Friday, February 20, 2009

Add dynamic content to iFrame - IE issues

I need to add dynamic content to an iFrame, and I do not know in advance if this content will be plain text, HTML, JavaScript or a mix. I know that in most instances there will be some JavaScript payload to be executed as part of this content.

I am using a method similar to the one explained by Thomas Bindzus in his blog. This used to work like a charm until a few weeks ago, when it suddenly stopped working in Internet Explorer. Any attempt to do a document.write from the content being loaded failed. The funny thing is that the payload scripts did execute, but any attempt to add something to the document was ignored by the browser.

After what seemed like hours of playing around, I found out that IE has a problem when closing the document. I modified the logic a bit to avoid closing the document if we are dynamically adding content in IE.

function AddContent(content, frameId)
{
    var iframe = document.getElementById(frameId);

    var doc = null;
    var ie = false; // set only on the Internet Explorer path below, so it is never undefined
    if (iframe.contentDocument) { // Firefox, Opera
        doc = iframe.contentDocument;
    } else if (iframe.contentWindow) { // Internet Explorer
        doc = iframe.contentWindow.document;
        ie = true;
    } else if (iframe.document) { // Others?
        doc = iframe.document;
    }

    doc.open();
    doc.write(content);
    if (!ie) { // Only close the document for all other browsers, not for IE
        doc.close();
    }
}

Tuesday, February 17, 2009

Unescaping unicode characters in C# encoded in JavaScript

JavaScript escape and unescape are very powerful functions, but they have various idiosyncrasies that do not match the standard escaping methods in server-side C# code.
The regular methods we have in C# to handle escaping/unescaping are:
  • Uri.EscapeDataString
  • Uri.EscapeUriString
  • HttpUtility.UrlEncode
  • HttpUtility.UrlPathEncode
but none of these return a properly unescaped string when the input was escaped by the JavaScript counterpart. Fortunately for us, Microsoft's own JScript library has its own server-side implementation of the JavaScript escape/unescape methods, which do the job exactly as expected. They are exact equivalents.

string Microsoft.JScript.GlobalObject.unescape(string escapedString)

To use it in your code:
  1. Reference Microsoft.JScript.dll in your project
  2. Use the static methods in GlobalObject to do the escape/unescape
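To make the idiosyncrasy concrete, here is an added reference implementation (not code from the post, and not Microsoft's) of the legacy JavaScript escape/unescape format that Microsoft.JScript.GlobalObject.unescape decodes on the server. The point it demonstrates is why the URL encoders listed above cannot be used: escape() emits UTF-16 code units, as %XX for code units below 256 and %uXXXX for everything else, whereas URL encoding emits UTF-8 bytes, so a URL decoder either rejects or mangles escape() output. The function names jsEscape, jsUnescape and compareEncodings are my own; the sample strings are constructed for the example.

```javascript
// Added example: a port of the ECMAScript Annex B escape()/unescape() algorithms.
// escape() leaves A-Z a-z 0-9 @ * _ + - . / untouched, encodes code units < 256
// as %XX and all other UTF-16 code units as %uXXXX. It never looks at UTF-8.
const UNRESERVED = /[A-Za-z0-9@*_+\-.\/]/;

function jsEscape(str) {
  let out = '';
  for (let i = 0; i < str.length; i++) {
    const ch = str[i];
    const code = str.charCodeAt(i);
    if (UNRESERVED.test(ch)) {
      out += ch;
    } else if (code < 256) {
      out += '%' + code.toString(16).toUpperCase().padStart(2, '0');
    } else {
      out += '%u' + code.toString(16).toUpperCase().padStart(4, '0');
    }
  }
  return out;
}

function jsUnescape(str) {
  let out = '';
  let i = 0;
  while (i < str.length) {
    const ch = str[i];
    if (ch === '%') {
      // %uXXXX form: 'u' followed by exactly four hex digits
      const four = str.slice(i + 2, i + 6);
      if (str[i + 1] === 'u' && /^[0-9A-Fa-f]{4}$/.test(four)) {
        out += String.fromCharCode(parseInt(four, 16));
        i += 6;
        continue;
      }
      // %XX form: exactly two hex digits
      const two = str.slice(i + 1, i + 3);
      if (/^[0-9A-Fa-f]{2}$/.test(two)) {
        out += String.fromCharCode(parseInt(two, 16));
        i += 3;
        continue;
      }
    }
    // Anything else, including a malformed '%', is copied through unchanged;
    // unescape() never throws, unlike decodeURIComponent().
    out += ch;
    i += 1;
  }
  return out;
}

function decodeURIComponentSafe(s) {
  try {
    return decodeURIComponent(s);
  } catch (e) {
    return e.name + ': ' + e.message;
  }
}

// Side-by-side view of the same string under both encodings, plus what happens
// when a URL decoder is pointed at escape() output (the mismatch the post hits
// when trying HttpUtility.UrlEncode and friends on the C# side).
function compareEncodings(str) {
  const escaped = jsEscape(str);
  return {
    escape: escaped,
    encodeURIComponent: encodeURIComponent(str),
    roundTrip: jsUnescape(escaped) === str,
    urlDecodeOfEscape: decodeURIComponentSafe(escaped),
  };
}

// Constructed sample: "café €" becomes "caf%E9%20%u20AC" under escape() but
// "caf%C3%A9%20%E2%82%AC" under encodeURIComponent().
console.log(compareEncodings('café €'));
```

The round trip only holds when the decoder understands both the %XX and %uXXXX forms, which is exactly what GlobalObject.unescape provides and the URL-oriented .NET methods do not; the same argument applies in reverse if you ever need to produce escape()-compatible output from C# with GlobalObject.escape.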

Localization in ASP.NET markup

To localize HTML or ASP.NET controls on the markup:

<asp:CheckBox runat="server" id="chkOrderable" Text="<%$ Localize:Page_Property_Orderable %>" />

You must have a resource named Page_Property_Orderable in your String.resx file.

If you need to localize JavaScript content (when the code is inline in the ASP.NET markup), see Rick Strahl's blog post on the subject.

Friday, February 6, 2009

SuppressMessage in code for CAT.NET

If you are using Microsoft's CAT.NET static vulnerability analysis tool, you may find that it sometimes gives you false positives. If you need to suppress a finding, it gives you several options:

  • Manual suppression of found vulnerabilities in the CAT.NET UI
  • A Suppresions.xml file (located in the current project directory) - entries made in the Suppress tab of the UI get saved here
  • Method- and assembly-level suppressions in code, using the SuppressMessageAttribute class.

I find the method- and assembly-level suppressions most helpful when you want to suppress a false positive from your code while preparing it for security review by some other team or developer. In-code suppressions are also a good way of documenting your code, and they can be easily searched for.

Prerequisites for in-code suppression (the attribute is only compiled in when the CODE_ANALYSIS symbol is defined):

#define CODE_ANALYSIS
using System.Diagnostics.CodeAnalysis;

Assembly-level suppression:

[assembly: SuppressMessage("Microsoft.ACESec.CATNet.Core.Rules", "ACESEC05")]
namespace Project.Common
{
    ...
}

Method-level suppression:

public class SomeClass
{
    [SuppressMessage("Microsoft.ACESec.CATNet.Core.Rules", "ACESEC05")]
    public string MyFalsePositiveMethod()
    {
        ...
    }
}


VSTS Check-in: Internal error in Changeset Comments Policy

I recently rebuilt my machine, and while using Visual Studio Team System 2008 I was getting "Policy not met" errors every time I wanted to do a check-in into our TFS source control environment, regardless of the fact that I was consistently meeting all the policies.

I blatantly ignored the issue for several days, until it became a true nuisance to override the check-in policies every time. Here are the two errors I was getting consistently:

Policy Failures:

  • Internal error in Changeset Comments Policy
  • Internal error in Custom Path Policy

Solution:
Assuming you have Visual Studio Team System 2008, install the Visual Studio Team System 2008 Team Foundation Server Power Tools - October 2008 Release. You do not need to install the optional components (PowerShell, etc.). This works for both x86 and x64 OS versions.
You must restart Visual Studio to see the changes reflected.

Happy coding.