I'm accessing is showing the same errors. Note that the code *runs just fine*; it's just the designer that is complaining with errors...
If you are one of those users who use the command prompt frequently, then below are different ways to open the Command Prompt in Windows 8. Different ways to open the Command Prompt in the Windows 8 Metro UI: 1. Press the Windows Key + R and type cmd in the "Run" [...]
- How to Retrieve Phone Number from Contacts in WP7 using the PhoneNumberChooserTask?
- Friday 13th High Noon – An early BETA of the Branching Guide is released - Visual Studio ALM + Team Foundation Server Blog - Site Home - MSDN Blogs
- Acceptance Testing UI using Visual Studio 2010 Microsoft Test Manager and Fit style tables - Visual Studio ALM + Team Foundation Server Blog - Site Home - MSDN Blogs
- Generated AssemblyVersion for NuGet package on TFS Build