Search Results

Search found 574 results on 23 pages for 'iniquities of evil men'.

Page 3/23 | < Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >

  • CallContext and ApplicationHost

    - by p2u
    I tried to create an ApplicationHost. But I had errors like SerializationException and FileNotFoundException. Then I found this blog entry, where it's seem to be a remoting problem. In my little application I use the CallContext, so I tried some approaches. When I empty the CallContext before I create the ApplicationHost, it works: Programm class: namespace ApplicationHostDemo { public class Program { public static void Main(string[] args) { Evil evil = new Evil(); CallContext.SetData(Evil.CALLCONTEXT, evil); CallContext.FreeNamedDataSlot(Evil.CALLCONTEXT); Console.WriteLine("Simple Host-Demo\r\n"); Host host = CreateHost(); CallContext.SetData(Evil.CALLCONTEXT, evil); host.ProcessRequest("Index.aspx"); Console.WriteLine("\r\n\r\nSimple Host-Demo end"); Console.ReadLine(); } public static Host CreateHost() { return (Host)ApplicationHost.CreateApplicationHost(typeof(Host), "/", Directory.GetCurrentDirectory()); } public class Host : MarshalByRefObject { public void ProcessRequest(string page) { SimpleWorkerRequest swr = new SimpleWorkerRequest(page, "", Console.Out); HttpRuntime.ProcessRequest(swr); } } } } Evil class: namespace ApplicationHostDemo { [Serializable] public class Evil : ILogicalThreadAffinative { public const string CALLCONTEXT = "evil"; public string Name { get; set; } } } Do you know or could you explain why it works?

    Read the article

  • Slide Men&uacute; con Jquery &amp; Asp.net

    - by Jason Ulloa
    En este post, trabajaremos una parte que en ocasiones se nos hace un “mundo”, la creación de menús en nuestras aplicaciones web. Nuestro objetivo será evitar la utilización de elementos que puedan ocasionar que la página se vuelva un poco lenta, para ello utilizaremos jquery que viene siendo una herramienta muy semejante a ajax para crear nuestro menú. Para crear nuestro menús de ejemplo necesitaremos de tres elementos: 1. CSS, para aplicar los estilos. 2. Jquery para realizar las animaciones. 3. Imágenes para armar los menús. Nuestro primer Paso: Será agregar la referencias a nuestra página, para incluir los CSS y los Scripts. 1: <link rel="stylesheet" type="text/css" href="Styles/jquery.hrzAccordion.defaults.css" /> 2: <link rel="stylesheet" type="text/css" href="Styles/jquery.hrzAccordion.examples.css" /> 3: <script type="text/javascript" src="JS/jquery-1.3.2.js"></script> 1:  2: <script type="text/javascript" src="JS/jquery.easing.1.3.js"> 1: </script> 2: <script type="text/javascript" src="JS/jquery.hrzAccordion.js"> 1: </script> 2: <script type="text/javascript" src="JS/jquery.hrzAccordion.examples.js"> </script> Nuestro segundo paso: Será la definición del html que contendrá los elementos de tipo imagen y el texto. 1: <li> 2: <div class="handle"> 3: <img src="images/title1.png" /></div> 4: <img src="images/image_test.gif" align="left" /> 5: <h3> 6: Contenido 1</h3> 7: <p> 8: Contenido de Ejemplo 1.<br> 9: <br> 10: Agregue todo el contenido aquí</p> 11: </li> En el código anterior, hemos definido un elemento que contendrá una imagen que se mostrará dentro del menú una vez desplegado. Una etiqueta H3 de html que tendrá el Título y un elemento <p> para definir el parrado de texto. Como vemos es algo realmente sencillo. Si queremos agregar mas elementos, será nada mas copiar el div anterior y agregar nuevo contenido. Al final, nuestro menú debe lucir algo así: Por último, les dejo el ejemplo para descargar

    Read the article

  • L'empire Google est-il « Evil » ? le géant se développe-t-il trop ?

    L'empire Google est-il "Evil" ? le géant se développe-t-il trop ? Une vidéo (pas très objective) publiée récemment sur le Net tend à raviver la psychose qui tourne autour de Google et du contrôle quasi-mondial que la firme pourrait opèrer sur les êtres humains. En reprenant certains chiffres liés aux activités de l'entreprise, la dimension tentaculaire de l'énorme empire Google est montrée avec force. Même si le groupe de Moutain View n'a pas encore dépassé les bornes, pourrait-il le faire ?

