Thursday, 29 November 2007

XmlNode and how to add CDATA to it

All I needed to do was create via C# an XML file that included some CDATA sections:

<description><![CDATA[<P>hello world</P>]]></description>

After looking at the XmlDocument MSDN pages, it looked to be as simple as I had hoped. I ventured forth and created the following C#:

XmlNode itemDescription = doc.CreateNode("cdatasection", "description", "");
itemDescription.InnerText = post.PostedText;

But that code created this monstrosity (CreateNode with "cdatasection" returns a bare XmlCDataSection and ignores the name argument, so no description element is ever created):

<![CDATA[<P>hello world</P>]]> .... weird??!

After some experimenting I finally cracked it:

XmlNode itemDescription = doc.CreateElement("description");
XmlCDataSection cdata = doc.CreateCDataSection("<P>hello world</P>");
itemDescription.AppendChild(cdata);
item.AppendChild(itemDescription);

This code creates exactly what I need:

<description><![CDATA[<P>hello world</P>]]></description>
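As an added example (not code from the original post), the same item/description structure built through a helper that also copes with text containing "]]>". A CDATA section cannot contain that sequence (the XmlTextWriter behind OuterXml rejects it), and if it came from an untrusted source it would end the section early, so the helper splits the text across adjacent CDATA sections. The element names and the sample strings are made up for the example.

```csharp
using System;
using System.Xml;

static class CDataHelper
{
    // Appends <name> under parent with its text wrapped in one or more CDATA sections.
    // Any "]]>" in text is split so one section ends with "]]" and the next starts with ">";
    // a parser concatenates adjacent sections, so the original text round-trips unchanged.
    public static XmlElement AppendCDataElement(XmlDocument doc, XmlNode parent, string name, string text)
    {
        XmlElement element = doc.CreateElement(name);
        string[] parts = (text ?? string.Empty).Split(new[] { "]]>" }, StringSplitOptions.None);
        for (int i = 0; i < parts.Length; i++)
        {
            string chunk = parts[i];
            if (i > 0) chunk = ">" + chunk;                 // the ">" of the split "]]>"
            if (i < parts.Length - 1) chunk = chunk + "]]"; // the "]]" of the split "]]>"
            element.AppendChild(doc.CreateCDataSection(chunk));
        }
        parent.AppendChild(element);
        return element;
    }

    static void Main()
    {
        XmlDocument doc = new XmlDocument();
        XmlElement item = doc.CreateElement("item");
        doc.AppendChild(item);

        // Ordinary input: a single CDATA section, the same output as in the post.
        AppendCDataElement(doc, item, "description", "<P>hello world</P>");

        // Constructed input containing "]]>": written verbatim it would close the
        // section early; here it becomes <![CDATA[x]]]]><![CDATA[><b>breaks out</b>]]>.
        AppendCDataElement(doc, item, "note", "x]]><b>breaks out</b>");

        Console.WriteLine(doc.OuterXml);
    }
}
```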

Hope this saves someone some time :)

Tuesday, 20 November 2007

HttpRequestValidationException

You may stumble across the following exception when accepting HTML input through a form:

Exception type: HttpRequestValidationException Exception message: A potentially dangerous Request.Form value was detected from the client

This is .Net attempting to protect us from a potentially malicious input form value, which is sweet ...but sometimes unwanted. To avoid the exception being thrown you need to do two simple things:

1. Add the validateRequest page directive to the aspx page and set it to false, or, to disable it for the entire web application, update your web.config:

<%@ Page language="c#" validateRequest="false" Codebehind="TestForm.aspx.cs" ... %>
... OR ...
<configuration>
 <system.web>
   <pages validateRequest="false" />
 </system.web>
</configuration>

2. Manually defuse any potentially malicious input form values in the code-behind:

string formFieldValue = Server.HtmlEncode(Request["FormKeyValue"]);
string queryValue = Server.UrlEncode(Request.QueryString["QueryKeyValue"]);

All step 2 does is escape characters, e.g. < is replaced with &lt;

WARNING !!! If you don't validate the input data manually, like in step 2, you could leave your application vulnerable to cross-site scripting or injection attacks. In fact, I recommend that you validate input data manually anyway, as the request validation performed by .Net isn't bulletproof.
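Steps 1 and 2 put together in a code-behind, as an added example rather than code from the original post. The page directive is assumed to carry validateRequest="false", so raw HTML reaches Request.Form; the code then treats every submitted value as untrusted and encodes it for the context it is written into. The control names and the page class are made up for the example.

```csharp
using System;
using System.Web;
using System.Web.UI;
using System.Web.UI.WebControls;

// Assumed markup:  <%@ Page Language="C#" validateRequest="false" Inherits="TestForm" %>
public partial class TestForm : Page
{
    // Hypothetical controls declared in the .aspx markup.
    protected TextBox commentBox;    // where the user types HTML
    protected Literal echoLiteral;   // shows the submission back inside the page body
    protected HyperLink searchLink;  // carries the submission in a query string

    // HTML body context: < > & " become entities, so markup is displayed, never parsed.
    public static string ForHtml(string raw)
    {
        return HttpUtility.HtmlEncode(raw ?? string.Empty);
    }

    // Query-string context: spaces, '&', '=' and '<' are percent-encoded, so the value
    // cannot add or alter parameters of the URL it is placed in.
    public static string ForQuery(string raw)
    {
        return HttpUtility.UrlEncode(raw ?? string.Empty);
    }

    protected void Page_Load(object sender, EventArgs e)
    {
        if (!IsPostBack) return;

        // With request validation off this is the value exactly as the client sent it.
        string raw = Request.Form[commentBox.UniqueID] ?? string.Empty;

        // Encode per output context. Encoding is output protection only; any business
        // rule (length, allowed characters) still has to be checked on raw separately.
        echoLiteral.Text = ForHtml(raw);
        searchLink.NavigateUrl = "Search.aspx?q=" + ForQuery(raw);
    }
}
```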

Friday, 16 November 2007

Web App Security - Top 5 Vulnerabilities You NEED to Know About

Security was a hot topic at TechEd Developers 2007 and I was keen to attend some of the talks related to Web App security in particular. A couple of talks conveyed well the importance of security and showed first hand a number of top vulnerabilities that web apps can be left open to. Below are what I think are the top 5 vulnerabilities you need to be aware of when developing web apps:

  1. Cross Site Scripting (XSS) : Takes user supplied data and sends it to a browser without validation/encoding of the data [more info on cross site scripting].
  2. Injection Flaws : Again user supplied data is consumed, typically as a query string (or any command/query input), tricking the app into running malicious/unwanted commands on data. This usually manifests as SQL injection [more info on injection flaws].
  3. Insecure Communications : Web apps not encrypting communications of a sensitive nature. Sensitive communication between client and server (e.g. for logging customers in) should force an https connection to protect the user from sniffers and man in the middle attacks (if the certificate is signed) [more info on https].
  4. Improper Error Handling : The leaking of sensitive information as a result of an application error. For a .Net web app ensure customErrors in the web.config does NOT have the value Off on a live web server (default value is RemoteOnly) [more info on customErrors].
  5. Object Serving Handlers : Allowing users to manipulate a URL or form parameter to gain access to a restricted internal object such as a file, folder, database record, etc. [more info on object serving vulnerabilities]
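Items 2 and 5 in one data-access method, as an added example that is not from the original post. The record id arrives straight from a URL or form parameter, so it is parsed and bound as a typed SqlParameter rather than concatenated into the query, and the query is scoped to the logged-in user's id so a manipulated id cannot serve another user's record. The table, column names and connection string are assumed for the example.

```csharp
using System;
using System.Data;
using System.Data.SqlClient;

public static class InvoiceRepository
{
    // VULNERABLE form, kept only for contrast: the raw parameter becomes part of the SQL
    // text (injection flaw) and nothing ties the record to the requesting user (item 5).
    public static string UnsafeQuery(string invoiceIdParam)
    {
        return "SELECT Body FROM Invoices WHERE InvoiceId = " + invoiceIdParam;
    }

    // Hardened form: validate the shape of the input, bind it as a parameter, and let the
    // query itself enforce ownership. Returns null when the record is absent OR not owned,
    // so the response does not reveal which case applied.
    public static string LoadInvoice(string connectionString, string invoiceIdParam, int currentUserId)
    {
        int invoiceId;
        if (!int.TryParse(invoiceIdParam, out invoiceId) || invoiceId <= 0)
            return null; // rejected before the database is touched

        const string sql =
            "SELECT Body FROM Invoices WHERE InvoiceId = @id AND OwnerUserId = @owner";

        using (SqlConnection conn = new SqlConnection(connectionString))
        using (SqlCommand cmd = new SqlCommand(sql, conn))
        {
            cmd.Parameters.Add("@id", SqlDbType.Int).Value = invoiceId;
            cmd.Parameters.Add("@owner", SqlDbType.Int).Value = currentUserId;
            conn.Open();
            return cmd.ExecuteScalar() as string;
        }
    }

    static void Main()
    {
        // Constructed values; the connection string is a placeholder, not a real server.
        string body = LoadInvoice("Server=PLACEHOLDER;Database=Shop;Integrated Security=true",
                                  "42", currentUserId: 7);
        Console.WriteLine(body ?? "(not found or not yours)");
    }
}
```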

A top community/site for all security conscious web developers is the Open Web Application Security Project. I particularly like their top 10 project (10 most critical web application security flaws), which is a great place to spruce up your web app security awareness.

MS ASP.Net AJAX Cheat Sheets

Just stumbled across some concise and extremely helpful MS AJAX Javascript Library cheat sheets. Definitely worth a look if you work with AJAX in .Net, you'll soon wonder how you lived without them :)

Tuesday, 6 November 2007

TechEd Europe 2007 Keynote

Keynote Speech : As expected, there was the usual build up of upcoming Microsoft releases (VS 2008, Microsoft Expression, Silverlight, .Net framework 3.5 to name but a few) present in the opening speech, and although this was interesting, I felt most impressed with Somasegar's achievements and commitments to much needed MSDN improvements. Somasegar (who is VP of Microsoft's Developer Division in case you didn't know) seems to have a desire to create a real community for real developer input, making it a primary port of call for many rather than few.

Another thing I was impressed with was the newly introduced Software + Services Blueprints that contain a framework with source code access, guidance and tools that work with Visual Studio to enable you to easily build software + services solutions. Although many software companies have their own patterns etc for building software solutions, it seems like a great place to get your teeth into add-ins for Microsoft products (such as the first in the series of such blueprints: creating an Outlook 2007 add-in ). He has also now posted a blog entry related to his TechEd Europe keynote speech online which might be of interest to those not here in person.

Sunday, 4 November 2007

Microsoft TechEd Developers 2007 @ Barcelona

I’ve finally reached beautiful, vibrant and diverse Barcelona. While its remarkable two thousand years of history leave parts of this city feeling like a grand scale museum, you can’t help but notice the drive for change and renovation also present here. A perfect setting perhaps to be given the opportunity of hundreds of learning activities, opportunities and resources of all varieties from the technology giant that is Microsoft @ TechEd Developers 2007 Conference.

I’m looking to focus on the Web Development areas of the conference mainly, although I'm open to any of the new technology developments that are on offer here, so watch this space over the next 5 days :)