James Saville wrote:
But hopefully, by the time IIS6 comes out, you won't be using VBscript
Didn't they say something similar about COBOL once?
Thanks for the lockdown stuff BTW, never heard of it but am sure to try it out now.
Paul Watson wrote:
Thanks for the lockdown stuff BTW, never heard of it but am sure to try it out now.
I think that is the same thing that says if your webserver is connected to a network port, it is not safe. DOPE!
"There are no stupid question's, just stupid people."
I am considering buying an editor control for a web project I am doing that will allow people to post text to a site and format it using HTML. I know how hazardous this can be if someone places a nasty javascript tag or something in the message, that's why I am asking this here.
I want to allow the formatting tags (bold, ul, lists, tables, etc...) but strip out all the tags that can cause troubles (i.e. Javascript and vbscript).
Does anyone have a good listing of what I would have to strip out before I store the text?
Also, this has more to do with the actual storage... Does anyone have a list of the characters that I have to watch out for that can give SQL a headache? I know about '"' already but are there any others that I will need to escape?
I tend to allow people to use tags like [b][/b] for bold rather than <b></b>. If they enter HTML-looking tags then it gets converted to use lt/gt tags.
The basic tags I allow are headers, bold, italic, underline. I also allow [link *url*], [mail *url*] and [font *face* *color* *size*] (I keep meaning to improve this last one so that you don't need to enter face and color to change the size but I haven't done it yet).
I also replace line feeds with "<br>", except after a header close and translate ampersand, less than, greater than, pound and quote.
Here's some C# code... it's far from perfect coding (serious lack of comments for one thing and I didn't know about Regex when I wrote this - in fact it was adopted quickly from an old VBScript where RegEx wasn't an option) but it works and you can fiddle it to your needs.
private string Format2Html(string Formatted)
{
    string[] hdrTags = { "h1", "h2", "h3", "h4", "h5" };
    string[] nmlTags = { "b", "i", "u", "center" };
    // [tag] name, HTML element, then one attribute template per argument ('%' is replaced by the argument)
    string[][] splTags = { new string[] { "link", "a", "href=\"%\"" },
                           new string[] { "mail", "a", "href=\"mailto:%\"" },
                           new string[] { "font", "font", "face=\"%\"", "color=\"%\"", "size=\"%\"" } };
    // Escape everything HTML could interpret before any [tag] is translated
    string rtn = Formatted.Replace("&", "&amp;").
        Replace("<", "&lt;").
        Replace(">", "&gt;").
        Replace("£", "&pound;").
        Replace("\"", "&quot;").
        Replace(Environment.NewLine, "<br>" + Environment.NewLine);
    int next = 0, start = 0;
    for (start = rtn.IndexOf('['); start > -1; start = rtn.IndexOf('[', start + 1))
    {
        string replacement = "";
        next = rtn.IndexOf('[', start + 1);
        int end = rtn.IndexOf(']', start + 1);
        if (end == -1) end = rtn.Length - 1;
        if (end > next && next > -1) end = next;   // an unclosed '[' stops at the next '['
        int length = (end - start) + 1;
        string tag = rtn.Substring(start, length).TrimEnd(']').TrimStart('[').Trim(' ');
        string[] tkn = tag.Split(' ', ',');
        for (int i = 0; i < hdrTags.Length; i++)
        {
            if (hdrTags[i] == tkn[0])
            {
                replacement = "<" + hdrTags[i] + ">";
            }
            else if (hdrTags[i] == tkn[0].TrimStart('/'))
            {
                replacement = "</" + hdrTags[i] + ">";
                // Swallow the <br> after a header close (guarded so a tag at the very end can't overrun the string)
                if (end + 5 <= rtn.Length && rtn.Substring(end + 1, 4) == "<br>") end += 4;
            }
        }
        for (int i = 0; i < nmlTags.Length; i++)
        {
            if (nmlTags[i] == tkn[0])
            {
                replacement = "<" + nmlTags[i] + ">";
            }
            else if (nmlTags[i] == tkn[0].TrimStart('/'))
            {
                replacement = "</" + nmlTags[i] + ">";
            }
        }
        for (int i = 0; i < splTags.Length; i++)
        {
            if (splTags[i][0] == tkn[0])
            {
                replacement = "<" + splTags[i][1];
                // Arguments are already entity-escaped, so they cannot break out of the quoted
                // attribute; note that the URL scheme itself is not checked here.
                for (int j = 1, k = 2; (j < tkn.Length) && (k < splTags[i].Length); j++, k++)
                {
                    while (j < tkn.Length && tkn[j].Length == 0) j++;   // skip empty tokens from double spaces
                    if (j >= tkn.Length) break;
                    replacement += " " + splTags[i][k].Replace("%", tkn[j]);
                }
                replacement += ">";
            }
            else if (splTags[i][0] == tkn[0].TrimStart('/'))
            {
                replacement = "</" + splTags[i][1] + ">";
            }
        }
        if (replacement.Length > 0)
            rtn = rtn.Remove(start, (end - start) + 1).Insert(start, replacement);
    }
    return rtn;
}
HTH
Paul
Why don't you take a good look at yourself and describe what you see - Led Zeppelin, Misty Mountain Hop
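The same escape-first, allow-list idea as an added example (not Paul's code and not from the original thread): the whole post is entity-escaped before any [tag] is looked at, only known tags become HTML, closing tags are balanced, and [link]/[mail] targets are accepted only with an http(s) or mailto scheme. The tag set, class and method names are assumptions for this example.

```csharp
using System;
using System.Collections.Generic;
using System.Text.RegularExpressions;

public static class SafeFormatter
{
    // HTML element for each allowed [tag]; link and mail both become <a>.
    static readonly Dictionary<string, string> Tags = new Dictionary<string, string>
    {
        { "b", "b" }, { "i", "i" }, { "u", "u" }, { "h1", "h1" }, { "h2", "h2" },
        { "link", "a" }, { "mail", "a" }
    };
    // [name], [/name] or [name argument]; the argument runs to the first ']'.
    static readonly Regex TagRe = new Regex(@"\[(/?)([a-z0-9]+)(?:\s+([^\]]*))?\]", RegexOptions.IgnoreCase);

    // Step 1: neutralise every character HTML or an attribute could interpret,
    // so a later [link ...] argument can never break out of its href="...".
    public static string Escape(string s)
    {
        return s.Replace("&", "&amp;").Replace("<", "&lt;").Replace(">", "&gt;")
                .Replace("\"", "&quot;").Replace("'", "&#39;");
    }

    public static string ToHtml(string input)
    {
        var open = new Stack<string>();   // elements still waiting for their closing tag
        string html = TagRe.Replace(Escape(input), m =>
        {
            bool closing = m.Groups[1].Value == "/";
            string name = m.Groups[2].Value.ToLowerInvariant();
            string arg = m.Groups[3].Value.Trim();
            string element;
            if (!Tags.TryGetValue(name, out element)) return m.Value;   // unknown tag stays literal text
            if (closing)
            {
                // Only close what is actually open; a stray [/b] stays as text.
                if (open.Count > 0 && open.Peek() == element) { open.Pop(); return "</" + element + ">"; }
                return m.Value;
            }
            if (element != "a") { open.Push(element); return "<" + element + ">"; }
            // Step 2: escaping blocks attribute injection but not a harmful URL scheme,
            // so only http(s) and mailto targets become links; anything else stays text.
            string href = name == "mail" ? "mailto:" + arg : arg;
            if (!Regex.IsMatch(href, @"^(https?://|mailto:)\S+$", RegexOptions.IgnoreCase)) return m.Value;
            open.Push("a");
            return "<a href=\"" + href + "\">";
        });
        while (open.Count > 0) html += "</" + open.Pop() + ">";   // close anything left open
        return html.Replace("\r\n", "\n").Replace("\n", "<br>\n");
    }
}
```

SafeFormatter.ToHtml(post) returns the HTML to store or render; because the escape happens before tag translation, the only markup in the output is what the allow-list produced.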
C# code to remove HTML tags:
System.Text.RegularExpressions.Regex r = new System.Text.RegularExpressions.Regex(@"<[^>]*>|</[^>]*>");
s = r.Replace(s, "");   // Replace returns the stripped string; s itself is not modified in place
Daniel Turini wrote:
"<[^>]*>|</[^>]*>"
God don't those RegEx patterns make your eyes bleed? RegEx pattern builders are a must IMO.
Thanks for the pattern BTW, quite a useful one.
UGH! But all I want to do is remove things like ... as well as any of the inline code that can be inserted.
I assume that I could just do a regex.replace on all the ... stuff, but then I have to deal with all the inline code as well...
The other problem I see is what happens if someone wants to post code (in a ... block) that I would want to leave...
UGH!
Regular expressions are the way to go. You need to escape all script, object, applet, embed and param tags, and remove any event handlers on other tags.
using System.Text.RegularExpressions;
...
static bool IsLikeRe(string src, string pattern)
{
    return Regex.IsMatch(src, pattern,
        RegexOptions.IgnoreCase | RegexOptions.Singleline);
}
static string ReReplace(string src, string pattern, string replace)
{
    return Regex.Replace(src, pattern, replace,
        RegexOptions.IgnoreCase | RegexOptions.Singleline);
}
// Repeat until the pattern no longer matches (e.g. a tag carrying several event handlers)
static string ReReplaceAll(string src, string pattern, string replace)
{
    string ret = src;
    while (IsLikeRe(ret, pattern))
        ret = ReReplace(ret, pattern, replace);
    return ret;
}
static string StripScript(string html)
{
    // Escape the angle brackets of script/object/applet/embed/param tags so they render as text.
    // The quantifier is lazy (.*?) so a match ends at the first '>' rather than the last one in the document.
    string res = ReReplaceAll(html, "<script(.*?)>", "&lt;script$1&gt;");
    res = ReReplaceAll(res, "</script(.*?)>", "&lt;/script$1&gt;");
    res = ReReplaceAll(res, "<(object|applet|embed|param)([^>]*)>",
        "&lt;$1$2&gt;");
    res = ReReplaceAll(res, "</(object|applet|embed|param)([^>]*)>",
        "&lt;/$1$2&gt;");
    // Drop quoted on...="..." event-handler attributes from any remaining tag
    res = ReReplaceAll(res,
        @"<([^>]+?)\son(?:[^>]+?)=(['""])(?:[^>]+?)\2([^>]*?)>",
        "<$1$3>");
    return res;
}
In an asp file,
First the following in the html head section:
<% if request.querystring("action") = "postupload" and bError = False then %>
<META HTTP-EQUIV="refresh" content="1;URL=<%=sValidatedBaseURL%>/thread-view.asp?threadid=<%=iThreadID%>">
<% end if %>
second in the body section:
<% if not ( request.querystring("action") = "postupload" and bError = False ) then %>
<div align="center"><a href="<%=sValidatedBaseURL%>/thread-view.asp?threadid=<%=iThreadID%>"><img src="<%=sValidatedBaseURL%>/images/back-button.gif" border="0"></a></div>
the whole body part:
<body style="margin ">
<!-- #include file="includes/header.asp"-->
<% if vForumInfo(FI_showquotes) = 1 then%><hr width="90%" size=1><div align="center" class="smalltext"><%=sBBSRandomQuoteText%> <%=GetRandomQuote%></div><% else %><BR><% end if %>
<hr width="90%" size=1>
<div align="center" class="error"><%=sError%></div><BR><BR>
<% if not ( request.querystring("action") = "postupload" and bError = False ) then %>
<div align="center"><a href="<%=sValidatedBaseURL%>/thread-view.asp?threadid=<%=iThreadID%>"><img src="<%=sValidatedBaseURL%>/images/back-button.gif" border="0"></a></div><BR>
<form ENCTYPE="multipart/form-data" method="post" action="attach-file.asp?threadid=<%=iThreadID%>&action=postupload">
<table align="center" width="50%">
<tr><td colspan="2" class="messagecellheader">Attach a file</td></tr>
<tr><td colspan="2" class="messagecellbody2">Thread: "<%=ValidateField(sThreadSubject)%>"</td></tr>
<tr><td class="messagecellbody">File:</td>
<td class="messagecellbody"><input type="file" name="attachment" size="40"></td></tr>
<tr><td class="messagecellbody2">Instructions:</td>
<td class="messagecellbody2">Attachments must be less than <%=vForumInfo(FI_MaxAttachSize)%>KB<BR><BR>If this thread already has an attachment,<BR>uploading a new attachment will overwrite the old one.<BR><BR>If you leave the file blank, the attachment will be deleted.</td></tr>
<tr><td class="messagecellbody"> </td>
<td class="messagecellbody"><input type="image" src="<%=sValidatedBaseURL%>/images/submit-button.gif"></td></tr>
</table>
</form>
<% end if %>
<!-- #include file="includes/footer.asp"-->
</body>
Please, I want help. Maybe the questions are very simple, so please take the trouble to answer me.
this is my signature for forums quoted from shog*9:
I can't help but feel, somewhere deep within that withered, bitter, scheming person, there is a small child, frightened, looking a way out.
I want to set up my home page in such a way that it should go to the localhost or to the website, depending on the net connection availability.
Any idea?? I use dial up service.....
Thanks in advance,
SPS
howdy all,
busy designing a new web application that would be perfectly suited to a webclass application.
i.e. one template page that defines the layout and within that layout tokens to define where runtime generated content should be placed.
my question is this ...
how should we be doing this kind of thing in asp.net ?
should we build server controls and drop these onto the aspx pages ?
should we build one page that serves as a template and the other pages inherit from this ?
should we still use something similar to token substitution ?
please help, any ideas ... suggestions ... guidance would be hugely appreciated
cheers
Ryan
Page Templates in ASP.NET
ASP.NET is far more powerful in this manner than vb6 webclasses
You can also use user/custom/server controls for this, but in reality you will find yourself using both technologies.
thanks ... i have been toying with some ideas, of which some are good - others seem better.
has anybody had experience in implementing this type of thing ? which method is best ?
i am currently toying with the idea of using a base class that all pages inherit from. this base class will use user controls to dynamically build their content at runtime. each page will then only be concerned with what needs to be placed in the content section, the base class will handle the rest.
is there an equivalent to visual inheritance in asp.net ?
cheers
Ryan
ryancrawcour wrote:
which method is best
Both... lol.
When you need a consistent "style" for a bunch of pages sitewide then use a template. But then in your template also make use of custom controls.
They are not mutually exclusive.
ryancrawcour wrote:
is there an equivalent to visual inheritance in asp.net ?
Not sure officially what visual inheritance is but Google has some links.
Is it possible to put a user control in a datalist to bind one of its properties to the database?
Mazy
"If I go crazy then will you still
Call me Superman
If I’m alive and well, will you be
There holding my hand
I’ll keep you by my side with
My superhuman might
Kryptonite"Kryptonite-3 Doors Down
Hi, everyone!
When I use the following statements in JSP to connect to DB2, I meet with a trouble,
--------
Connection con = DriverManager.getConnection(url, user, password);
--------
The error is:
--------
java.sql.SQLException: No suitable driver
    at java.sql.DriverManager.getConnection(DriverManager.java:543)
    at java.sql.DriverManager.getConnection(DriverManager.java:183)
    ... ...
--------
Here url is a String whose value is jdbc:db2://localhost/MYTEST
But when I change the value to
jdbc:db2:MYTEST, then everything is OK!
I do not know why.
I want to know the format of the url of a DB2 database when
I want to connect to a DB2 database on a remote machine.
Cheers,
George
Alright this has driven me mad and I am sick of reading other answers which get 99% of the way there and then fall over at the last step for me. I am sure I am missing something fundamental, but simple, here.
Basically I have a custom/server/whatever control which dynamically adds controls to itself in an overridden Render method. It adds three controls; two image buttons and a panel. They all render fine and look lovely, but what I want is for an event to be fired when I click either of the image buttons. When clicked the image buttons will set a member var. of the control.
Here is the code so far with what the event handling which I thought would work:
using System;
using System.Web.UI;
using System.Web.UI.WebControls;
using System.ComponentModel;
namespace bluegrass.content
{
public class resourcegallery : WebControl
{
public string View;
        private void view_thumbnail_Click(object sender, ImageClickEventArgs e)
        {
            this.View = "Thumbnail";
        }
        private void view_list_Click(object sender, ImageClickEventArgs e)
        {
            this.View = "List";
        }
        protected override void Render(HtmlTextWriter output)
        {
            ImageButton imgViewThumbnail = new ImageButton();
            imgViewThumbnail.ID = "view_thumbnail";
            imgViewThumbnail.ImageUrl = "res/img/view_thumbnail.gif";
            imgViewThumbnail.AlternateText = "Click for a Thumbnail view of the Resource Gallery";
            imgViewThumbnail.CssClass = "viewbutton";
            if (View == "Thumbnail") imgViewThumbnail.Visible = false;
            imgViewThumbnail.Click += new System.Web.UI.ImageClickEventHandler(this.view_thumbnail_Click);
            this.Controls.Add(imgViewThumbnail);
            ImageButton imgViewList = new ImageButton();
            imgViewList.ID = "view_list";
            imgViewList.ImageUrl = "res/img/view_list.gif";
            imgViewList.AlternateText = "Click for a List view of the Resource Gallery";
            imgViewList.CssClass = "viewbutton";
            if (View == "List") imgViewList.Visible = false;
            imgViewList.Click += new System.Web.UI.ImageClickEventHandler(this.view_list_Click);
            this.Controls.Add(imgViewList);
            Panel panelResourceGallery = new Panel();
            panelResourceGallery.ID = "ResourceGallery";
            panelResourceGallery.CssClass = "resourcegalleryview";
            panelResourceGallery.Controls.Add(new LiteralControl(View));
            this.Controls.Add(panelResourceGallery);
            base.Render(output);
        }
    }
}
The event handling and relevant imagebuttons are highlighted.
So in short when either imgViewList or imgViewThumbnail are clicked client side I want the view_list_Click and view_thumbnail_Click handlers to be fired.
Please remember this is a custom control, not a user control (I can raise events fine in a user control, but I need the capabilities of a custom control.)
Thanks for any help
I assume it's not working because the scope of imgViewThumbnail, imgViewList and panelResourceGallery are all lost when you leave Render(). Thus all the EventHandlers will be destroyed when you leave the function.
Have you tried making panelResourceGallery a property of resourceGallery?
[edit]Terminology failure error: by function I mean method and by property I mean member variable [/edit]
Paul
Life is just a sexually transmitted disease - Matthew Wright (ex-journalist, TV presenter) 10-Oct-02
I finally have a sig! - Paul Riley (part-time deity) 10-Oct-02
Paul Riley wrote:
I assume it's not working because the scope of...
Oh man the light just went on and owners arrived home (home being my brain.)
You are two inches from the answer. The answer is to do with the control life cycle rather than scope, but your scope idea twigged me to the life cycle bit. i.e. I need to be assigning the event handlers and everything else in the OnInit method/event/function/whatever-the-right-label-is-but-who-really-cares-huh and not the Render. Render is done almost last, already past the event firing stage.
*sigh* One of those "lets be dumb" days
Thanks Paul.
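The life-cycle fix described above, as an added example (not Shaun's final code and not from the original thread): the child controls are created in CreateChildControls, which ASP.NET invokes through EnsureChildControls/FindControl before postback events are raised, so the Click handlers exist in time to fire, and the chosen view is kept in ViewState. Class name and the assumption that the control is a naming container are mine.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

namespace bluegrass.content
{
    // Children are built in CreateChildControls, which the page calls (via EnsureChildControls /
    // FindControl) before postback events are raised, so the Click handlers are wired in time.
    public class ResourceGallery : WebControl, INamingContainer
    {
        ImageButton imgViewThumbnail, imgViewList;
        Panel panelResourceGallery;
        // Keep the choice in ViewState so it survives the postback that changes it.
        public string View
        {
            get { return (string)ViewState["View"] ?? ""; }
            set { ViewState["View"] = value; }
        }

        protected override void CreateChildControls()
        {
            Controls.Clear();
            imgViewThumbnail = MakeButton("view_thumbnail", "res/img/view_thumbnail.gif", view_thumbnail_Click);
            imgViewList = MakeButton("view_list", "res/img/view_list.gif", view_list_Click);
            panelResourceGallery = new Panel();
            panelResourceGallery.ID = "ResourceGallery";
            Controls.Add(panelResourceGallery);
        }

        ImageButton MakeButton(string id, string url, ImageClickEventHandler handler)
        {
            ImageButton b = new ImageButton();
            b.ID = id;
            b.ImageUrl = url;
            b.Click += handler;   // wired at creation, long before RaisePostBackEvent runs
            Controls.Add(b);
            return b;
        }

        // Visibility and the panel text are decided at PreRender, after Click has updated View.
        protected override void OnPreRender(EventArgs e)
        {
            base.OnPreRender(e);
            EnsureChildControls();
            imgViewThumbnail.Visible = View != "Thumbnail";
            imgViewList.Visible = View != "List";
            panelResourceGallery.Controls.Clear();
            panelResourceGallery.Controls.Add(new LiteralControl(HttpUtility.HtmlEncode(View)));
        }

        void view_thumbnail_Click(object sender, ImageClickEventArgs e) { View = "Thumbnail"; }
        void view_list_Click(object sender, ImageClickEventArgs e) { View = "List"; }
    }
}
```

Render is not overridden at all: WebControl's default Render emits the children, and the control never touches them before CreateChildControls has run.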
You know what's really sickening? I just came to the same conclusion but you got in before I could post an extra reply.
Ho hum... doesn't matter as long as you got it working
Paul
Life is just a sexually transmitted disease - Matthew Wright (ex-journalist, TV presenter) 10-Oct-02
I finally have a sig! - Paul Riley (part-time deity) 10-Oct-02
Paul Riley wrote:
Ho hum... doesn't matter as long as you got it working
But it does, it is the thought that counts here, so thank you
I am just really glad my problem was something simple and not that I had to implement more delegates and interfaces and what not. Go .NET!
I'd like to test my ASP.NET app with SSL to make sure all the links work etc before I publish it on the main site.
Can I get or generate a test SSL certificate for this purpose?
When I go to my main site I can use a shared SSL certificate (cheaper); are there any known problems with using Shared SSL and an ASP.NET app (codebehind)? Or should I use a full blown one (more costly)?
TIA
Shaun
Stupidity dies.
The end of future offspring.
Evolution wins.
- A Darwin Awards Haiku
You can go to www.verisign.com and register a "test" certificate. After a month they will email you and ask you to buy a proper one. Ignore them and carry on. We purchased one for our live server from them, but then needed to test the stuff on our dev server, so we did this. Our month has passed, but the test cert is still working nicely.
Dave Goodman on funny error messages:
It is a definite no-no to run BITMAP as a user command. Your nose will grow, your lawn will die, your hair will fall out, and your first-born will marry an aardvark. Shame on you!
thanks megan
Stupidity dies.
The end of future offspring.
Evolution wins.
- A Darwin Awards Haiku
Pleasure
Dave Goodman on funny error messages:
It is a definite no-no to run BITMAP as a user command. Your nose will grow, your lawn will die, your hair will fall out, and your first-born will marry an aardvark. Shame on you!