
Agency Oasis Developers: Group items tagged IT


mgraber

James Jardine : Developer Notes - 0 views

  •  
    "Cross Site Request Forgery (CSRF). This article assumes you already understand what CSRF is and how it works. If you don't, do a quick Google search and it will clear it up. CSRF can be done using POST or GET, but GET is much easier to implement. By default, ASP.Net forms and other functionality work via the POST method. If we could submit a GET instead of a POST it would open up the attack surface a great deal. No longer do we need someone to visit a page with a form on it; we could actually embed the GET request (a link) in emails or other media. Fortunately for the attacker, unfortunately for the developer, .Net uses value shadowing for its controls. This means all server-side controls (i.e. ViewState, EventValidation, EventCommand, EventArguments, etc.). It is possible to take the values that would be submitted as part of the form and just add them to the query string instead. Now there is a GET request that is comparable to the POST request. ASP.Net Webforms does not check whether a post back comes from GET or POST. The one thing to keep in mind is that the URL in a GET is limited in size. If the form is large and the viewstate is very large, this could block this technique from working. This depends on the way the application is configured (more later)."
Mark Ursino

jquery.qrcode - 1 views

  •  
    jquery.qrcode.js is a jQuery plugin for pure in-browser QR code generation. It allows you to easily add QR codes to your web pages. It is standalone, less than 4k after minify+gzip, with no image download. It doesn't rely on external services which go on and off, or add latency while loading. It is based on a library which builds QR codes in various languages; jquery.qrcode.js wraps it to make it easy to include in your own code.
Mark Ursino

Closure Compiler - Google Code - 0 views

  •  
    The Closure Compiler is a tool for making JavaScript download and run faster. It is a true compiler for JavaScript. Instead of compiling from a source language to machine code, it compiles from JavaScript to better JavaScript. It parses your JavaScript, analyzes it, removes dead code and rewrites and minimizes what's left. It also checks syntax, variable references, and types, and warns about common JavaScript pitfalls.
mgraber

Cross-Site Request Forgery (CSRF) Prevention Cheat Sheet - OWASP - 0 views

  •  
    "Viewstate (ASP.NET). ASP.NET has an option to maintain your ViewState. The ViewState indicates the status of a page when submitted to the server. The status is defined through a hidden field placed on each page with a control. Viewstate can be used as a CSRF defense, as it is difficult for an attacker to forge a valid Viewstate. It is not impossible to forge a valid Viewstate, since it is feasible that parameter values could be obtained or guessed by the attacker. However, if the current session ID is added to the ViewState, it then makes each Viewstate unique, and thus immune to CSRF. To use the ViewStateUserKey property within the Viewstate to protect against spoofed post backs, add the following in the OnInit virtual method of the Page-derived class (this property must be set in the Page.Init event): protected override void OnInit(EventArgs e) { base.OnInit(e); if (User.Identity.IsAuthenticated) ViewStateUserKey = Session.SessionID; } The following keys the Viewstate to an individual using a unique value of your choice (Page.ViewStateUserKey). This must be applied in Page_Init because the key has to be provided to ASP.NET before Viewstate is loaded. This option has been available since ASP.NET 1.1. However, there are limitations on this mechanism, such as: ViewState MACs are only checked on POSTback, so any other application requests not using postbacks will happily allow CSRF."
mgraber

ASP.NET View State Overview - 0 views

  •  
    "Encrypting View State Although MAC encoding helps prevent tampering with view state data, it does not prevent users from viewing the data. You can prevent people from viewing this data in two ways: by transmitting the page over SSL, and by encrypting the view state data. Requiring the page to be sent over SSL can help prevent data-packet sniffing and unauthorized data access by people who are not the intended recipients of the page. However, the user who requested the page can still view the view state data because SSL decrypts the page to display it in the browser. This is fine if you are not concerned about authorized users having access to view state data. However, in some cases, controls might use view state to store information that no users should have access to. For example, the page might contain a data-bound control that stores item identifiers (data keys) in view state. If those identifiers contain sensitive data, such as customer IDs, you should encrypt the view state data in addition to or instead of sending the page over SSL. To encrypt the data, set the page's ViewStateEncryptionMode property to true. If you store information in view state, you can use regular read and write techniques; the page handles all encryption and decryption for you. Encrypting view state data can affect the performance of your application. Therefore, do not use encryption unless you need it. Control State Encryption Controls that use control state can require that view state be encrypted by calling the RegisterRequiresViewStateEncryption method. If any control in the page requires that view state be encrypted, all view state in the page will be encrypted. Per-user View State Encoding If a Web site authenticates users, you can set the ViewStateUserKey property in the Page_Init event handler to associate the page's view state with a specific user. This helps prevent one-click attacks, in which a malicious user creates a valid, pre-filled Web page with view state from a pre
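The three excerpts above (the GET postback via value shadowing, the OWASP ViewStateUserKey advice, and the MSDN notes on view state encryption) describe one Webforms hardening story, so here they are combined in a single Page base class. This is an added example, not code from the original page, from OWASP or from MSDN: the class name and the 405 response are this example's own choices, and it assumes session state is enabled for the page. Two caveats the excerpts gloss over: ViewStateUserKey only affects MAC validation of a postback, so a GET that Webforms does not treat as a postback is not covered by it, and ViewStateEncryptionMode is an enum (Always, Auto, Never) rather than a boolean; under the default Auto, a call to RegisterRequiresViewStateEncryption turns encryption on for the whole page.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Added example (not from the original page, OWASP or MSDN). A base Page that
// keys the ViewState MAC to the session, refuses postbacks that arrive by GET,
// and asks for view state encryption. Derive your pages from it instead of Page.
public class CsrfHardenedPage : Page
{
    protected override void OnInit(EventArgs e)
    {
        base.OnInit(e);

        // 1. Per-user ViewState: a ViewState captured in the attacker's own
        //    session no longer MAC-validates inside the victim's session.
        //    Must happen in Init, before ViewState is loaded. Keyed only for
        //    authenticated users: an anonymous session ID is regenerated on
        //    every request until something is stored in Session, which would
        //    break legitimate postbacks.
        if (User != null && User.Identity.IsAuthenticated)
        {
            ViewStateUserKey = Session.SessionID;
        }

        // 2. Close the GET hole: when the method is not POST, Webforms reads
        //    __VIEWSTATE, __EVENTTARGET and friends from the query string
        //    (value shadowing), so a link in an e-mail can replay a form
        //    submission. Rejecting here runs before LoadViewState.
        if (IsPostBack &&
            !string.Equals(Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase))
        {
            throw new HttpException(405, "Postbacks must be sent with POST.");
        }

        // 3. Encrypt view state so data keys (customer IDs and the like) are not
        //    readable by the user who received the page. Effective under the
        //    default ViewStateEncryptionMode.Auto; ignored under Never. Must be
        //    called before PreRender.
        RegisterRequiresViewStateEncryption();
    }
}
```

The 405 is deliberate: a GET carrying postback fields is never a legitimate request, so failing loudly is preferable to silently ignoring the fields. Non-postback GET handlers (anything that acts on query-string parameters without going through a postback) still need their own anti-CSRF token; nothing in this class protects them.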
Mark Ursino

Lightbox_me - Stupidly Simple Lightboxing - 1 views

  •  
    Lightbox_me is an essential tool for the jQuery developer's toolbox. Feed it a DOM element wrapped in a jQuery object and it will lightbox it for you, no muss no fuss.
Mark Ursino

http is deprecated. - 0 views

shared by Mark Ursino on 29 Jan 11
  •  
    By default, all popular Web browsers assume the HTTP protocol. In doing so, the software prepends 'http://' onto the requested URL and automatically connects to the HTTP server on port 80. Why then do many pages explicitly set http on all hypertext links? Surely it is easier to type "domain.com" than "http://domain.com". HTTP is also deprecated due to the ever-evolving web: the HyperText Transfer Protocol is no longer used to transfer hypertext. It is increasingly being used as a means to transfer any content over port 80. Thus the definition "http" no longer means anything in the context of a URL, since you are unlikely to be requesting hypertext. As the web evolves, next generation protocols will begin to replace http. By explicitly using "http://domain.com" in your links you are forcing your viewers of the future into using an obsolete protocol. By using "//domain.com" you will guarantee the protocol of tomorrow will work with your pages of today. Succinctly, use of the http protocol is redundant and time consuming to communicate. The internet, media, and society are all better off without it.
Mark Ursino

WeBlog - 0 views

  •  
    WeBlog is a blog module for Sitecore 6.2+. It is the successor to the EviBlog module. Features: Windows Live Writer integration (MetaWeblog API); Page Editor support and custom WebEdit ribbon; Wordpress import; CSS-based themes, with custom themes possible (one included); various blog navigation components; comments (with author notification and optional approval workflow); comment CAPTCHA through MSCaptcha or reCAPTCHA; Gravatar support; social sharing through ShareThis or AddThis, and other Facebook and Twitter widgets; tagging and tag cloud; RSS feeds (Sitecore integrated RSS); multi-server (staged architecture) support; globalized labels and messaging (English, Danish, Dutch, and Japanese translations provided). Most importantly, WeBlog has been architected to allow you to easily integrate it into your existing content and design, and to allow you to customize its templates and layout to your project requirements.
Mark Ursino

Parsley.js - 0 views

  •  
    Never write a single line of JavaScript again to validate your forms on the front end. Parsley will do that for you, and do it right, thanks to its powerful DOM API!
Douglas Couto

Auto select file in solution explorer from its open tab in visual studio 2010 - Stack O... - 0 views

  •  
    "I don't know if you can do it on-demand, but you can enable the option "Track Active Item in Solution Explorer" (options->Projects and Solutions) which will always select the active tab item in the solution explorer."
Mark Ursino

EpicEditor - An embeddable JavaScript Markdown editor - 0 views

  •  
    "EpicEditor is an embeddable JavaScript Markdown editor with split fullscreen editing, live previewing, automatic draft saving, offline support, and more. For developers, it offers a robust API, can be easily themed, and allows you to swap out the bundled Markdown parser with anything you throw at it. "
Douglas Couto

How to install Web Management Service (WMSvc) : The Official Microsoft IIS Site - 0 views

  •  
    On the server you need to install a Role Service called Management Service. You find this by going to ServerManager->Roles->WebServer(IIS) and then looking in the right panel, section RoleServices. There it is, and there you can click to add it to the config.
Douglas Couto

TeamCity Build Agent Disconnected | The Ninja's Apprentice - 0 views

  •  
    If an agent becomes disconnected for whatever reason, you can follow these steps to re-connect it: (1) ssh to the server that the disconnected agent is on; (2) go to the build agent's bin directory (e.g. /opt/teamcity/buildagent/buildagent01/bin/); (3) su to the user that the agent runs as (e.g. appBuilder); (4) run agent.sh start. That will start the agent, and after a few seconds or so, the next time you go to TeamCity, it will be connected.
Mark Ursino

Sitecore Link Database - 0 views

  •  
    Sometimes it is required to get all Items in the database based on a given template. Iterating through the entire database may be a very expensive operation though. However in this particular case, we can resort to the Link database. Link database is used by Sitecore to resolve all the linking issues - what referrers and what references the Item has. And if an item is based on a template, it also counts as a reference from the item to the template. The solution then is very simple: get all the referrers for a given template item.
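The link-database lookup described above, written out as an added example (not code from the original post or from Sitecore). It assumes the standard Sitecore API surface: Sitecore.Globals.LinkDatabase.GetReferrers(Item) returning ItemLink[], and ItemLink.GetSourceItem(). The database name and template ID in the usage are hypothetical.

```csharp
using System.Collections.Generic;
using System.Linq;
using Sitecore.Configuration;
using Sitecore.Data;
using Sitecore.Data.Items;
using Sitecore.Links;

// Added example (not from the original post or from Sitecore): find every item
// based on a template by asking the link database who refers to the template,
// instead of walking the whole content tree.
public static class TemplateQuery
{
    public static IEnumerable<Item> ItemsOfTemplate(Database database, ID templateId)
    {
        Item template = database.GetItem(templateId);
        if (template == null)
        {
            return Enumerable.Empty<Item>();
        }

        // Every recorded reference to the template item. An item's template
        // field is stored as a reference, so every item based on the template
        // shows up; so do other references (a template listing this one as a
        // base template, a droplink field pointing at it), hence the filter
        // on TemplateID below.
        ItemLink[] links = Globals.LinkDatabase.GetReferrers(template);

        return links
            .Select(link => link.GetSourceItem())          // null if the source was deleted since the last rebuild
            .Where(item => item != null && item.TemplateID == templateId)
            .GroupBy(item => item.ID)                       // one link per language/version; collapse to one item
            .Select(group => group.First());
    }

    // Hypothetical usage: master database, template ID chosen for the example.
    public static int CountExample()
    {
        Database master = Factory.GetDatabase("master");
        ID templateId = new ID("{A87A00B1-E6DB-45AB-8B54-636FEC3B5523}");
        return ItemsOfTemplate(master, templateId).Count();
    }
}
```

Two things to keep in mind when relying on this: the link database is only as fresh as its last update, so rebuild it (Control Panel, Database, Rebuild link database) after bulk imports or package installs before trusting the result, and a referrer whose source item has been deleted comes back as null from GetSourceItem, which the Where clause above drops.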
Mark Ursino

Spritebaker - Ridiculous easy Base64 encoding for Designers - 0 views

  •  
    A free tool for designers and web developers. It parses your css and returns a copy with all external media "baked" right into it as Base64 encoded datasets. The number of time consuming http-requests on your website is decreased significantly, resulting in a massive speed-boost (server-side gzip-compression must be enabled).
Mark Ursino

Demystifying 'Sys is undefined' - 0 views

  •  
    Are you running into this error on your ASP.NET AJAX enabled web site? Does it only happen on some machines or on some browsers? Here's how you can get to the bottom of it.
Mark Ursino

CARTOVIEW - 0 views

  •  
    Our framework is fast, flexible, and FREE. It's designed for people who edit map content. Find out more, or try it out yourself with our online demo. CartoView allows you to use Google Maps, Google Earth Browser, OpenLayers and other mapping APIs interchangeably. CartoView offers an advanced plugin architecture for rendering plugins on many web mapping applications. Use CartoView to develop your mapping plugin once and use it in many different online mapping applications.
Mark Ursino

jQuery Bubble Popup - 0 views

  •  
    jQuery Bubble Popup is a plugin to display smart, animated and shadowed "bubble" popups or tooltips with a few lines of jQuery code. The plugin supports HTML5 and is fully compatible with IE, Firefox, Chrome, Opera and Safari. It needs jQuery v1.4.2 to run.
Mark Ursino

Html Agility Pack - 0 views

  •  
    This is an agile HTML parser that builds a read/write DOM and supports plain XPath or XSLT (you actually don't HAVE to understand XPath or XSLT to use it, don't worry...). It is a .NET code library that allows you to parse "out of the web" HTML files. The parser is very tolerant of "real world" malformed HTML. The object model is very similar to what System.Xml proposes, but for HTML documents (or streams).
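A small added example of the tolerant parse plus XPath usage the description refers to (this is not code from the original page or from the Html Agility Pack project): it extracts the absolute http(s) links from a page whose markup is deliberately broken, and discards javascript:, data: and relative targets, which is the check you want before following links scraped from a page you do not control. The sample markup is constructed for this example.

```csharp
using System;
using System.Collections.Generic;
using HtmlAgilityPack;

// Added example (not from the original page or the Html Agility Pack project).
public static class LinkExtractor
{
    public static List<string> ExtractHrefs(string html)
    {
        var doc = new HtmlDocument();
        doc.LoadHtml(html);   // does not throw on bad markup; doc.ParseErrors records what it repaired

        var hrefs = new List<string>();
        // Element and attribute names are lower-cased on parse, so this also
        // matches <A HREF=...>. SelectNodes returns null (not an empty
        // collection) when nothing matches.
        HtmlNodeCollection anchors = doc.DocumentNode.SelectNodes("//a[@href]");
        if (anchors == null)
        {
            return hrefs;
        }
        foreach (HtmlNode a in anchors)
        {
            // GetAttributeValue hands back the raw attribute text; decode
            // entities (&amp; and friends) before treating it as a URL.
            string href = HtmlEntity.DeEntitize(a.GetAttributeValue("href", string.Empty));
            Uri uri;
            if (Uri.TryCreate(href, UriKind.Absolute, out uri)
                && (uri.Scheme == Uri.UriSchemeHttp || uri.Scheme == Uri.UriSchemeHttps))
            {
                hrefs.Add(uri.AbsoluteUri);   // javascript:, data: and relative links are dropped
            }
        }
        return hrefs;
    }

    public static void Main()
    {
        // Constructed input: unclosed <p> and <a>, unquoted attribute, entity in a URL.
        const string sample =
            "<html><body><p>Unclosed paragraph" +
            "<a href=http://example.com/a?x=1&amp;y=2>one</a>" +
            "<a href='javascript:alert(1)'>script</a>" +
            "<a href=\"/relative\">rel</a>" +
            "<A HREF=\"https://example.org/\">two";
        foreach (string href in ExtractHrefs(sample))
        {
            Console.WriteLine(href);
        }
    }
}
```

Scheme filtering is the part that matters when the input is untrusted: a tolerant parser will happily give you a javascript: or data: href, and it is the caller's job to refuse to navigate to or render it.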
Mark Ursino

Ketchup Plugin - 1 views

  •  
    Ketchup is a slim jQuery Plugin that validates your forms. It aims to be very flexible and extendable for its appearance and functionality.