    Read the article

  • The HTML5 doctype is not triggering standards mode in IE8

    - by El Guapo
    i work for a company where all our sites currently use the XHTML 1.0 transitional doctype (yes i know it is very old school). I want to change them all to use the HTML5 doctype seeing as it is backwards compatible. One of the reasons why i want to make the switch is because in IE8 if someone has the developer tools installed then the old XHTML doctype switches the browser into compatibility mode and renders the page as IE7. From reading up on it i was led to believe that the HTML5 doctype will set any page to render in standards mode, but this is not happening when i test it on our staging server it still flips into IE7 rendering mode. The weird thing is if i save the page with HTML5 doctype locally and open it, it is rendering in IE8 standards mode. There must be something else causing it to drop into compatibility IE7 rendering. Any ideas what this could be? Below is the head of the test page i have been looking at: <!DOCTYPE html > <html xmlns="http://www.w3.org/1999/xhtml" xmlns:og="http://opengraphprotocol.org/schema/" xmlns:fb="http://www.facebook.com/2008/fbml"> <head> <title>Burton - Mens Clothing - Mens Fashion - Burton Menswear</title> <meta http-equiv="Content-Type" content="text/html; charset=utf-8" /> <meta name="description" content="Burton is one of the UK's leading men's clothing &amp; fashion retailers, with a range of men's clothing designed to make you look &amp; feel good. Find formal &amp; casual clothes &amp; accessories for men online at Burton menswear"/> <meta name="keywords" content="menswear, clothes for men, clothing for men, men clothes, men's fashion, men's wear, men's clothing online, men's clothes online, men's clothes shop, burton men's, burton menswear, burton uk, burton"/> <script type="text/javascript">document.getElementsByTagName('html')[0].className = 'js';</script> <link rel="stylesheet" type="text/css" href="http://eu.burton-menswear.com/wcsstore/ConsumerDirectStorefrontAssetStore/images/colors/color2/v3/css/screen.css" /> <link rel="stylesheet" type="text/css" href="http://eu.burton-menswear.com/wcsstore/ConsumerDirectStorefrontAssetStore/images/colors/color2/v3/css/print.css" media="print"/> <link rel="stylesheet" type="text/css" href="http://eu.burton-menswear.com/wcsstore/ConsumerDirectStorefrontAssetStore/images/colors/color2/v3/css/brand.css" /> <!--[if lt IE 8]> <link rel="stylesheet" href="http://eu.burton-menswear.com/wcsstore/ConsumerDirectStorefrontAssetStore/images/colors/color2/v3/css/ie.css" type="text/css" media="screen, projection"> <![endif]--> <meta http-equiv="content-language" content="en-gb" /> <link rel="shortcut icon" type="image/x-icon" href="http://eu.burton-menswear.com/favicon.ico" /> <link rel="search" type="application/opensearchdescription+xml" title="burton.co.uk Search" href="http://eu.burton-menswear.com/burton-search.xml"/> <!-- Start Summit Tag --> <script type="text/javascript"> var __stormJs = "t1.stormiq.com/dcv4/jslib/3286_D92B7532_4A18_46A8_864A_5FDF1DF25844.js"; </script> <script type="text/javascript" src="http://eu.burton-menswear.com/javascript/track.js"></script> <!-- End Summit Tag --> <!-- Start QuBit Tag --> <script src=//d3c3cq33003psk.cloudfront.net/opentag-31935-42109.js async defer></script> <!-- End QuBit Tag --> <link type="text/css" rel="stylesheet" href="http://reviews.br.wcstage.arcadiagroup.ltd.uk/bvstaging/static/6028-en_gb/bazaarvoice.css" ></link> </head>

