Kentico vs ValidateRequest

It seems Kentico are insisting on not encoding HTML sent to the server from the fckEditor. Instead, Kentico advises turning ValidateRequest off.

That’s pretty fckEd. In this post, Kentico assure us they take security seriously:

“we do a lot of investigating on this issue and fix every potentially dangerous part of the system during development stage as well as later during testing stage”

It would seem to me that encoding HTML from the fckEditor, in order to allow ValidateRequest not to break, would be high on their list. Apparently not.

The issue I have is, not all of the website in question is the work of Kentico. In fact, the bulk of the solution is custom built, while using Kentico to leverage its content management. Obviously then, it would be unwise to turn off ValidateRequest for the whole site.

So enough ranting about Kentico, here’s the solution. Short of hacking the entire Kentico site to HTML-encode all instances of the fckEditor, we can localise turning off ValidateRequest to just the Kentico pages via directory-level web.configs and keep ValidateRequest = true in the root web.config.

Add this section to the directory-level web.configs for all things Kentico (i.e. CMSAdminControls, CMSDesk, CMSFormControls, CMSMasterPages, CMSModules, CMSPages, CMSSiteManager):

<system.web>
 <pages validateRequest="false" />
</system.web>
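
One way to check that the exception stays confined to the Kentico directories, as an added example that is not from the original post or from Kentico: the script walks a site root and reports any web.config that disables request validation at the root or outside the directories listed above. The sample tree, including its `Shop` directory, is constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Directories named in the post; anything else is custom code and must keep validation on.
KENTICO_DIRS = {"CMSAdminControls", "CMSDesk", "CMSFormControls", "CMSMasterPages",
                "CMSModules", "CMSPages", "CMSSiteManager"}

def validate_request_setting(config_path):
    """Return 'true'/'false' when a <pages> element sets validateRequest, else None."""
    for el in ET.parse(config_path).getroot().iter():
        # Strip an XML namespace if the file declares one on <configuration>.
        if el.tag.rsplit("}", 1)[-1] != "pages":
            continue
        for name, value in el.attrib.items():
            # Matched case-insensitively so a mis-cased attribute is still reported.
            if name.lower() == "validaterequest":
                return value.strip().lower()
    return None

def audit(site_root):
    """Return sorted (relative_dir, problem) pairs for unexpected validateRequest=false."""
    findings = []
    for dirpath, _dirs, files in os.walk(site_root):
        cfg = next((f for f in files if f.lower() == "web.config"), None)
        if cfg is None or validate_request_setting(os.path.join(dirpath, cfg)) != "false":
            continue
        rel = os.path.relpath(dirpath, site_root)
        if rel == ".":
            findings.append((rel, "request validation disabled for the whole site"))
        elif rel.split(os.sep)[0] not in KENTICO_DIRS:
            findings.append((rel, "request validation disabled outside Kentico directories"))
    return sorted(findings)

def build_sample_site(base, root_value="true"):
    """Write a constructed sample tree: CMSDesk off (expected), Shop off (a finding)."""
    template = '<configuration><system.web><pages validateRequest="%s" /></system.web></configuration>'
    for rel, value in ((".", root_value), ("CMSDesk", "false"), ("Shop", "false")):
        folder = os.path.join(base, rel)
        os.makedirs(folder, exist_ok=True)
        with open(os.path.join(folder, "web.config"), "w") as fh:
            fh.write(template % value)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_site(tmp)
        for rel, problem in audit(tmp):
            print(rel, "->", problem)
```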

Kentico have advised they will look at fixing this issue in later releases. However, I wouldn’t hold your breath; they’ve been saying this since 2006.

So, in short, Kentico are fckEd.

Windows Phone 7 Dev Xmass drinks in Sydney

Courtesy of Nick Harris .NET:

 

Event:
WP7Dev XMass Drinks meet and greet

Please indicate your attendance here – http://events.linkedin.com/Windows-Phone-7-Developer-XMass-Drinks/pub/496913

Purpose:
Let’s get together for some XMass Drinks and/or dinner to trade some WP7 Dev stories and demos. Event will be informal, i.e. around bar tables, so bring along your device or laptop if you wish to show people what you have been up to.

Date, Time, Location:

6-8pm
Tues 14th Dec 2010
City Hotel,
Corner of King and Kent St, Sydney CBD.


Script Helper

Good ol’ Glavy boy has posted a ScriptHelper for MVC and WebForms here.

“For example, in the page you can do

<%= ScriptHelper.RequiresScript(ScriptName.jqueryValidateUnobtrusive) %>

Or

<%= ScriptHelper.RequiresScript("jQuery-validate-unobtrusive") %>

And you would get

<script type='text/javascript' src='/Scripts/jquery-1.4.1.js'></script>
<script type='text/javascript' src='/Scripts/jquery.validate.js'></script>
<script type='text/javascript' src='/Scripts/jquery.validate.unobtrusive.js'></script>

The library is currently hosted on Bitbucket here http://bitbucket.org/glav/mvc-script-dependency-extension. Thanks Glavvy boy.

Password Strength Ajax Component

While going through some of the examples in the Microsoft .NET Framework 3.5 – ASP.NET Application Development Self-Paced Training Kit, I came across a nice Ajax component for evaluating the strength of a password.

Add a JS file to the scripts folder and add this code:


///
Type.registerNamespace("AjaxEnabled");

//create constructor
AjaxEnabled.PasswordStrengthComponent = function() {
    AjaxEnabled.PasswordStrengthComponent.initializeBase(this);
}

//define class
AjaxEnabled.PasswordStrengthComponent.prototype = {
  initialize: function() {
    //add custom initialization here
    AjaxEnabled.PasswordStrengthComponent.callBaseMethod(this, 'initialize');
  },

  returnPasswordStrength: function(password) {
    var strPass = new String(password.toString());
    if (strPass.length <  5) {
      return "Weak";
    }
    else {
      if (strPass.length < 9) {
        return "Medium";
      }
      else {
        return "Strong";
      }
    }
  },

  dispose: function() {
    //add custom dispose actions here
    AjaxEnabled.PasswordStrengthComponent.callBaseMethod(this, 'dispose');
  }
}

//register class as a Sys.Component
AjaxEnabled.PasswordStrengthComponent.registerClass(
  'AjaxEnabled.PasswordStrengthComponent', Sys.Component);

//notify script loaded
if (typeof(Sys) !== 'undefined') Sys.Application.notifyScriptLoaded();

Add a reference to the JS file in the page using the ScriptManager:

      <asp:ScriptManager ID="ScriptManager1" runat="server">
        <Scripts>
          <asp:ScriptReference Path="~/AjaxComponent.js" />
        </Scripts>
      </asp:ScriptManager>

Wire up the OnKeypress() event:

      <script language="javascript" type="text/javascript">

          function _OnKeypress() {
              var checker = new AjaxEnabled.PasswordStrengthComponent();
              var pass = document.getElementById("txtPassword").value;
              var strength = checker.returnPasswordStrength(pass);
              document.getElementById("lblStrength").innerText = strength;
          }

      </script>