Category Archives: Xss


VS10's Ajax Control Toolkit Does not work in the same way as in VS08. Help??

I am using Visual Studio 2010 Ultimate. The problem that I am facing is that when I drag a component such as the "AsyncFileUpload" control upon the designer, what I get instead of a textbox, as I used to get in VS08, is this chunk of code. I don't see the control working nor the bin folder which was a part of the VS08 Solution Explorer when you use Ajax.

I really don’t understand what to do with this code. This toolkit was by default present with the VS10 Ultimate Package. The code gets fully compiled but the screen is full of such codes. I am in the middle of completing an application and am stuck due to this. Please help as soon as possible.

Gracious,

Shiv Kumar.

Reset your visual studio 2010 ultimate settings and then it will work.

Cheers,

Jalpesh P. Vadgama

How can I actually do that…. I don’t know… ??

But I tried something else… I found Ajax Control Toolkit for .NET framework 4.0. I installed by creating a new tab and adding up the .dll file. As a result I got all the components as it used to be in VS08 and working all fine but the default library as in the set of tools that I was talking about went away…… Is that fine???

This is the link to the package I downloaded.

http://ajaxcontroltoolkit.codeplex.com/releases/view/43475#DownloadId=116534 

Kindly assist whether this is a proper toolkit that I am using. It is compatible with the AJAX Extensions ScriptManager. I suppose this should work fine…. please let me know if any issue exists & do tell how to reset VS10.

Thanks,

Regards,

Shiv

[RESOLVED]VS 2010 controlRenderingCompatibilityVersion Issue with LinkButton

Found an interesting little issue with the controlRenderingCompatibilityVersion in .NET 4.0 with the LinkButton. When targeting the 4.0 framework and setting controlRenderingCompatibilityVersion="3.5" the link button gets rendered as:

<a id="lbTest" href="javascript:__doPostBack(&#39;lbTest&#39;,&#39;&#39;)">Link Button Test</a>

When targeting the 3.5 framework, a link button gets rendered as:

<a id="lbTest" href="javascript:__doPostBack('lbTest','')">Link Button Test</a>

Interestingly enough, both render fine in IE and FF.  However, we put all our .NET apps into Oracle’s WCI, which cannot recognize the 4.0 rendering.

Anyone know how I can submit this for review to Microsoft?

Okay, this is much, much worse than just the link button.  Every control event that the framework converts to javascript has the encoding munged like this.  And it happens whether or not we are using controlRenderingCompatibilityVersion="3.5" or "4.0". 
Not sure if this is a bug or a new standard?

Drop Down List with "OnSelectedIndexChanged" event renders as:

<select name="ddlDropDown" onchange="javascript:setTimeout('__doPostBack('ddlDropDown','')', 0)" id="ddlDropDown">
<option selected="selected" value="1">One</option>
<option value="2">Two</option>
</select>

Button with "PostBackUrl" renders as:

<input type="submit" name="btnClear" value="Clear" onclick="javascript:WebForm_DoPostBackWithOptions(new WebForm_PostBackOptions(&quot;btnClear&quot;, &quot;&quot;, false, &quot;&quot;, &quot;default.aspx&quot;, false, false))" id="btnClear" />


I tried finding some way to use the control’s PreRender to replace the encoded characters, but you can only add attributes, not manipulate existing attributes (which is probably a good thing from a security perspective).

Regardless, for those of us stuck developing .NET apps for Oracle WCI, looks like we’re sticking with .NET 3.5 for the foreseeable future since Oracle WCI manipulates the "javascript:__doPostBack" (etc.).

I’m honestly not sure what the problem is. If you put this into an HTML file:

<a href="javascript:alert(&#39;Testing&#39;);">Click me!</a>

and click it, it does exactly what you’d expect it to do. The encoding of the HTML doesn’t matter to the Javascript execution engine, because by the time it gets down into Javascript, the browser will have decoded it.

The problem is that Oracle WCI expects it not to be encoded.  It goes through and manipulates all the javascript calls by updating the control IDs to match the IDs WCI assigns to the controls on the page.

I agree this works perfectly fine in any self-hosted .NET app.  However, all of our apps live as portlets inside Oracle WCI and this change to .NET 4.0 is a breaking change for us.

The official word from Oracle is that they do not currently support .NET 4.0 in the WCI platform and do not have a timeframe yet for supporting it.

You could use the new .NET 4 custom encoder feature, and write an encoder that doesn’t encode single quotes in attributes to replicate the 3.5 behavior. This should fix the problem until Oracle updates their software to be compliant.

For more information, see the HttpEncoder page at MSDN.

Thanks.  I’ll give that a try.

So, I have a working prototype using a custom encoder based off of the AntiXSS library in the WPL project (http://wpl.codeplex.com/).  I pulled down the source, then added to the white list the specific characters that Oracle WCI expects not to be encoded. 
Not sure if we’ll go with this or wait for Oracle to support 4.0.
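
The custom-encoder approach suggested in this thread, as an added example that is not code from the posters or from the WPL project: an `HttpEncoder` subclass that reproduces the 3.5 attribute encoding by leaving the apostrophe unescaped. The namespace, assembly and class names are hypothetical.

```csharp
using System;
using System.IO;
using System.Web.Util;

namespace PortalCompat  // hypothetical namespace and assembly name
{
    // Reproduces the ASP.NET 3.5 attribute encoding: only &, < and the double
    // quote are escaped, the apostrophe is written as-is. HtmlEncode, UrlEncode
    // and the other HttpEncoder methods are not overridden, so they keep the
    // 4.0 behaviour.
    //
    // Security consequence: an attribute value is only contained if the
    // attribute is delimited with double quotes. WebForms server controls
    // write double-quoted attributes, but hand-written markup such as
    //     <a title='<%= HttpUtility.HtmlAttributeEncode(x) %>'>
    // loses its protection under this encoder, so search the application for
    // single-quoted attributes before switching it on.
    public class LegacyAttributeEncoder : HttpEncoder
    {
        protected override void HtmlAttributeEncode(string value, TextWriter output)
        {
            if (output == null) throw new ArgumentNullException("output");
            if (string.IsNullOrEmpty(value)) return;

            foreach (char c in value)
            {
                switch (c)
                {
                    case '&': output.Write("&amp;"); break;
                    case '<': output.Write("&lt;"); break;
                    case '"': output.Write("&quot;"); break;
                    default: output.Write(c); break;   // includes the apostrophe
                }
            }
        }
    }
}

// Registration in web.config (.NET 4.0 and later):
//   <system.web>
//     <httpRuntime encoderType="PortalCompat.LegacyAttributeEncoder, PortalCompat" />
//   </system.web>
```

The encoder is application-wide, so it is best limited to the applications that actually run behind the portal and removed once the portal handles the encoded form.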

Adding HtmlAgilityPackSanitizerProvider

I am having trouble with adding the required text to the web.config file for the HtmlAgilityPackSanitizerProvider.

Even when I open the sample site from the toolkit in Visual Web Developer I get an error.
The element ‘system.web’ has an invalid child element ‘sanitizer’.
Not sure how to get this to work. 

This is the section of the toolkit sample site:
<configuration>
<configSections>
<sectionGroup name="system.web">
<section name="sanitizer" requirePermission="false"
type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit" />
</sectionGroup>
</configSections>
<appSettings/>
<connectionStrings/>
<system.web>
<trust level="Full" />
<sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
<providers>
<add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"></add>
</providers>
</sanitizer>

I am also having this exact problem along with TonyLoco23 (on another post). This question is asked a lot in forums, but I have never found it answered.

The whole error is:

Warning 1 The element ‘system.web’ has invalid child element ‘sanitizer’. List of possible elements expected: ‘anonymousIdentification, authentication, authorization, browserCaps, clientTarget, compilation, customErrors, deployment, deviceFilters, fullTrustAssemblies,
globalization, healthMonitoring, hostingEnvironment, httpCookies, httpHandlers, httpModules, httpRuntime, identity, machineKey, membership, mobileControls, pages, partialTrustVisibleAssemblies, processModel, profile, roleManager, securityPolicy, sessionPageState,
sessionState, siteMap, trace, trust, urlMappings, webControls, webParts, webServices, xhtmlConformance, caching’. http://localhost/web.config 11 6 

And, as far as I can see, the people asking the questions post clean code that is easy to read, and the people attempting to answer them post cryptic code like they do not know how to cut and paste without the <div> garbage.

Here is another thread with the same issue that goes unanswered:

http://forums.asp.net/t/1739306.aspx/1

So far, I have built three different virtual machines (windows 7 on my work laptop, windows 7 on my home computer, windows server 2k8 r2 on my home computer) and I get the same exact issue every time whether it is HtmlAgilityPackSanitizerProvider or AntiXssSanitizerProvider.
That, and the fact that this question gets asked a lot, tells me that there might either be some new ‘bug’ or some assumed configuration change that old developers automatically know and new asp.net developers do not.

I get this error attempting to follow Stephen Walther’s blog post here:

http://stephenwalther.com/archive/2011/08/17/adding-the-new-html-editor-extender-to-a-web-forms.aspx

Can this be explained like I am 5?

 

 

The <system.web> element section group definition isn’t valid because the system web section group uses a type, which means it has an explicit definition.  You can’t include your custom config section in the <system.web>; put it in your own sectionGroup
or at the root level instead.  You don’t need to define a sectionGroup type, but can just simply use a name to group your custom sections.

http://forums.asp.net/t/1739306.aspx/1

 

It is not my config file, it is the sample one provided with the toolkit.

The sectionGroup part goes in the configuration section and works OK. It is the sanitizer part that is the problem. It does not work in system.web and as a new asp.net coder I and apparently a lot of others have no idea where to put the

<sanitizer defaultProvider="AntiXssSanitizerProvider">
	<providers>
		<add name="AntiXssSanitizerProvider"
			type="AjaxControlToolkit.Sanitizer.AntiXssSanitizerProvider"></add>
	</providers>
</sanitizer>
This gives the invalid child element error and I have no idea what to do about that.

Hello

This is an existing issue with the toolkit. I see you’ve created a track at

http://ajaxcontroltoolkit.codeplex.com/workitem/27236

For a workaround, you can also use this library to sanitize the user’s input at code behind,
http://htmlagilitypack.codeplex.com/releases/view/90925

I used NuGet to add the HtmlAgilityPack as you suggested but I STILL get the same error in the web.config file.

Here are the steps to duplicate the error: download the toolkit. Unzip the sample web site. Open the web.config file. The sanitizer is marked as an invalid child node in the config file.

I have the same problem. I have HTMLAgilitypack.dll in the Bin folder but when I add the required sections to the config file I get this:

 Description:
An error occurred during the processing of a configuration file required to service this request. Please review the specific error details below and modify your configuration file appropriately.

Parser Error Message: Unrecognized element ‘sanitizer’.
Source Error:

Line 63:     <compilation debug="true" strict="false" explicit="true" targetFramework="4.0">
Line 64:       <!-- Sanitizes for the HTML Editor Extender -->
Line 65: <sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
Line 66:         <providers>
Line 67:           <add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"></add>

Has this issue been resolved? 

I have the same issue as well.

  <system.web>
    <sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
      <providers>
        <add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider" />
      </providers>
    </sanitizer>

‘system.web’ has an invalid child element ‘sanitizer’.

Using Visual Studio 12/ .Net 4.5 – I updated AjaxControlToolKit 4.1.60919.0, HtmlAgilityPack 1.4.6.0, SanitizerProviders 1.0.0.0 using NuGet and installing using Package Manager Console. Newest and updated everything.

What else can be done? I hope this thread re-opens.

thanks!

[RESOLVED]Is there a way to install AjaxControlToolkit??

Ok, guys.

I’m trying to install AjaxControlToolkit to VS 2010 and I’m really tired…

1) Create new web application (net 4.0).

2) Type "PM> Install-Package AjaxControlToolkit"

3) Starting application:

"Sanitizer provider is not configured in the web.config file. If you are using the HtmlEditorExtender with a public website then please configure a Sanitizer provider. Otherwise, set the EnableSanitization property to false."


4) Adding this to the web.config:

<configuration>
<configSections>
  <sectionGroup name="system.web">
	<section name="sanitizer"
      requirePermission="false"
      type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection,
        AjaxControlToolkit"/>
      </sectionGroup>
</configSections>
<system.web>
	<compilation targetFramework="4.0" debug="true"/>
	<sanitizer defaultProvider="AntiXssSanitizerProvider">
		<providers>
			<add name="AntiXssSanitizerProvider"
            type="AjaxControlToolkit.Sanitizer.
              AntiXssSanitizerProvider"></add>
		</providers>
	</sanitizer>
</system.web>
</configuration>

5) Starting application:

"Could not load type ‘AjaxControlToolkit.Sanitizer.AntiXssSanitizerProvider’"


Ok, what’s the next?

Solved by using HtmlAgilityPack and changing web.config to the following content:

<configuration>
    <configSections>
        <sectionGroup name="system.web">
            <section name="sanitizer" requirePermission="false"
                     type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit" />
        </sectionGroup>
    </configSections>

    <system.web>
        <sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
            <providers>
                <add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"></add>
            </providers>
        </sanitizer>
      </system.web>
</configuration>

But that’s rather strange that this information is not provided on

http://www.asp.net/ajaxLibrary/AjaxControlToolkitSampleSite/Default.aspx

Thank you!

I have installed it few days ago, and here is everything you need

http://www.asp.net/ajaxlibrary/act.ashx

Good luck

You’re talking about installing toolbar.

I’ve tried this one: http://ajaxcontroltoolkit.codeplex.com/

"Visual Studio 2010 users, install the ASP.NET AJAX Control Toolkit in seconds via NuGet:"

But this code:

<asp:ToolkitScriptManager runat="Server" />
<asp:TextBox
        ID="txtComments"
        TextMode="MultiLine"
        Columns="60"
        Rows="8"
        runat="server" />
 
<asp:HtmlEditorExtender
        TargetControlID="txtComments"
        runat="server" />

doesn’t work without installing HtmlAgilityPack and editing web.config.

[RESOLVED]Rich Text Editor

I went through the documentation and looked at the asp.net/webmatrix pages but could not find a RichTextEditor.

Is there one built into WebMatrix or can I just use the AjaxToolkit Html Editor or another 3rd party editor?

Thanks,

TFish, Raleigh, NC 

I ain’t a pro in webmatrix so don’t know if something is really available there, however you can certainly use the ASP.Net Ajax Control Toolkit’s HTML editor or third party tools. Following is the link to HTML editor that you might be already knowing;

http://www.asp.net/ajax/ajaxcontroltoolkit/Samples/HTMLEditor/HTMLEditor.aspx

Thanks,

Anup 

 

Yup, nothing is included out of the box since there are so many 3rd party rich text boxes out there. There is one problem right now though when adding your own. Request validation will catch any markup that’s submitted through a form.

Add a web.config file to your app and put this in it…

<configuration>
    <system.web>
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</configuration>

Note that if you do this, it will set request validation back to the way it was in .NET 2.0, which knows nothing about cshtml or vbhtml files so it will effectively be turned off for the entire site so you’ll need to handle it yourself (like with the AntiXss Library).

The next version of ASP.NET Web Pages will have a way to turn it off on a page by page basis.

I recommend using CK Editor, which is a free Wysiwyg editor:

http://ckeditor.com/

It´s really good! :) 

Hi,

Just to be frank, I have never used anything other than tiny mce. You can definitely use it in your application, it’s free, customizable and of course very powerful.

For further details to know more about TinyMce, check this URL:

http://tinymce.moxiecode.com/

Thanks 

 

[RESOLVED]using the htmlEditorExtender safely – I can't protect vs XSS using the sanitizer they provide

I want to use the Ajax HTMLEditorExtender. The webpage on it strongly recommends protecting the website that uses this, from XSS (malicious scripting). So they say to modify the web.config as follows:

<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="sanitizer"
          requirePermission="false"
          type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection,
        AjaxControlToolkit"/>
    </sectionGroup>
  </configSections>
  
AND correspondingly:
    <system.web>
      <sanitizer defaultProvider="AntiXssSanitizerProvider">
        <providers>
          <add name="AntiXssSanitizerProvider"
                type="AjaxControlToolkit.Sanitizer.
              AntiXssSanitizerProvider"></add>
        </providers>
      </sanitizer>

 

 The problem is that the name "sanitizer" is not recognized (the part within System.web) even though the first part of the web.config creates a "section name" for it.

Is the documentation outdated? Thanks,

[RESOLVED]making html Editor extender control safe, without sanitizers

I was reading an article on the html Editor extender, which makes a textbox into an editor that produces html. It's perfect for my site, except for a few problems. First of all, my site is on a shared public server. This means I don’t have "full trust", which means that the safety against XSS (cross site scripting) can’t be put in. (The safety is a "sanitizer" dll that the control is connected to.) So my question is, can I capture the contents of the control in an ASP.net variable, then find some anti-XSS library on the net and apply it to the variable contents, and then store the processed html in a database, for later display on a webpage?

If not, is there a safer alternative to the extender?  For instance, there is an older ajax HTML Editor Control, but I don’t know that it is safer.

If you are using an HTML Editor, you’ll just need to ensure that you are properly encoding all of the values that are being submitted through a mechanism such as one of the HtmlEncode() methods.

If you really are concerned about XSS, there is an openly available library to help prevent it, but according to this article, if you have the latest version of the AJAX Html Extender Control through the AJAX Control Toolkit, then specific measures have been integrated to help curb XSS attacks.
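
One way to do what the question asks, cleaning the editor's HTML in code-behind before it is stored, using HtmlAgilityPack (the library linked earlier on this page) with a tag and attribute allowlist. This is an added example, not code from the toolkit or the posters; `EditorHtmlSanitizer` and the allowlist contents are hypothetical.

```csharp
using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using HtmlAgilityPack;

// Hypothetical code-behind helper. The allowlist is an assumption: trim it to
// what your editor toolbar can actually produce.
public static class EditorHtmlSanitizer
{
    static readonly string[] None = new string[0];

    // Tag -> attributes permitted on that tag. Anything not listed is not emitted.
    static readonly Dictionary<string, string[]> Allowed =
        new Dictionary<string, string[]>(StringComparer.OrdinalIgnoreCase)
        {
            { "p", None }, { "br", None }, { "div", None }, { "span", None },
            { "b", None }, { "strong", None }, { "i", None }, { "em", None },
            { "u", None }, { "ul", None }, { "ol", None }, { "li", None },
            { "blockquote", None },
            { "a", new[] { "href", "title" } }
        };

    // Removed together with their content; other unknown tags are only unwrapped.
    static readonly HashSet<string> DropWithContent =
        new HashSet<string>(StringComparer.OrdinalIgnoreCase)
        {
            "script", "style", "iframe", "object", "embed", "applet",
            "svg", "math", "template", "noscript", "textarea", "xmp"
        };

    public static string Sanitize(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html ?? string.Empty);
        Clean(doc.DocumentNode);
        return doc.DocumentNode.InnerHtml;
    }

    static void Clean(HtmlNode parent)
    {
        // Snapshot the children: the loop removes and unwraps nodes.
        foreach (HtmlNode node in parent.ChildNodes.ToList())
        {
            if (node.NodeType == HtmlNodeType.Text)
            {
                // Decode, then re-encode, so stray < > & can never be read as markup.
                var text = (HtmlTextNode)node;
                text.Text = HttpUtility.HtmlEncode(HtmlEntity.DeEntitize(text.Text ?? string.Empty));
                continue;
            }
            if (node.NodeType != HtmlNodeType.Element || DropWithContent.Contains(node.Name))
            {
                parent.RemoveChild(node);            // comments, <script>, <iframe>, ...
                continue;
            }

            Clean(node);                             // children first

            string[] attrs;
            if (!Allowed.TryGetValue(node.Name, out attrs))
            {
                parent.RemoveChild(node, true);      // unwrap: keep the cleaned children
                continue;
            }
            foreach (HtmlAttribute a in node.Attributes.ToList())
            {
                string value = HtmlEntity.DeEntitize(a.Value ?? string.Empty);
                bool keep = attrs.Contains(a.Name, StringComparer.OrdinalIgnoreCase)
                            && (!a.Name.Equals("href", StringComparison.OrdinalIgnoreCase)
                                || IsSafeUrl(value));
                if (!keep) { node.Attributes.Remove(a); continue; }

                // Re-emit the value double-quoted and freshly encoded.
                a.QuoteType = AttributeValueQuote.DoubleQuote;
                a.Value = HttpUtility.HtmlAttributeEncode(value);
            }
        }
    }

    // Relative URLs and http/https/mailto only. Whitespace and control
    // characters are stripped first because browsers ignore them in a scheme.
    static bool IsSafeUrl(string decoded)
    {
        string url = new string(decoded
            .Where(c => !char.IsControl(c) && !char.IsWhiteSpace(c)).ToArray());
        int colon = url.IndexOf(':');
        if (colon < 0) return true;                              // relative URL
        int delim = url.IndexOfAny(new[] { '/', '?', '#' });
        if (delim >= 0 && delim < colon) return true;            // colon is in path or query
        string scheme = url.Substring(0, colon).ToLowerInvariant();
        return scheme == "http" || scheme == "https" || scheme == "mailto";
    }
}
```

Call `EditorHtmlSanitizer.Sanitize(...)` on the posted value before it is stored or rendered. HtmlAgilityPack does not parse HTML exactly as browsers do, so keep the allowlist small and re-run the sanitizer whenever the allowlist changes.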

[RESOLVED]EnableSanitization removes all of the formatting

I am using HtmlEditorExtender latest version

http://www.asp.net/ajaxLibrary/AjaxControlToolkitSampleSite/HTMLEditorExtender/HTMLEditorExtender.aspx

I also enabled Sanitization

Here my webconfig

<sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
  <providers>
    <add name="HtmlAgilityPackSanitizerProvider" type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"/>
  </providers>
</sanitizer>

But it even removes

<br>

and it breaks whole formatting

What is the proper way of doing this ?

thank you

asp.net 4.5 c# 4.5

it is supposed to remove only dangerous things

Stephen Walther released a blog post discussing this topic and some of the changes related to the HtmlEditorExtender, which mentions that the newest version of the Cross-Site Scripting Library that is included within the extender is far too aggressive (and will remove basically any tag that even remotely resembles a threat, including <br> tags).

I’m not sure if there is currently a fix available (although a bug report has been filed) as this behavior is geared specifically for preventing XSS attacks, so this may or may not be working as intended. You may want to possibly consider looking for an alternate HTML editor, such as CKEditor or one of the numerous other HTML Editor options available.

Rion Williams

yes i read it and it does not provide any fix

so basically whole htmleditorextender is useless piece of software right now

so much wasted time

and still there is no fix

i did temporary fix via jquery

Sorry to hear that.

It is pretty odd that there is no method of handling how severe the sanitization for the library is, but I suppose that it is specifically geared to be an anti-XSS library so that is its primary concern.

[RESOLVED]Is it possible to use pages/files created in asp.net razor and asp.net webforms and combine them into a single web application/project?

Let's say you will make the CRUD routine in ASP.Net Razor since it is a lot faster to do this in razor and make the printing module of your application asp.net webforms. You will be combining pages or files created in asp.net razor and webforms into a single
web application/project, is this possible at all? How will you be able to retrieve the record(s) from asp.net razor page and retrieve and print them on asp.net webforms page?

Can you guys show how to do this, if it is at all possible. many thanks.

Hi,

I never did, but it seems possible, because I found a video which shows Mixing Razor Views and WebForms Master Pages with ASP.NET MVC 3

Scott Hanselman, ASP.NET MVC

Regards

bertolini_fab

You will be combining pages or files created in asp.net razor and webforms

Yes, this is possible. You will need to bin deploy some of the dll files which are responsible for WebPages and Razor – unless they already exist on the hosting server – but there is no reason why you cannot have .cshtml files (or even .vbhtml files) side
by side with .aspx files. The web forms page will be responsible for retrieving its own records, in traditional webforms ways – SqlDataSource, ObjectDataSource, plain ADO.NET… Off the top of my head, I’d even say it should be possible using the WebMatrix
Database helpers (although I haven’t tried). Of course, you can’t use Razor in a web form.

I did an article on using the WebPages Helpers in a web forms application. It illustrates .aspx and .cshtml files living in the same app and lists the dlls you might need:

http://www.mikesdotnetting.com/Article/162/Using-Web-Pages-Helpers-in-ASP.NET-Web-Forms

thanks for the info.

regards,