    Read the article

  • Movember 2012

    - by Tim Koekkoek
    If you were lucky enough to visit one of the Oracle Dublin offices during the month November you may have noticed a bunch of mustached merchants. If you thought the mustache was the newest hair fashion in Ireland you were wrong. These guys were the Mo Bro’s and proud members of MOracle, our Movember 2012 team. The aim of Movember is to raise vital funds and awareness for men’s health, especially prostate cancer. To raise these funds, men don't shave their upper lips for a whole month and get sponsored for it by friends, family and colleagues. To highlight the importance of supporting this cause, take a look at these statistics: •             1 out of 8 men will be diagnosed with prostate cancer during their life. •             This year more than 2,000 new cases of disease will be diagnosed. •             1 out of 3 men will be diagnosed with cancer during their life. It was a long and heavy month for all the Mo Bro’s, but in the end the effort has paid off. Under the leadership of team captain Jimmy this team managed to raise over €4,400  and was ranked #34 out of 1142 Irish Movember teams. The team couldn't have done it without the constant support of our colleagues and sponsors. Many thanks to all of you! We are very happy to have raised money and awareness for men’s health. On top of that we are also happy to have raised awareness for the most underrated and abandoned piece of man’s hair… the mustache. This is just the beginning; soon many men will proudly wear this fashionable look again!

    Read the article

  • Is it evil to model JSON responses to classes when they are mostly smilar?

    - by Aybe
    Here's the problem : While implementing a C# wrapper for an online API (Discogs) I've been faced to a dilemma : quite often the responses returned have mostly similar members and while modeling these responses to classes, some questions surfaces on which way to go would be the best. Example : Querying for a 'release' or a 'master' will return an object that contains an array of 'artist', however these 'artists' do not exactly have the same members. Currently I decided to represent these 'artists' as a single 'Artist' class, against having respective 'ReleaseArtist' and 'MasterArtist' classes which soon becomes very confusing even though another problem arises : when a category (master or release) does not return these members, they will be null. Though it might sound confusing as well I find it less confusing than the former situation as I've tackled the problem by simply not showing null members when visualizing these objects. Is this the right approach to follow ? An example of these differences : public class Artist { public List<Alias> Aliases { get; set; } public string DataQuality { get; set; } public List<Image> Images { get; set; } public string Name { get; set; } public List<string> NameVariations { get; set; } public string Profile { get; set; } public string Realname { get; set; } public string ReleasesUrl { get; set; } public string ResourceUrl { get; set; } public string Uri { get; set; } public List<string> Urls { get; set; } } public class ReleaseArtist { public string Join { get; set; } public string Name { get; set; } public string Anv { get; set; } public string Tracks { get; set; } public string Role { get; set; } public string ResourceUrl { get; set; } public int Id { get; set; } }

    Read the article

  • Why didn't IE8 support border-radius, evil or ignorance?

    - by Mark Rogers
    When I think back to the time of the release of IE7, I was surprised that there wasn't border-radius support. It seems like an obviously great idea to have a css-property name for rounded corners, which can potentially make a site look less like it came from the computer stone-age. Finally, today we have IE9 and Microsoft finally decided to play ball with the rest of the world. But the question remains, why didn't Microsoft bother to support border-radius in IE8? The problem probably became obvious to the company as the growing chorus of complaints from web developers got louder after the release of IE7. Was the company so isolated or in group-think mode that they were blind for that many years? Or did Microsoft have some additional motive to suppress the border-radius property?

    Read the article

  • Is premature optimization really the root of all evil?

    - by Craig Day
    A colleague of mine today committed a class called ThreadLocalFormat, which basically moved instances of Java Format classes into a thread local, since they are not thread safe and "relatively expensive" to create. I wrote a quick test and calculated that I could create 200,000 instances a second, asked him was he creating that many, to which he answered "nowhere near that many". He's a great programmer and everyone on the team is highly skilled so we have no problem understanding the resulting code, but it was clearly a case of optimizing where there is no real need. He backed the code out at my request. What do you think? Is this a case of "premature optimization" and how bad is it really?

    Read the article

  • Good SEO - Why is Good SEO Better Than Its Evil 'Black Hat' Brother?

    With the rise of today's technology, a number of bad and dodgy practices have come into play that can seriously put your website at risk from being banned in the search engines - no questions asked. The constant shift of techniques and 'state of flux' the search engines remain in makes it difficult to differentiate between good and bad SEO.

    Read the article

  • What is the most EVIL code you have ever seen in a production enterprise environment?

    - by Registered User
    What is the most evil or dangerous code fragment you have ever seen in a production environment at a company? I've never encountered production code that I would consider to be deliberately malicious and evil, so I'm quite curious to see what others have found. The most dangerous code I have ever seen was a stored procedure two linked-servers away from our core production database server. The stored procedure accepted any NVARCHAR(8000) parameter and executed the parameter on the target production server via an double-jump sp_executeSQL command. That is to say, the sp_executeSQL command executed another sp_executeSQL command in order to jump two linked servers. Oh, and the linked server account had sysadmin rights on the target production server.

