[CLOSED] Script tag HTML rendering on first page load

  1. #1
    Run the supplied example to see the error. To stop the error from occurring, remove the script tags from the text.
    The issue is that the user could enter <script>alert('hello')</script> in a field such as a description, where the text length may be as much as 2000 characters. All text entered by the user is encoded using Server.HTMLEncode before it is stored in the database and, where necessary, decoded before it is used to populate a control. I could use a RegEx to prevent the user entering <script> tags, but I would prefer it if the user could enter any text without limitation.

    Could you supply a workaround for this issue please.

    Note: this error only occurs the first time the page is loaded; if the page is re-populated via a direct method it is not an issue.



    <%@ Page Language="C#" %>
    <!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
    <script runat="server">
    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack && !X.IsAjaxRequest)
        {
            // Decoded text containing <script>...</script> is assigned to the field
            // on the first (non-AJAX) load; this is the case that triggers the error.
            string zpText = Server.HtmlDecode("&lt;script&gt;alert('Argh');&lt;/script&gt;");
            txtTest.Text = zpText;
            lblUserUserCreated.Text = "bob the builder";
            lblUserUserUpdated.Text = "bob's mate";
        }
    }
    </script>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title></title>
    </head>
    <body>
        <form id="form1" runat="server">
        <ext:ResourceManager id="smrMain" runat="server"></ext:ResourceManager>
        <ext:viewport runat="server" id="vwDefault">
            <Items>
                <ext:borderlayout ID="Borderlayout1" runat="server">
                    <center>
                        <ext:formpanel runat="server">
                            <items>
                                <ext:rowlayout ID="Rowlayout1" runat="server">
                                    <Rows>
                                        <ext:LayoutRow RowHeight="1">
                                            <ext:formPanel labelwidth="150" runat="server" forcelayout="true" id="frmUser" padding="5" border="false">
                                                <items>
                                                    <ext:textfield width="150" id="txtTest" maxlength="50" allowblank="true" fieldlabel="Test" runat="server"></ext:textfield>
                                                </items>
                                            </ext:formPanel>
                                        </ext:LayoutRow>
                                        <ext:layoutrow>
                                            <ext:formPanel labelwidth="80" ID="FormPanel1" forcelayout="true" runat="server" padding="5" border="false">
                                                <Items>
                                                    <ext:displayfield id="lblUserUserCreated" FieldLabel="User Created" runat="server"></ext:displayfield>
                                                    <ext:displayfield id="lblUserUserUpdated" FieldLabel="User Updated" runat="server"></ext:displayfield>
                                                </Items>
                                            </ext:formPanel>
                                        </ext:layoutrow>
                                    </Rows>
                                </ext:rowlayout>
                            </items>
                        </ext:formpanel>
                    </center>
                </ext:borderlayout>
            </Items>
        </ext:viewport>
        </form>
    </body>
    </html>
    Last edited by Daniil; Aug 05, 2010 at 1:00 PM.
  2. #2
    Hello, seanwo!

    I would prefer it if the user could enter any text without limitation
    You need to turn off request validation.

    <%@ Page Language="C#" ValidateRequest="false"%>
  3. #3

    That doesn't work for me

    I get "unterminated string constant at line X" javascript error

    and this rendered to the screen

    ",autoCreate:{"tag":"input","type":"text","maxlength":50,"autocomplete":"off"},maxLength:50},{id:"chkShowSchematicTooltips",xtype:"checkbox",fieldLabel:"Schematic Tooltips",inputValue:"chkShowSchematicTooltips"}],border:false,padding:5,renderFormElement:false,url:"/PowerBook/test/test.aspx"},{id:"FormPanel1",xtype:"form",labelWidth:80,forceLayout:true,items:[{id:"lblUserUserCreated",xtype:"displayfield",fieldLabel:"User Created",value:"bob the builder"},{id:"lblUserUserUpdated",xtype:"displayfield",fieldLabel:"User Updated",value:"bob's mate"}],border:false,padding:5,renderFormElement:false,url:"/PowerBook/test/test.aspx"}],layout:"ux.row",renderFormElement:false,url:"/PowerBook/test/test.aspx"},layout:"border"});});Ext.net.ResourceMgr.init({id:"smrMain",BLANK_IMAGE_URL:"/PowerBook/extjs/resources/images/default/s-gif/ext.axd",aspForm:"form1"}); //]]>
  4. #4
    I would suggest you set the default value of the TextField as in this sample code.
    <%@ Page Language="C#" ValidateRequest="false" %>
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
        <title>Ext.Net Example</title>
        <script type="text/javascript">
            function afterRender(tf) {
                TextField1.setValue("<script>alert('Argh');<" + "/script>");
            }
        </script>
    
    </head>
    <body>
        <form runat="server">
        <ext:ResourceManager runat="server" />
        <ext:FormPanel runat="server">
            <Items>
                <ext:TextField runat="server" Width="200">
                    <Listeners>
                        <AfterRender Fn="afterRender"/>                    
                    </Listeners>
                </ext:TextField>
            </Items>
        </ext:FormPanel>
        </form>
    </body>
    </html>
    But some situations need to be handled properly, for example when Enter is pressed.
    What is your scenario? I think we could work this problem out together.
  5. #5
    Hi,

    Please do not use script tags in the string literals
    Please see
    http://www.herongyang.com/JavaScript...g-Literal.html
    http://webcache.googleusercontent.co...&ct=clnk&gl=ru
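The point made in post #5 is the actual root cause of the symptom in post #3: the HTML tokenizer ends a <script> element at the first `</script` it meets, whether or not the JavaScript parser is inside a string literal, so a decoded value containing `</script>` cuts the inline configuration script in half and leaves an unterminated string, with the remainder of the script rendered as page text. Turning off request validation (post #2) only removes ASP.NET's input filter; what has to change is how the value is escaped when it is written into the script. The following JavaScript is an added example, not code from the thread or from Ext.NET: it serializes the thread's sample value naively and with HTML-aware escaping, runs both through a minimal imitation of the tokenizer's script data state, and shows which one leaks text into the page. The config shape, the variable names and the splitScriptElement helper are assumptions for illustration, and the sample input is constructed.

```javascript
// Added example (not code from the thread or from Ext.NET). Demonstrates why
// "</script>" inside a JavaScript string literal breaks an inline <script>
// block and how to serialize untrusted text so that it can be embedded safely.

// Constructed sample input: the user-supplied text from the thread, already
// HTML-decoded (assumption: this is what ends up in txtTest.Text).
const USER_TEXT = "<script>alert('Argh');</script>";

// Naive serialization: plain JSON. Valid JavaScript, but not safe inside an
// inline <script> block, because the HTML parser runs before the JavaScript
// parser and knows nothing about string literals.
function toNaiveLiteral(value) {
  return JSON.stringify(value);
}

// Safe serialization: JSON, with every character that could open or close an
// HTML tag, comment or entity written as a \uXXXX escape. These escapes are
// valid in JSON and in JavaScript, so the browser reconstructs the original
// text, while the HTML tokenizer never sees "</script". U+2028/U+2029 are
// escaped as well: legal inside JSON strings, but line terminators in
// pre-ES2019 JavaScript.
function toInlineScriptLiteral(value) {
  return JSON.stringify(value).replace(/[<>&\u2028\u2029]/g, function (ch) {
    return '\\u' + ch.charCodeAt(0).toString(16).padStart(4, '0');
  });
}

// The kind of inline script a server-side control renders for a field value.
// Hypothetical shape for illustration; the real Ext.NET output is longer.
function renderInlineScript(literal) {
  return '<script>var cfg={"id":"txtTest","value":' + literal + '};</script>';
}

// Imitate the tokenizer's script data state: everything up to the first
// case-insensitive "</script" is script source, whatever follows is parsed as
// ordinary HTML. Returns both halves.
function splitScriptElement(html) {
  const open = html.indexOf('<script>') + '<script>'.length;
  const close = html.toLowerCase().indexOf('</script', open);
  return {
    source: html.slice(open, close),
    leaked: html.slice(close + '</script>'.length)
  };
}

// Run both serializations through the simulated parser.
function demo(value) {
  const naive = splitScriptElement(renderInlineScript(toNaiveLiteral(value)));
  const safe = splitScriptElement(renderInlineScript(toInlineScriptLiteral(value)));
  return {
    naiveSource: naive.source,   // ends mid-literal: "unterminated string constant"
    naiveLeaked: naive.leaked,   // '"};</script>' shows up as page text
    safeSource: safe.source,     // complete statement, no "</script" inside
    safeLeaked: safe.leaked,     // '' : nothing leaks
    // The escaped literal still decodes to the original text.
    roundTrip: JSON.parse(toInlineScriptLiteral(value)) === value
  };
}

const result = demo(USER_TEXT);
console.log(result);
```

The same escaping belongs on the server, at the point where the value is written into the inline script; the afterRender approach in post #4 sidesteps the problem only because its string is hand-written, and the `"<" + "/script>"` split it relies on is this escaping done by hand.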
