Friday, 26 November 2010

AJAX - ASP.NET : Call WebMethod defined in User Control

If you have welcomed the joys of AJAX into your ASP.NET application, you may or may not have come across this problem.

With AJAX calls, I tend to store the WebMethod within the ASPX pages rather than services, so that I can keep my logic relating to the page separate from everything else. There is nothing worse than having a global service with tens or hundreds of methods in it that get called every time (well, maybe there is, but you see my point!).

However, where user controls are concerned, we have a slight problem. A limitation of the framework prevents us from calling a WebMethod defined in a User Control (as of .NET 3.5). Some people have suggested adding a proxy method to the page which hosts the user control to call a method within the user control. This is wrong on many levels, as it ties the page to the control and defeats the purpose of easy re-usability.

Instead of a page method, add a service method, in either an ASMX or an SVC; it doesn't really matter which. These are useful for hosting WebMethods that can be reused by many pages within the application or by user controls (which are re-usable by design anyway).

Thursday, 25 November 2010

asp:menu - Fix submenu appearing as a white box [IE8+]

If you have an asp:menu control as part of your ASP.NET application, you will notice that the sub menu appears as a white box and your content isn't visible. This is quite crucial if this is the only access point to your web pages!

1. Add z-index: 100; within a CSS class bound to the DynamicMenuItemStyle property on the menu control. This is the easiest fix. What IE8+ browsers are doing here is in theory correct; it is more of a shortfall of the control. [Best Solution]

2. Use CSS friendly adapters. This requires a total re-design, but why not take a look anyway?

3. Make your browser emulate IE7 by using the following meta tag in the appropriate pages.
<meta http-equiv="X-UA-Compatible" content="IE=EmulateIE7" />

Note: The 3rd solution is not the best idea as it goes against the principles of moving forward with the technology!

SQL Server Management Studio - Edit Query Results

This is a useful way to edit results of queries in SQL Server Management Studio 2005 and 2008.

SQL Server 2005
1. Right click table
2. Open Table
3. Right click anywhere in the results > Pane > SQL
4. The SQL query window pops up; enter the query here.

SQL Server 2008
1. Right click table
2. Edit Top 200 Rows
3. Right click anywhere in the results > Pane > SQL
4. The SQL query window pops up; enter the query here.

XSS: Cross-site scripting attacks in ASP.NET [Examples]

Recently I have been looking at vulnerabilities in ASP.NET applications where XSS attacks are concerned. In recent years, integration with ASP.NET and AJAX has become more apparent as it offers many benefits, including partial page refreshes. However, this opens our applications up to potential attacks, one of which is the main area of focus for this topic: XSS (cross-site scripting).

Must Read: The XSS Wiki

When creating pages in ASP.NET, you may have stumbled upon the ValidateRequest property of the Page directive before. If not, it's a useful .NET feature that analyses page submissions for potentially unsafe markup. You can test this yourself by entering <script>alert('Xss Vector!')</script> into a textbox control and hitting submit on the form. You will receive an exception informing you that the submission is potentially unsafe. Try setting this to false (default is true if not specified) and you'll see that this is no longer picked up by the framework on submit.

So why not leave this set to true for all pages? What's the problem?
1. Users may want to enter markup into a text area control, for example.
2. AJAX calls to WebMethods do not follow this process.
3. Session, cookie and application variables, which can be hijacked, also do not follow this process.

The three reasons above make it clear why we should add protection against XSS attacks to our ASP.NET applications, especially as ASP.NET AJAX is becoming more and more common. We have three options for protection against these kinds of attacks.

1. Write your own utility to strip out potentially unsafe markup upon each potentially dangerous call.
2. Include the Microsoft Anti-Cross Site Scripting Library in your solution. This is the same as option 1, but without the "Write your own" bit. It's around 700kb (V1.5).
3. Do not make any of these calls where this becomes an issue [not realistic]

For options 1 and 2, we need to analyse our code or potential code (i.e. in the design process!) to find where these issues arise. You can refer to the 3 potentially unsafe areas above as a starting point, as these are areas where XSS attacks can occur. This Microsoft page gives a good description of how to do this.

Once these areas are known, we can make all inbound calls safe by stripping out or parsing incoming data using a bespoke tool or Microsoft's Anti-Cross Site Scripting Library.

Here is a typical example where we make an AJAX call to the server and we use Microsoft's library to parse the incoming data. The example also includes a vulnerable option so the two approaches can be compared.

The example can be downloaded here [Requires .NET 3.5]
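
The comparison described above can also be sketched on the client side of the AJAX call. This is an added example, not the downloadable project; the function names and the allow-list character set are assumptions, and on the server the Anti-XSS library's `AntiXss.HtmlEncode` plays the encoder's role.

```javascript
// Added example, not from the downloadable project. Function names are hypothetical.

// Allow-list HTML encoder: letters, digits, space and . , - _ pass through;
// every other character becomes a numeric entity.
function htmlEncode(value) {
  var out = "";
  for (var ch of String(value)) {            // iterates by code point
    out += /^[A-Za-z0-9 .,\-_]$/.test(ch) ? ch : "&#" + ch.codePointAt(0) + ";";
  }
  return out;
}

// ASP.NET 3.5 JSON replies look like {"d": "..."}; anything else is treated as empty.
function unwrapReply(reply) {
  return reply && typeof reply.d === "string" ? reply.d : "";
}

// Vulnerable: the WebMethod reply is concatenated into markup as-is.
function renderCommentUnsafe(reply) {
  return "<div class=\"comment\">" + unwrapReply(reply) + "</div>";
}

// Hardened: the reply is encoded for HTML element content before concatenation.
function renderCommentSafe(reply) {
  return "<div class=\"comment\">" + htmlEncode(unwrapReply(reply)) + "</div>";
}

// Constructed reply carrying the test string used earlier in this post.
var sampleReply = { d: "<script>alert('Xss Vector!')</script>" };
```

With `sampleReply`, `renderCommentUnsafe` returns markup that still contains the script element, while `renderCommentSafe` returns the same text as inert character entities.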

Useful links:
XSS Cheat Sheet
Test your XSS Attack skills here!

Tuesday, 23 November 2010

ASP.NET/AJAX - Client-side validation with server validation controls

With web applications getting more and more complex, it becomes necessary to make them more performant. It is quite easy to create an ASP.NET web application and, within little or no time, find that most of the logic exists on the server. This is all well and good for a simple application, but as complexity increases, we need to start handing processing to the client where client-side operations need to exist.

One good example is validation. For example, there is no reason why we should have required field validation on the server (i.e. checking if a field exists in the code behind after submitting a form to the server). We can easily use a RequiredFieldValidator in this case, and this will be processed on the client-side.

OK, now for more complex examples, and this is the main focal point of this article: what if we are using a custom validator and we need to check, for example, whether an email exists dynamically without submitting the whole form? The common thing developers do here is override the OnServerValidate property of a CustomValidator; this then takes care of things when the form is submitted. I am now going to discuss how we can avoid this.

The old method

- Requires whole page postback
- Less performant

The new method

- Partial page postback
- Asynchronous, can be performed on-the-fly (dynamically)

With the old method, you can see that we must submit the form to the server in order to use our server side validation method. Server side validation is useful if you wish to use a database, for example (check if email exists), something that your JavaScript cannot do alone.

With the new method, we override the ClientValidationFunction of the CustomValidator and set it to a JavaScript function. This JavaScript function then wraps up some data using JSON; this data refers to what we are validating (i.e. email address). It then passes the data to a WebMethod on the server. The server method will behave exactly like the previous OnServerValidate method and pass back the results of our validation process. The CustomValidator will then use this to trigger an error if necessary.

I have attached the project files used in this example (written in ASP.NET 3.5). If you open the Javascript file, you can see that a page method is being referenced. You can also reference a service (.asmx) by uncommenting the line below in the script, and commenting out the page method reference. Both work exactly the same but present two alternate mechanisms.

Download the project files here

If the Web Service is in a different namespace, you can refer to it before the class name. This main formula may help you:

NameSpaceName.ClassName.WebMethodName(Parameters, Success callback function, Error callback function);

Parameters: you can pass one or many parameters.

Success callback function: handles returned data from the service.

Error callback function: any errors that occur when the Web Service is called will trigger in this function. Using the Error callback function is optional.

Note: In this example, I am using the $.ajax command of jQuery to call the WebMethod. So in the url section, we need to specify the method as a URL relative to where it's being called from.


+ javascript
--- callwebservice.js < the script calling the service
+ Services
--- service.asmx < the service being called

Then your url will be "../Services/service.asmx/NameOfTheWebMethod"
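
A sketch of the client side described in this post, added here and not taken from the project files: a `ClientValidationFunction` that sends the e-mail address as JSON to a WebMethod at a relative URL and sets `args.IsValid` from the reply. `EmailExists`, `makeEmailValidator` and `stubTransport` are hypothetical names, and the stub stands in for `$.ajax` so the flow runs without a server.

```javascript
// Added example. EmailExists, makeEmailValidator and stubTransport are hypothetical names.

// Build the $.ajax options for a JSON call to a page method or .asmx script service.
function buildWebMethodRequest(baseUrl, methodName, params) {
  if (!/^[A-Za-z_][A-Za-z0-9_]*$/.test(methodName)) {
    throw new Error("unexpected WebMethod name: " + methodName);
  }
  return {
    type: "POST",
    url: baseUrl + "/" + methodName,        // relative to the page running the script
    contentType: "application/json; charset=utf-8",
    dataType: "json",
    data: JSON.stringify(params),           // let the serializer do the quoting
    async: false                            // IsValid must be set before the validator returns
  };
}

// Returns a function usable as the CustomValidator's ClientValidationFunction.
// `ajax` is the transport: function (o) { return $.ajax(o); } in the browser.
function makeEmailValidator(ajax, baseUrl) {
  return function (sender, args) {
    args.IsValid = false;                   // fail closed on error or unexpected reply
    var request = buildWebMethodRequest(baseUrl, "EmailExists", { email: String(args.Value) });
    request.success = function (reply) {
      // ASP.NET 3.5 wraps the WebMethod's return value in a "d" property.
      args.IsValid = !!reply && reply.d === false;
    };
    request.error = function () { args.IsValid = false; };
    ajax(request);
  };
}

// Constructed stand-in for $.ajax so the flow can be run without a server.
function stubTransport(reply) {
  return function (options) {
    if (reply === null) { options.error(); } else { options.success(reply); }
  };
}

// Constructed demo: the stub answers "this address is not registered yet".
function demo() {
  var args = { Value: "new.user@example.com", IsValid: true };
  makeEmailValidator(stubTransport({ d: false }), "../Services/service.asmx")(null, args);
  return args.IsValid;                      // true
}
```

The result only drives the on-page error message; a request sent without the script never runs this function, so the server has to repeat the same check when the form is submitted.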

Tuesday, 9 November 2010

Multiple Versions of IE - With IE7, IE8 and IE9!!!

Here is a really good tool for emulating versions of IE from 5.5 to 9. For those of you that have used a similar tool in the past (Multiple IE's), you'll notice that this has been discontinued and there are a few difficulties getting it to work with Windows Vista and Windows 7.

Here is a better tool, IETester

Wednesday, 3 November 2010

CSS: Corner Radius

Really good article!