Using MVC4 with client-side & unobtrusive validation enabled, I'm trying to understand how the validation determine if an entered DateTime value is valid or not.
In my application this formatted date is valid: 01/31/2013,
while if I enter: 31/01/2013, I get:
The field [fieldId] must be a date
How does it determined what is a valid date?
How does it determined what is a valid date?
It uses the current culture defined on your client browser to determine the correct format. For example if your browser is configured to use en-US as default language then the correct format is M/d/yyyy. If you client browser is configured to use fr-FR language the correct format is dd/MM/yyyy.
It will all depend on what language is your browser configured to use.
Great Question. This seems to be an ongoing issue from MVC 3. I see it all the time. There are countless complaints about the issue like this http://forums.asp.net/t/1831712.aspx/1
Darin Dimitrov wrote a great post in which he uses DataStringFormat to force it.
Format datetime in asp.net mvc 4
I highly recommend it. Great read. If you use it, give a +1 to his answer.
For my $$$ I will stick to and swear by JQuery date pickers populating uneditable controls for the user's benefit.
Related
I'm using Kentico CMS v10, and the Scrolling News widget (for Corporate Site). The underlying news articles display with the date in UK format, as per our site culture and user culture, but the "Scrolling News" widget always displays in US date format.
I am guessing I just haven't found the correct place to configure the Culture/TimeZone for this widget... but I cannot find anywhere to do so!
Any ideas gratefully received.
Firstly I would advise to NOT use the default sample elements (if they ever get updated or removed by official upgrade or hotfix it might break your site). I suggest you make a clone of the widget and create your own custom transformation.
Apart from the above in the sample it uses transformation "CorporateSite.Transformations.NewsHome"
which you can locate in the page type application:
here you can update it to a format you please.
By default TMonthCalendar shows date in the format that is set in Windows control panel (Short Date). I want to override this setting and force TMonthCalendar to always display my format regardless of Windows setting. Is it possible ?
As far as I know, you can not change the date format settings of TMonthCalendar.
The reason for this is the fact that TMonthCalendar is actually just a wrapper around a calendar API from the OS. That is why not only is the date format in the form that is set in OS regional settings, but the whole look of the calendar matches the look of the OS on which you are running your application on.
So, I'm afraid you will have to look at some third party components for this. For instance, TMS Software has several calendar and date-time picking components as part of TPlannerCalendar.
No, this control is a wrapper for the native Month Calendar Control. As the documentation states:
The month-calendar control gets its format and all strings from
LOCALE_USER_DEFAULT.
I have CMS system where I am using CK Editor to enter data. Now if user types in <script>alert('This is a bad script, data');</script> then CKEditor does the fair job and encodes it correctly and passes <script>alert('This is a bad script, data')</script> to server.
But if user goes into browser developer tools (using Inspect element) and adds this inside it as shown in the below screen shot then this is when all the trouble starts. Now after retrieving back from DB when this is displayed in Browser it presents alert box.
So far I have tried many different things one them is
Encode the contents using AntiXssEncoder [HttpUtility.HtmlEncode(Contents)] and then store it in database and when displaying back in browser decode it and display it using MvcHtmlString.Create [MvcHtmlString.Create(HttpUtility.HtmlDecode(Contents))] or Html.Raw [Html.Raw(Contents)] as you may expect both of them displays JavaScript alert.
I don't want to replace the <script> manually thru code as it is not comprehensive solution (search for "And the encoded state:").
So far I have referred many articles (sorry not listing them all here but just adding few as proof to show I have put sincere efforts before writing this question) but none of them have code which shows the answer. May be there is some easy answer and I am not looking in right direction or may be it is not that simple at all and I may need to use something like Content Security Policy.
ASP.Net MVC Html.Raw with AntiXSS protection
Is there a risk in using #Html.Raw?
http://blog.simontimms.com/2013/01/21/content-security-policy-for-asp-net-mvc/
http://blog.michaelckennedy.net/2012/10/15/understanding-text-encoding-in-asp-net-mvc/
To reproduce what I am saying go to *this url and in the text box type <script>alert('This is a bad script, data');</script> and click the button.
*This link is from Michael Kennedy's blog
It isn't easy and you probably don't want to do this. May I suggest you use a simpler language than HTML for end user formatted input? What about Markdown which (I believe) is used by Stackoverflow. Or one of the existing Wiki or other lightweight markup languages?
If you do allow Html, I would suggest the following:
only support a fixed subset of Html
after the user submits content, parse the Html and filter it against a whitelist of allowed tags and attributes.
be ruthless in filtering and eliminating anything that you aren't sure about.