    Read the article

  • Too Few Women in IT!

    - by Yolande
    Last year, only 1% of attendees at Devoxx were women . This year, Devoxx addressed the issue in a panel entitled "Why We Should Target Women." On the panel were Kim Ross, Régina ten Bruggencate, Trisha Gee, Antonio Goncalves and Claude Falguiére. The moderator was Martijn Verburg. The discussion focused on how to attract women to programming and how to get current women programmers to be more active in the community. The panelists agreed that the IT field should not just attract more women but also men of different ethnic backgrounds. The lack of women in programming is in part a cultural issue that differs from region to region. In developed countries, very few women work as programmers whereas in Brazil and India a lot of women pursue careers in IT.  Women in developed countries perceive the field as isolating and very few young women graduate in computer science.  This perception of isolation was based in reality decades ago, but that is no longer the case today. Main ideas discussed by the panel: - Parents should encourage their daughters to play with Lego and learn programming - More organizations should target girls in high schools and young women in university to expose them to programming.  Duchess organization is planning on being more involved with young girl events and mentoring. - Women tend to be more self-critical about their skills and are intimidated by high skill requirements in job advertisements. Companies should change job advertisements to get more women to interviews. - Panelists don't recommend affirmative action because women feel favored and lose credibility. They want to be judged for their skills. - Panelists recommend acting the same way when dealing with either female or male co-workers and managers - Women need mentors (men or women) to learn to become speakers at conferences and to promote themselves better - Men should be sensitive to the fact that women are alone at work to respond to men teasing. The balance of power at work is different from a social setting. - Men also experience discrimination on the job. It is more difficult for men to take time off when their children are sick, for example. Equal valuing of parental obligations could result in equal pay for women. See also: Trisha Gee Blog - http://mechanitis.blogspot.com/ Duchess Organization - http://www.jduchess.org/

    Read the article

  • If innerHTML is evil, then what's a better way change the text of a link?

    - by sanj
    I know innerHTML is supposedly evil, but I think it's the simplest way to change link text. For example: <a id="mylink" href="">click me</a> In JS you can change the text with: document.getElementById("mylink").innerHTML = new_text; And in Prototype/jQuery: $("mylink").innerHTML = new_text; works fine. Otherwise you have to replace all of the child nodes first and then add a text node. Why bother?

    Read the article

  • How would I merged nested dictionaries in a list in python?

    - by Kevin
    for example if i had the result [{'Germany': {"Luge - Men's Singles": 'Gold'}}, {'Germany': {"Luge - Men's Singles": 'Silver'}}, {'Italy': {"Luge - Men's Singles": 'Bronze'}}] [{'Germany': {"Luge - Women's Singles": 'Gold'}}, {'Austria': {"Luge - Women's Singles": 'Silver'}}, {'Germany': {"Luge - Women's Singles": 'Bronze'}}] [{'Austria': {'Luge - Doubles': 'Gold'}}, {'Latvia': {'Luge - Doubles': 'Silver'}}, {'Germany': {'Luge - Doubles': 'Bronze'}}] how would I sort this so that all of the events germany and so on had won could be under one single title. i.e germany would be germany:Luge - Men's Singles: Gold, Silver, Luge - Women's Singles: Gold, Bronze, Luge - Doubles: Bronze. thanks for any help

    Read the article

  • Premature optimization is the root of all evil, but can it ever be too late?

    - by polygenelubricants
    "We should forget about small efficiencies, say about 97% of the time: premature optimization is the root of all evil" So what is that 3% like? Can the avoidance of premature optimization ever be taken too extreme that it does more harm than good? Even if it's rare, has there been a case of a real measurable software engineering disaster due to complete negligence to optimize early in the process? Bonus question: is software engineering pretty much the only field that has such a counter intuitive principle regarding doing something earlier rather than later before things potentially become too big a problem to fix? Personal question: how do you justify something as premature optimization and not just a case of you being lazy/ignorant/dumb?

    Read the article

  • Is GOTO really as evil as we are led to believe?

