[CLOSED] Special symbols escaping problem

  1. #1

    [CLOSED] Special symbols escaping problem

    Hi,

    I have the following code:

    <form id="form1" runat="server">
        <ext:ScriptManager id="ScriptManager1" runat="server" />
        <ext:TextField runat="server" ID="Field1" Text="<abc>" />
        <ext:Button ID="Btn1" runat="server" Text="ClickMe" >
            <AjaxEvents>
                <Click OnEvent="OnButtonClicked" />
            </AjaxEvents>
        </ext:Button>
    </form>
    When I click the button, I get a "NORESPONSE" error message. This happens because the text field contains < and > symbols. When I remove these symbols, everything is OK.
    I also noticed a similar problem in the combobox: it does not correctly display items containing < and > symbols.


  2. #2

    RE: [CLOSED] Special symbols escaping problem

    Hi acrossdev,

    When I click the Button I get a RequestValidationException because the input field contains an html string.


    A potentially dangerous Request.Form value was detected from the client (Field1="<abc>").

    It's probably best to encode your values before sending to the client, and decode them on the server.


    Hope this helps.


    Geoffrey McGill
    Founder
  3. #3

    RE: [CLOSED] Special symbols escaping problem



    Hi, Geoffrey

    Sorry for bothering you, you are right. The problem was in request validation. When I disabled it, the problem was gone.

    But I still have problems with combobox.

    Consider the following code:

    
    <script runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            Combo1.Items.Add(new Coolite.Ext.Web.ListItem("a[B]c", "1"));
            Combo1.Items.Add(new Coolite.Ext.Web.ListItem(Server.HtmlEncode("a[B]c"), "2"));
        }
    </script>
    <body>
    <form runat="server">
        <asp:Label runat="server" ID="Label1" />
        <ext:ScriptManager ID="ScriptManager1" runat="server" />
        <ext:ComboBox runat="server" ID="Combo1" />
    </form>
    </body>

    As you can see, combobox contains two similar items, second item is html encoded.

    Please, try running the code, and selecting items in combobox.

    You will see, that first item is shown incorrectly in drop down list, but shown correctly when selected.

    While second item is shown correctly, in dropdown list, but incorrectly when selected.

    So, how can I correctly show the "a[B]c" item in the combobox?

    One more related question. As I understood, Coolite server controls assume that I will encode texts myself before passing them to the control. For example: if any company name for the array grid contains "<" ">" symbols, it will be displayed incorrectly. So, I have to encode all text items passed to the data source of the grid store. Would it not be more handy and more secure if Coolite HTML-encoded such things by itself?

    BTW, I did not try it, but when I use an SQL data source, I have no ability to encode items received from the database. Will the Coolite grid correctly show database records containing "<" and ">" symbols?
  4. #4

    RE: [CLOSED] Special symbols escaping problem

    Hi acrossdev,

    I ran some experiments with the ComboBox + encoding and there are a few encoding issues.

    I was able to work around the problem by setting a custom <Template>.

    Example

    <%@ Page Language="C#" ValidateRequest="false" %>
    
    <%@ Register Assembly="Coolite.Ext.Web" Namespace="Coolite.Ext.Web" TagPrefix="ext" %>
    
    <script runat="server">
        protected void Page_Load(object sender, EventArgs e)
        {
            this.ComboBox1.Items.Add(new Coolite.Ext.Web.ListItem("a[B]c", "1"));
            this.ComboBox1.Items.Add(new Coolite.Ext.Web.ListItem("d<e>f", "2"));
        }
    
        protected void Button1_Click(object sender, AjaxEventArgs e)
        {
            this.Label1.Text = this.ComboBox1.SelectedItem.Text;
        }
    </script>
    
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" 
        "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    
    <head id="Head1" runat="server">
        <title>Title</title>
    </head>
    <body>
    <form id="form1" runat="server">
        <ext:ScriptManager runat="server" />
        
        <ext:ComboBox ID="ComboBox1" runat="server">
            <Template>
                <tpl for=".">
                    <div class="x-combo-list-item">{text:htmlEncode}</div>
                </tpl>
            </Template>
        </ext:ComboBox>
        
        <ext:Button ID="Button1" runat="server" Text="Submit">
            <AjaxEvents>
                <Click OnEvent="Button1_Click" />
            </AjaxEvents>
        </ext:Button>
        
        <ext:Label ID="Label1" runat="server" />
    </form>
    </body>
    </html>
    I'm going to investigate maybe making this the default <Template> for the ComboBox, although I have to think this through a bit more and perform more testing.

    At least for now, the above <Template> should help with the angle-bracket rendering.

    Geoffrey McGill
    Founder
  5. #5

    RE: [CLOSED] Special symbols escaping problem

    Hi Geoffrey,
    Thanks for the answer. I'll use this template for combobox.
    But what about my second question? I could not understand the Coolite policy for HTML encoding. When should I encode values passed to Coolite, and when does Coolite encode them by itself?
    I took SqlDataSource Example, and filled one of database fields with "A" value.
    This value was shown in the grid as a bold "A" letter. So, the grid does not HTML-encode texts retrieved from the SQL data source. Is it a bug?
  6. #6

    RE: [CLOSED] Special symbols escaping problem

    Hi all,
    Can you, please, reply to my previous post?
    I still want to know how coolite is intended to work with encoding.
    Should I encode values, passed with different types of stores, or coolite will automatically encode data in next versions?
    Why SqlDataSource example does not encode data, retrieved from database?

    Actually I do not deal with any particular problem, I just want to understand coolite encoding policy and adopt my code correspondingly.
  7. #7

    RE: [CLOSED] Special symbols escaping problem

    Hi,

    I am not ready to talk about policy yet. I just want to clear up some questions.


    1. At this moment all Coolite controls don't encode/decode values (except HtmlEditor)


    2.
    new Coolite.Ext.Web.ListItem("a[B]c", "1")
    "You will see, that first item is shown incorrectly in drop down list, but shown correctly when selected."
    new Coolite.Ext.Web.ListItem(Server.HtmlEncode("a[B]c"), "2")
    "While second item is shown correctly, in dropdown list, but incorrectly when selected."


    What is a combobox? It consists of two UI elements: a textbox and a dropdown list. The textbox is an object of the user's OS (it is not a pure HTML element and can't display HTML code). Therefore the textbox shows HTML code as is (I mean without any transformation). The dropdown list is a div tag with absolute position. Therefore it shows HTML with transformation (the HTML should be well formed).


    So,
    a[B]c
    will be correctly displayed in the TextBox (because it shows HTML as simple text) and incorrectly in the dropdown list (because it shows HTML using HTML transformation rules, and that HTML is not well formed).


    The encoded version has the opposite behaviour (I think you understand why).


    3. About GridPanel. A GridPanel cell displays its value as HTML ("a" will be displayed as bold 'a'). If you want to show it as is, you need to either:
    - use a renderer which will encode the value
    <Renderer Handler="return Ext.util.Format.htmlEncode(value);" />
    - set AutoEncode for the GridPanel to automatically decode/encode the value on pre/post edit
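
The behaviour described in post #7 (raw versus pre-encoded item text in the ComboBox list and text field, and the encoding renderer for grid cells), modelled without a DOM. This is an added example, not part of the thread or of Coolite's code. `seenInHtmlSink`, `seenInTextSink`, `render` and `compare` are hypothetical helpers, `htmlEncode` is a stand-in for `Ext.util.Format.htmlEncode`, and the tag stripping is a simplification of real HTML parsing.

```javascript
// Stand-in for Ext.util.Format.htmlEncode: escapes & < > " as entities.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// What the user sees when a string is inserted as markup (dropdown list, grid
// cell): tags are interpreted rather than displayed and entities are decoded.
// Simplified model of HTML parsing, enough for the thread's sample values.
function seenInHtmlSink(markup) {
  return markup
    .replace(/<\/?[a-zA-Z][^>]*>/g, "")
    .replace(/&lt;/g, "<")
    .replace(/&gt;/g, ">")
    .replace(/&quot;/g, '"')
    .replace(/&amp;/g, "&"); // last, so "&amp;lt;" decodes only once
}

// What the user sees in the text field: input.value is shown verbatim.
function seenInTextSink(value) {
  return value;
}

// Encode at output time, per sink; the stored value stays raw.
function render(raw, sink) {
  return sink === "html" ? htmlEncode(raw) : raw;
}

// The three strategies from the thread, each shown in both sinks.
function compare(raw) {
  const pre = htmlEncode(raw); // Server.HtmlEncode-style encoding before storing
  return {
    rawInList: seenInHtmlSink(raw),
    rawInField: seenInTextSink(raw),
    preEncodedInList: seenInHtmlSink(pre),
    preEncodedInField: seenInTextSink(pre),
    perSinkInList: seenInHtmlSink(render(raw, "html")),
    perSinkInField: seenInTextSink(render(raw, "text")),
  };
}

// Constructed samples: the thread's "d<e>f" and a bold-tag value for the grid case.
for (const sample of ["d<e>f", "<b>A</b>", "R&D <x>"]) {
  console.log(JSON.stringify(sample), compare(sample));
}
```

Only the per-sink strategy shows the original string in both places; storing a pre-encoded value fixes the list and breaks the text field, which is the mismatch reported in post #3.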
  8. #8

    RE: [CLOSED] Special symbols escaping problem

    Hello Vladimir,
    So, for now I will encode all values by myself and use custom renderers.
    Thanks for your answer.

    Topic is solved now.