There are existing tools and libraries that do this. I haven't used it, but I did stumble on http://htmlpurifier.org/. I assume there are many others. Rick Strahl has posted one example for .NET, but I'm not sure if it is complete.
About ten years ago I attempted to write my own whitelist filter. It parsed and normalized the entered Html. Then it removed any elements or attributes that were not on the allowed whitelist. It worked pretty well, but you never know what vulnerabilities you've missed. That project is long dead, but if I had to do it over I would have used an existing simpler markup language rather than Html.
There are so many ways for users to inject nasty stuff into your pages, you have to be fierce to prevent this. Even CSS can be used to inject executable expressions into your page, like:
<STYLE type="text/css">BODY{background:url("javascript:alert('XSS')")}</STYLE>
Here is a page with a list of known attacks that will keep you up at night. If you can't filter and prevent all of these, you aren't ready for untrusted users to post formatted content viewable by the public.
Right around the time I was working on my own filter, MySpace (wow I'm old) was hit by an XSS Worm known as Samy. Samy used Style attributes with embedded background Url that had a javascript payload. It is all explained by the author.
Note that your example page says:
This page is meant to accept and display raw HTML by trusted
editors.
The key issue here is trust. If all of your users are trusted (say employees of a web site), then the risk here is lower. However, if you are building a forum or social network or dating site or anything that allows untrusted users to enter formatted content that will be viewable by others, you have a difficult job to sanitize Html.
I managed to resolve this issue using the HtmlSanitizer in NuGet:
https://github.com/mganss/HtmlSanitizer
as recommended by the OWASP Foundation (as good a recommendation as I need):
https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet#RULE_.236_-_Sanitize_HTML_Markup_with_a_Library_Designed_for_the_Job
First, add the NuGet Package:
> Install-Package HtmlSanitizer
Then I created an extension method to simplify things:
using Ganss.XSS;
...
public static string RemoveHtmlXss(this string htmlIn, string baseUrl = null)
{
if (htmlIn == null) return null;
var sanitizer = new HtmlSanitizer();
return sanitizer.Sanitize(htmlIn, baseUrl);
}
I then validate within the controller when the HTML is posted:
var cleanHtml = model.DodgyHtml.RemoveHtmlXss();
AND for completeness, sanitise whenever you present it to the page, especially when using Html.Raw():
<div>#Html.Raw(Model.NotSoSureHtml.RemoveHtmlXss())</div>
I want to check what are ALL the possible parameters for any existing website url. Assuming the site is working with parameters type query string "architecture" (and not MVC for example) something like:
http://www.foobar.com/p1&itemsPerPage=50&size=500
Let's say there are other parameters which I don't know exist, and I don't see them in the url at the moment. For example, parameters like max, day and OtherExoticVariable. Again, I don't know their names but want to know ALL of their names. Is there some way of requesting the server to respond will all possible url parameters?
I would prefer a method with Javascript that I could run quickly through a browser but could also do asp.net c# if necessary.
Thanks a lot!
Ray.
It is the script/app running on the server that decides what parameters are valid. Unless the app provides such a query mechanism you can't do it. The server has no idea what is valid and what isn't.
Not guaranteed to get you ALL query strings, but it is often helpful to Google
"foobar.com/p1& * ".
You will be able to see all the public occurrences of query strings for the foobar.com website.
(As the accepted answer says, there is no general method to access query strings unless the website provides an API.)
I do not think this is possible. Each Web application designer can decide on the parameters individually, and you only know them if you see them being used.
I use input type "date" with jquery mobile. But for each device it display different result.
+ Android operating system: choose input date the same type of android calendar
+ iOS: choose input date date the sam type of iOS
+ Desktop: choose input date the same type of operating system install on desktop
I want display dd/MM/yyyy format standard for all device. How to custom format default input date???
Thank you so much!
You can do this, but this is too much of a waste of time and involves cumbersome use of HTML5's localStorage api. For more info, look at this question. In this case also, it's not possible to make type=date behave uniformly in all browsers because each browser handles this differently and you don't have any control over it.
HTML5's standards indicate usage of YYYY-MM-DD format but the browsers sniff your local date format and use that. See this from w3:
The format used "on the wire", i.e. in HTML markup and in form submissions, is intended to be computer-readable and consistent irrespective of the user's locale. Dates, for instance, are always written in the format "YYYY-MM-DD", as in "2003-02-01". Users are not expected to ever see this format.
and this question at jquery Mobile site.
All this must tell you that doing this will take a lot of effort from you. Instead, it would be better if you use some other alternative to this, taken from this question like this : http://jsbin.com/ukelis/1/edit
you could change the dateformat in the altFormat option in the JS and make this work for you. You could also look at this - a mobile version for jquery UI's datepicker.