    - by RoboShop
    I'm a young programmer, so all my working life I've been told GOTO is evil, don't use it, if you do, your first born son will die. Recently, I've realized that GOTO actually still exists in .NET and I was wondering, is GOTO really as bad as they say, or is it just because everyone says you shouldn't use it, so that's why you don't. I know GOTO can be used badly, but are there any legit situations where you may possibly use it. The only thing I can think of is maybe to use GOTO to break out of a bunch of nested loops. I reckon that might be better then having to "break" out of each of them but because GOTO is supposedly always bad, I would never use it and it would probably never pass a peer review. What are your views? Is GOTO always bad? Can it sometimes be good? Has anyone here actually been gutsy enough to use GOTO for a real life system?

    Read the article

  • What techniques can be used to detect so called "black holes" (a spider trap) when creating a web crawler?

    - by Tom
    When creating a web crawler, you have to design somekind of system that gathers links and add them to a queue. Some, if not most, of these links will be dynamic, which appear to be different, but do not add any value as they are specifically created to fool crawlers. An example: We tell our crawler to crawl the domain evil.com by entering an initial lookup URL. Lets assume we let it crawl the front page initially, evil.com/index The returned HTML will contain several "unique" links: evil.com/somePageOne evil.com/somePageTwo evil.com/somePageThree The crawler will add these to the buffer of uncrawled URLs. When somePageOne is being crawled, the crawler receives more URLs: evil.com/someSubPageOne evil.com/someSubPageTwo These appear to be unique, and so they are. They are unique in the sense that the returned content is different from previous pages and that the URL is new to the crawler, however it appears that this is only because the developer has made a "loop trap" or "black hole". The crawler will add this new sub page, and the sub page will have another sub page, which will also be added. This process can go on infinitely. The content of each page is unique, but totally useless (it is randomly generated text, or text pulled from a random source). Our crawler will keep finding new pages, which we actually are not interested in. These loop traps are very difficult to find, and if your crawler does not have anything to prevent them in place, it will get stuck on a certain domain for infinity. My question is, what techniques can be used to detect so called black holes? One of the most common answers I have heard is the introduction of a limit on the amount of pages to be crawled. However, I cannot see how this can be a reliable technique when you do not know what kind of site is to be crawled. A legit site, like Wikipedia, can have hundreds of thousands of pages. Such limit could return a false positive for these kind of sites. Any feedback is appreciated. Thanks.

    Read the article

  • weighted matching algorithm in Perl

    - by srk
    Problem : We have equal number of men and women.each men has a preference score toward each woman. So do the woman for each man. each of the men and women have certain interests. Based on the interest we calculate the preference scores. So initially we have an input in a file having x columns. First column is the person(men/woman) id. id are nothing but 0.. n numbers.(first half are men and next half woman) the remaining x-1 columns will have the interests. these are integers too. now using this n by x-1 matrix... we have come up with a n by n/2 matrix. the new matrix has all men and woman as their rows and scores for opposite sex in columns. We have to sort the scores in descending order, also we need to know the id of person related to the scores after sorting. So here i wanted to use hash table. once we get the scores we need to make up pairs.. for which we need to follow some rules. My trouble is with the second matrix of n by n/2 that needs to give information of which man/woman has how much preference on a woman/man. I need these scores sorted so that i know who is the first preferred woman/man, 2nd preferred and so on for a man/woman. I hope to get good suggestions on the data structures i use.. I prefer php or perl. Thank you in advance

