Server.HtmlEncode fails with "Server is undefined"

Discussion in 'ASP .Net' started by teddysnips@hotmail.com, Jul 4, 2007.

  1. Guest

    In my application I need to allow users to cut 'n' paste stuff from
    various sources, some of which might include dodgy characters such as
    "<". Natch, IE interprets these as potentially dangerous and provides
    a mechanism to encode/decode them. However I can't seem to get it to
    work:

    ....
    <asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
    POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
    onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
    CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
    TextMode="MultiLine"></asp:textbox>

    ....

    <script language="vb" runat=server>
    Public Sub ReplaceScriptCode()
    txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
    End Sub
    </script>

    The app. barfs, telling me that "Server is undefined". Thoughts?

    Thanks

    Edward
    , Jul 4, 2007
    #1

  2. wrote:
    > In my application I need to allow users to cut 'n' paste stuff from
    > various sources, some of which might include dodgy characters such as
    > "<". Natch, IE interprets these as potentially dangerous and provides
    > a mechanism to encode/decode them. However I can't seem to get it to
    > work:
    >
    > ...
    > <asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
    > POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
    > onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
    > CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
    > TextMode="MultiLine"></asp:textbox>
    >
    > ...
    >
    > <script language="vb" runat=server>
    > Public Sub ReplaceScriptCode()
    > txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
    > End Sub
    > </script>
    >
    > The app. barfs, telling me that "Server is undefined". Thoughts?
    >
    > Thanks
    >
    > Edward
    >


    You are mixing server code and client code. The code in the onblur event
    doesn't call the VB subroutine that you have put in the server code, it
    calls the client side function with the same name.

    As you don't get the error message that ReplaceScriptCode is undefined,
    I assume that you also have a Javascript or VBScript function with that
    name?

    If you have put the same code in that function as in your VB server side
    subroutine, that will obviously not work, as there is no Server object
    on the client side.

    What is it that you are trying to do, really? There is nothing dangerous
    about pasting markup code into a textbox. ASP.NET won't let you post
    stuff that contains markup code to the server by default, but that is a
    completely different thing, and has a completely different solution.

    --
    Göran Andersson
    _____
    http://www.guffa.com
    Göran Andersson, Jul 4, 2007
    #2

  3. Edward

    I think your problem is that the OnBlur event, which is calling your
    ReplaceScriptCode, is a client side event, whereas the Server object is server
    side. The code works fine if executed from code behind:

    <asp:TextBox ID="txtDescription" Style="z-index: 102; left: 111px; position: absolute; top: 124px"
        TabIndex="29" runat="server" onblur="return ReplaceScriptCode()"
        Width="553px" Height="52px" CssClass="STANDARD"
        Font-Names="Arial" Font-Size="8pt"
        TextMode="MultiLine"></asp:TextBox>

    <script language="vb" runat="server">
        Protected Overrides Sub OnLoad(ByVal e As System.EventArgs)
            MyBase.OnLoad(e)

            ' Runs on the server, where the Server object exists.
            txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
        End Sub
    </script>

    <asp:Button ID="Button1" runat="server" Text="Button" /></div>

    Just hit the button to test it.

    Hope this helps

    Tom

    "" wrote:

    > In my application I need to allow users to cut 'n' paste stuff from
    > various sources, some of which might include dodgy characters such as
    > "<". Natch, IE interprets these as potentially dangerous and provides
    > a mechanism to encode/decode them. However I can't seem to get it to
    > work:
    >
    > ....
    > <asp:textbox id=txtDescription style="Z-INDEX: 102; LEFT: 111px;
    > POSITION: absolute; TOP: 124px" tabIndex=29 runat="server"
    > onblur="return ReplaceScriptCode()" Width="553px" Height="52px"
    > CssClass="STANDARD" Font-Names="Arial" Font-Size="8pt"
    > TextMode="MultiLine"></asp:textbox>
    >
    > ....
    >
    > <script language="vb" runat=server>
    > Public Sub ReplaceScriptCode()
    > txtDescription.Text = Server.HtmlEncode(txtDescription.Text)
    > End Sub
    > </script>
    >
    > The app. barfs, telling me that "Server is undefined". Thoughts?
    >
    > Thanks
    >
    > Edward
    >
    >
    Tom John, Jul 4, 2007
    #3
  4. Guest

    On 4 Jul, 12:09, Göran Andersson <> wrote:
    > wrote:

    [...]
    > What is it that you are trying to do, really? There is nothing dangerous
    > about pasting markup code into a textbox. ASP.NET won't let you post
    > stuff that contains markup code to the server by default, but that is a
    > completely different thing, and has a completely different solution.


    As you say. The problem comes when the user tries to post the text
    (dumb of me, I know, I should have mentioned that).

    The user wants to be able to paste stuff into text boxes which is then
    sent to the server for processing (generally, storage in a database
    and later retrieval).

    I don't want to remove validation at page level - in fact I doubt the
    clients would let me. I rolled my own client-side jscript to strip
    out markup code which was called from the OnBlur event, but I thought
    I could improve on it using built-in functions.

    In short, the requirement is:

    ASP.NET with VB code behind.

    User pastes stuff into an ASP TextBox

    Presses "Save" button. Save button is asp:Button running server-side.

    Remove/replace "dangerous" code with HtmlEncoded stuff and save to
    database.

    Thoughts?

    Thanks,

    Edward
    , Jul 4, 2007
    #4
  5. wrote:
    > On 4 Jul, 12:09, Göran Andersson <> wrote:
    >> wrote:

    > [...]
    >> What is it that you are trying to do, really? There is nothing dangerous
    >> about pasting markup code into a textbox. ASP.NET won't let you post
    >> stuff that contains markup code to the server by default, but that is a
    >> completely different thing, and has a completely different solution.

    >
    > As you say. The problem comes when the user tries to post the text
    > (dumb of me, I know, I should have mentioned that).
    >
    > The user wants to be able to paste stuff into text boxes which is then
    > sent to the server for processing (generally, storage in a database
    > and later retrieval).
    >
    > I don't want to remove validation at page level - in fact I doubt the
    > clients would let me.


    That validation is not required, as long as you make sure that you treat
    the data as unvalidated on the server side. That means that you never
    put it on a page or use it in a database query without making sure that
    it's properly encoded.

    As the validation doesn't cover any possible circumstances, that's what
    you already should be doing anyway.

    Read up on cross site scripting and sql injections, so that you know how
    these types of security leaks can be exploited.

    > I rolled my own client-side jscript to strip
    > out markup code which was called from the OnBlur event, but I thought
    > I could improve on it using built-in functions.
    >
    > In short, the requirement is:
    >
    > ASP.NET with VB code behind.
    >
    > User pastes stuff into an ASP TextBox
    >
    > Presses "Save" button. Save button is asp:Button running server-side.
    >
    > Remove/replace "dangerous" code with HtmlEncoded stuff and save to
    > database.
    >
    > Thoughts?


    Storing it html encoded in the database serves no purpose. Html code can
    not harm the database. You just have to make sure it isn't put on a page
    without being encoded.

    --
    Göran Andersson
    _____
    http://www.guffa.com
    Göran Andersson, Jul 4, 2007
    #5
  6. Guest

    On 4 Jul, 15:58, Göran Andersson <> wrote:
    > wrote:
    > > On 4 Jul, 12:09, Göran Andersson <> wrote:
    > >> wrote:

    > > [...]
    > >> What is it that you are trying to do, really? There is nothing dangerous
    > >> about pasting markup code into a textbox. ASP.NET won't let you post
    > >> stuff that contains markup code to the server by default, but that is a
    > >> completely different thing, and has a completely different solution.

    [...]

    Thanks for all your help so far - it really is appreciated.

    I realise that there's no danger to the database from the text, or
    markup code (actually, in the scenario at present, it's simply users
    copying and pasting e-mail messages wholesale, including the reply
    prefixes e.g. >> as seen above which are the main problem). I just
    want to allow the users to copy and paste what they want and save this
    text to the database without incurring "A potentially dangerous
    Request.Form value ... " error. So it seems to make sense to
    html-encode the text, whatever it is, save it, and then un-html-encode it
    when the data is retrieved and displayed.

    I can't be the only person in history to have encountered this problem
    yet I can't seem to find any examples that satisfy my requirements. I
    thought this page:

    http://www.asp.net/faq/RequestValidation.aspx#5

    had it, but I can't make it work.

    Any further ideas before you lose patience completely?

    Edward
    , Jul 4, 2007
    #6
  7. Mark Rae [MVP], Jul 4, 2007
    #7
  8. wrote:
    > On 4 Jul, 15:58, Göran Andersson <> wrote:
    >> wrote:
    >>> On 4 Jul, 12:09, Göran Andersson <> wrote:
    >>>> wrote:
    >>> [...]
    >>>> What is it that you are trying to do, really? There is nothing dangerous
    >>>> about pasting markup code into a textbox. ASP.NET won't let you post
    >>>> stuff that contains markup code to the server by default, but that is a
    >>>> completely different thing, and has a completely different solution.

    > [...]
    >
    > Thanks for all your help so far - it really is appreciated.
    >
    > I realise that there's no danger to the database from the text, or
    > markup code (actually, in the scenario at present, it's simply users
    > copying and pasting e-mail messages wholesale, including the reply
    > prefixes e.g. >> as seen above which are the main problem). I just
    > want to allow the users to copy and paste what they want and save this
    > text to the database without incurring "A potentially dangerous
    > Request.Form value ... " error. So it seems to make sense to
    > html-encode the text, whatever it is, save it, and then un-html-encode it
    > when the data is retrieved and displayed.


    No, that doesn't make sense. Encoding only makes sense if you use an
    encoding that is relevant for where you put the data. Html-encoding data
    that goes into the database and then decoding it when you read it is a
    total waste of time, space and code. It serves no purpose at all.

    Also, as you were trying to encode the text on the client side, that
    doesn't make it any safer. On the contrary, as you would later decode
    this text that you can't safely say that you know is properly encoded,
    you would instead open up the security hole that the validation is meant
    to help prevent.

    > I can't be the only person in history to have encountered this problem


    Of course not. I have handled the problem myself several times.

    > yet I can't seem to find any examples that satisfy my requirements. I
    > thought this page:
    >
    > http://www.asp.net/faq/RequestValidation.aspx#5
    >
    > had it, but I can't make it work.


    Just pick that single property from that page and put it in your @Page
    directive. That turns the validation off.

    Then you just handle the data as normal, just store it in the database
    as it is. When you later put it on a page, make sure that it's properly
    html encoded.

    --
    Göran Andersson
    _____
    http://www.guffa.com
    Göran Andersson, Jul 4, 2007
    #8
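
The flow recommended in the post above (validation off for this page, raw text stored, encoding applied only when the text is written into HTML), as an added VB code-behind example that is not code from any poster in this thread. The `ValidateRequest` attribute name is the standard ASP.NET page setting and is not quoted on this page; the control names `btnSave` and `litDescription`, the `Items` table, the `AppDb` connection string and the fixed `ItemId` are hypothetical.

```vb
' Added example. Page directive (Description.aspx), per the advice above:
'   <%@ Page Language="VB" ValidateRequest="false"
'       CodeFile="Description.aspx.vb" Inherits="DescriptionPage" %>
' Assumed controls: txtDescription (TextBox), btnSave (Button), litDescription (Literal).
Imports System
Imports System.Configuration
Imports System.Data
Imports System.Data.SqlClient

Partial Class DescriptionPage
    Inherits System.Web.UI.Page

    Private Const ItemId As Integer = 1 ' constructed sample key

    Private Shared Function OpenDb() As SqlConnection
        Dim cs As String = ConfigurationManager.ConnectionStrings("AppDb").ConnectionString
        Dim conn As New SqlConnection(cs)
        conn.Open()
        Return conn
    End Function

    ' Save: store the text exactly as typed. The parameter keeps it out of
    ' the SQL statement, so quotes or markup in it cannot alter the query.
    Protected Sub btnSave_Click(ByVal sender As Object, ByVal e As EventArgs) Handles btnSave.Click
        Using conn As SqlConnection = OpenDb()
            Using cmd As New SqlCommand("UPDATE Items SET Description = @d WHERE ItemId = @id", conn)
                cmd.Parameters.Add("@d", SqlDbType.NVarChar, -1).Value = txtDescription.Text
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = ItemId
                cmd.ExecuteNonQuery()
            End Using
        End Using
        ShowDescription()
    End Sub

    ' Display: encode at the point where the text is written into HTML.
    Private Sub ShowDescription()
        Dim raw As String
        Using conn As SqlConnection = OpenDb()
            Using cmd As New SqlCommand("SELECT Description FROM Items WHERE ItemId = @id", conn)
                cmd.Parameters.Add("@id", SqlDbType.Int).Value = ItemId
                raw = Convert.ToString(cmd.ExecuteScalar())
            End Using
        End Using
        ' A Literal in its default mode writes Text as-is, so encode first.
        litDescription.Text = Server.HtmlEncode(raw).Replace(vbCrLf, "<br />")
        ' TextBox HTML-encodes its own value when it renders; assign raw text.
        txtDescription.Text = raw
    End Sub
End Class
```

On ASP.NET 4.0 and later the page-level setting only takes effect when web.config also sets `<httpRuntime requestValidationMode="2.0" />`.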