Saturday, June 14, 2014

Asp.Net 4.5 Request Validation


In Asp.Net 4.5 there is a major security improvement in request validation, controlled through the requestValidationMode setting.


With Asp.Net 4.5, request validation now runs for all HttpRequests (emphasis on "all"): a single setting makes the runtime inspect all request data for content that hints at an attack, such as XSS markup, SQL injection strings or an anonymous script block that could be executed.


Before 4.5 and 4.0, request validation was available only for Page requests, but now it covers all HttpRequests, since HTTP requests nowadays also arrive through REST APIs; HTTP has become a more prominent language of the web than HTML itself, and the web has started talking more in terms of HTTP than HTML.


In Asp.net 2.0, if we ever want to save data containing a special character sequence such as <b>Bob</b> coming from a textbox, we have to put the whole page at risk by setting the page's ValidateRequest attribute to false. With Asp.net 4.0 request validation you no longer have to put the whole page at risk, since you can control it at request level, page level and, yes, at control level as well.


Asp.Net 4.5 introduces lazy request validation: a request value is validated only when the code actually accesses it, so if a control whose value contains markup such as <b>Bob</b> is never read, it is never validated. This also improves performance compared with the earlier implementation.


In order to use the lazy request validation feature of Asp.Net 4.5, make the following entry in web.config:


<system.web>
  <httpRuntime requestValidationMode="4.5" />
</system.web>


Any value lower than 4 for requestValidationMode (3, 3.9, 2.5 and so on) makes request validation behave in 2.0 mode. If we want to read a value while still taking advantage of request validation, the following is the format to access it; this returns the unvalidated value of txtName:


Request.Unvalidated.Form["txtName"];


Another very useful new feature is the ValidateRequestMode property, which is set to Enabled by default; if you want the values of a particular control, or set of controls, not to be validated, set its ValidateRequestMode property to Disabled.
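Putting the pieces together, as an added example that is not code from the post: a code-behind for an assumed Profile.aspx (with controls txtName, txtBio, lblEcho and btnSave, and the requestValidationMode="4.5" entry above) showing the lazily validated read, the unvalidated read for one field, and the output encoding that still has to happen afterwards.

```csharp
// Added example, not the post's code: code-behind for a hypothetical Profile.aspx that
// hosts TextBoxes txtName and txtBio, a Label lblEcho and a Button btnSave, with
// <httpRuntime requestValidationMode="4.5" /> in web.config.
using System;
using System.Web;
using System.Web.UI;

public partial class Profile : Page
{
    protected void btnSave_Click(object sender, EventArgs e)
    {
        // Lazy validation: txtName is validated only here, when its value is first read.
        // A posted value such as "<b>Bob</b>" makes this line throw
        // HttpRequestValidationException; no other field on the page is affected.
        string name = Request.Form["txtName"];

        // txtBio is allowed to carry markup, so read it through the unvalidated
        // accessor instead of switching validation off for the whole page.
        // The markup-level equivalent is <asp:TextBox ID="txtBio" runat="server"
        // ValidateRequestMode="Disabled" /> followed by txtBio.Text.
        string bio = Request.Unvalidated.Form["txtBio"];

        // Request validation is an input-side heuristic against markup injection,
        // not an output encoder: anything echoed back must still be HTML-encoded,
        // and anything stored must still go through parameterised SQL.
        lblEcho.Text = HttpUtility.HtmlEncode(name) + ": " + HttpUtility.HtmlEncode(bio);
    }
}
```

Request.Unvalidated bypasses validation for a single read, while ValidateRequestMode="Disabled" on a control does the same for that control's posted data; both leave the rest of the page validated.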


Thursday, June 5, 2014

img input type on click and return

Yesterday I faced a very strange problem.

There is one user control which has an image button:

<input type='image' src="<URL of the image>" onclick="removerow(190,120)">

The definition of the removerow function was returning false.

<script>
function removerow(j, k)
{
    ...
    ...

    // returning false is meant to cancel the default action (the form submit)
    return false;
}
</script>

Now the problem was that whenever this image button got clicked, it reloaded the page. This image button was inside a user control, which was loaded on a page opened inside an iframe, which in turn was hosted on another page.

So this click was actually reloading the iframe, which had been opened on a click on another image button.

In order to stop this behaviour I returned false from the removerow function, since I had read that in order to stop the page from submitting or posting back (you guessed it correctly: Asp.Net background) one can return false, which I was already doing in this function, but it was still reloading the iframe content.

My mind was going around wondering what had suddenly gone wrong; I tried lots of methods, stopPropagation and cancelBubble = true, but it was still posting the form.

In the end, what I did was change the way it was called from the button click.

Before:   <input type='image' src="<URL of the image>" onclick="removerow(190,120);">

After:    <input type='image' src="<URL of the image>" onclick="javascript: return removerow(190,120);">

And it worked. Yes, putting the return keyword as shown above made all the difference.

Happy Coding !!

Sunday, June 1, 2014

My Day 2 Day jQuery issues collections

Hi Folks!!

In this post I am trying to put down the day-to-day jQuery problems which I face and fix. Hope you will enjoy reading them as much as I enjoyed collecting them for you:

Problem:

A textbox which should only allow time in HH:MM format, and a textarea which should be disabled until the value is in the correct format.

Solution:

// keypress fires before the typed character reaches val(), so input/keyup is used instead
$('#txtTimeInout').on('input keyup', function () {
    var data = $('#txtTimeInout').val();
    // HH:MM only: exactly two digits, a colon, two digits
    var pattern = /^\d{2}:\d{2}$/;

    if (data.match(pattern)) {
        $('#txtarea').prop('disabled', false);
    } else {
        $('#txtarea').prop('disabled', true);
    }
});

Problem:

There was an iframe inside a window, and inside the page loaded in that window there was a JavaScript function SaveQuestion() which I was supposed to call from the page outside the iframe in which that window is hosted.

Solution:

So on a button click on the outer page I had to call that method. The following was the solution I implemented:

$('#btnSave').click(function () {
    // window.frames (not "windows"); frames[0] is the first iframe on this page.
    // Reaching into the frame only works when it is same-origin; a cross-origin
    // frame throws a security error here.
    if (window.frames.length >= 1) {
        if (typeof window.frames[0].SaveQuestion === "function") {
            // The function is referenced as a property of the frame's window,
            // so call it with that window as "this" via call()
            window.frames[0].SaveQuestion.call(window.frames[0]);
        }
    }
});

Hope it will be of help to someone.

Happy Solving!!

Sunday, March 23, 2014

Get Ready for getting project

As an IT freelancer I have lots of opportunities where I need to send a proposal to a client for his or her project, and if they like it they call me for an interview.

The interview I do with my client is usually online, through Skype video chat or one of the collaboration tools.

This is my first and last chance to convince the client of my understanding of the project and to prove that I am a 100% fit to do his or her job, and that it is not only safe but will provide value for the money he is going to invest in me.

So the journey of winning a client starts from the moment I see a job post on oDesk, Elance, in an email or from any direct client.

I am hereby trying to put down the steps I keep in mind while approaching any opportunity.

(Note: I will cover the steps I normally follow once I am going for the interview with the client.)

Client Question: Tell me something about yourself.

Preparation Plan: Go through your resume or CV thoroughly and note the main points of your experience that reflect your capability. This gives a first impression. Be confident in your reply.

Go through the post details thoroughly. For example, the client wants a POS system.

1. Go through the job post thoroughly, and if you haven't worked on that kind of application, go through a sample application and understand its features thoroughly.

2. Never give an estimate on the call, no matter how small it is. Just tell the client: "I will review the requirement and our discussion and come back to you with the effort estimate."

3. Discuss the UI. Even if the client is not particular about the UI, provide a UI in the next 2-3 days, even when the client says default theme.

4. Make a list of internal activities or to-dos.

5. Send status reports to the client daily. Don't try to fool the client, as one day the truth prevails, so be sure to be open in communication from day one.

6. Provide feedback and value to the client; suggest new ways or methods through which you can add value to the customer's business process.

7. If you are going to create a public-facing site, always make sure to ask the client which site he or she wants to compete with or wants to look like.


These few steps can improve your confidence a lot.

Happy Reading......


Saturday, March 22, 2014

Special characters in action parameters : MVC handling


Special Characters in URL:

We had a scenario in which our complete-sign-up URL contained an encrypted key. The encrypted key was a base64-encoded string generated by a crypto algorithm, and it could contain special characters like %, #, <, >, /, !, @, &, * in one or more combinations.

So our sign-up URL was being formed something like this:

http://mysite/completesignup/ADSD$%@#$sdfdf?sdfsdf&^sdf++==/dfdfdfdf?/

This link was sent to potential users in their email so that a user could complete the sign-up operation.

But due to the default request-filtering settings of the IIS request pipeline, the user was getting error 404.1 Bad Request.

To fix this, the first step was to specify the following in the application's web.config:


<!-- requestFiltering lives under system.webServer, not system.web -->
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>

This fixed the issue whenever we had double escaping.

Another point to understand here: instead of passing special characters in action parameters, we should pass them as a query string.
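The query-string approach, as an added example that is not the post's code: encoding the key as base64url and passing it as ?key= keeps it out of the route path and avoids relaxing request filtering with allowDoubleEscaping at all. It assumes an MVC SignupController with a CompleteSignup action and that the key bytes come from the application's existing crypto routine; the helper names are hypothetical.

```csharp
// Added example, not the post's code: hypothetical helpers for issuing and reading the
// sign-up key. The key bytes come from whatever crypto routine the app already uses.
using System;
using System.Web;
using System.Web.Mvc;

public static class SignupKey
{
    // Base64url (RFC 4648 section 5): '+' -> '-', '/' -> '_', padding dropped, so the
    // token contains only URL-safe characters and never needs double escaping.
    public static string Encode(byte[] keyBytes)
    {
        return Convert.ToBase64String(keyBytes).TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    public static byte[] Decode(string token)
    {
        string s = token.Replace('-', '+').Replace('_', '/');
        switch (s.Length % 4)          // restore the padding stripped at encode time
        {
            case 2: s += "=="; break;
            case 3: s += "="; break;   // a remainder of 1 is invalid and fails below
        }
        return Convert.FromBase64String(s);
    }

    // Keep the key in the query string, where it is URL-encoded once and is never
    // interpreted as a path segment by routing or request filtering.
    public static string BuildLink(string baseUrl, byte[] keyBytes)
    {
        return baseUrl + "/completesignup?key=" + HttpUtility.UrlEncode(Encode(keyBytes));
    }
}

public class SignupController : Controller
{
    // GET /completesignup?key=...
    public ActionResult CompleteSignup(string key)
    {
        byte[] keyBytes;
        try { keyBytes = SignupKey.Decode(key ?? ""); }
        catch (FormatException) { return new HttpStatusCodeResult(400); }
        // ... look up the pending sign-up by keyBytes and finish registration ...
        return View();
    }
}
```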