    Read the article

  • Security Issues with Single Page Apps

    - by Stephen.Walther
    Last week, I was asked to do a code review of a Single Page App built using the ASP.NET Web API, Durandal, and Knockout (good stuff!). In particular, I was asked to investigate whether there any special security issues associated with building a Single Page App which are not present in the case of a traditional server-side ASP.NET application. In this blog entry, I discuss two areas in which you need to exercise extra caution when building a Single Page App. I discuss how Single Page Apps are extra vulnerable to both Cross-Site Scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks. This goal of this blog post is NOT to persuade you to avoid writing Single Page Apps. I’m a big fan of Single Page Apps. Instead, the goal is to ensure that you are fully aware of some of the security issues related to Single Page Apps and ensure that you know how to guard against them. Cross-Site Scripting (XSS) Attacks According to WhiteHat Security, over 65% of public websites are open to XSS attacks. That’s bad. By taking advantage of XSS holes in a website, a hacker can steal your credit cards, passwords, or bank account information. Any website that redisplays untrusted information is open to XSS attacks. Let me give you a simple example. Imagine that you want to display the name of the current user on a page. To do this, you create the following server-side ASP.NET page located at http://MajorBank.com/SomePage.aspx: <%@Page Language="C#" %> <html> <head> <title>Some Page</title> </head> <body> Welcome <%= Request["username"] %> </body> </html> Nothing fancy here. Notice that the page displays the current username by using Request[“username”]. Using Request[“username”] displays the username regardless of whether the username is present in a cookie, a form field, or a query string variable. Unfortunately, by using Request[“username”] to redisplay untrusted information, you have now opened your website to XSS attacks. Here’s how. Imagine that an evil hacker creates the following link on another website (hackers.com): <a href="/SomePage.aspx?username=<script src=Evil.js></script>">Visit MajorBank</a> Notice that the link includes a query string variable named username and the value of the username variable is an HTML <SCRIPT> tag which points to a JavaScript file named Evil.js. When anyone clicks on the link, the <SCRIPT> tag will be injected into SomePage.aspx and the Evil.js script will be loaded and executed. What can a hacker do in the Evil.js script? Anything the hacker wants. For example, the hacker could display a popup dialog on the MajorBank.com site which asks the user to enter their password. The script could then post the password back to hackers.com and now the evil hacker has your secret password. ASP.NET Web Forms and ASP.NET MVC have two automatic safeguards against this type of attack: Request Validation and Automatic HTML Encoding. Protecting Coming In (Request Validation) In a server-side ASP.NET app, you are protected against the XSS attack described above by a feature named Request Validation. If you attempt to submit “potentially dangerous” content — such as a JavaScript <SCRIPT> tag — in a form field or query string variable then you get an exception. Unfortunately, Request Validation only applies to server-side apps. Request Validation does not help in the case of a Single Page App. In particular, the ASP.NET Web API does not pay attention to Request Validation. You can post any content you want – including <SCRIPT> tags – to an ASP.NET Web API action. For example, the following HTML page contains a form. When you submit the form, the form data is submitted to an ASP.NET Web API controller on the server using an Ajax request: <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> </head> <body> <form data-bind="submit:submit"> <div> <label> User Name: <input data-bind="value:user.userName" /> </label> </div> <div> <label> Email: <input data-bind="value:user.email" /> </label> </div> <div> <input type="submit" value="Submit" /> </div> </form> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { user: { userName: ko.observable(), email: ko.observable() }, submit: function () { $.post("/api/users", ko.toJS(this.user)); } }; ko.applyBindings(viewModel); </script> </body> </html> The form above is using Knockout to bind the form fields to a view model. When you submit the form, the view model is submitted to an ASP.NET Web API action on the server. Here’s the server-side ASP.NET Web API controller and model class: public class UsersController : ApiController { public HttpResponseMessage Post(UserViewModel user) { var userName = user.UserName; return Request.CreateResponse(HttpStatusCode.OK); } } public class UserViewModel { public string UserName { get; set; } public string Email { get; set; } } If you submit the HTML form, you don’t get an error. The “potentially dangerous” content is passed to the server without any exception being thrown. In the screenshot below, you can see that I was able to post a username form field with the value “<script>alert(‘boo’)</script”. So what this means is that you do not get automatic Request Validation in the case of a Single Page App. You need to be extra careful in a Single Page App about ensuring that you do not display untrusted content because you don’t have the Request Validation safety net which you have in a traditional server-side ASP.NET app. Protecting Going Out (Automatic HTML Encoding) Server-side ASP.NET also protects you from XSS attacks when you render content. By default, all content rendered by the razor view engine is HTML encoded. For example, the following razor view displays the text “<b>Hello!</b>” instead of the text “Hello!” in bold: @{ var message = "<b>Hello!</b>"; } @message   If you don’t want to render content as HTML encoded in razor then you need to take the extra step of using the @Html.Raw() helper. In a Web Form page, if you use <%: %> instead of <%= %> then you get automatic HTML Encoding: <%@ Page Language="C#" %> <% var message = "<b>Hello!</b>"; %> <%: message %> This automatic HTML Encoding will prevent many types of XSS attacks. It prevents <script> tags from being rendered and only allows &lt;script&gt; tags to be rendered which are useless for executing JavaScript. (This automatic HTML encoding does not protect you from all forms of XSS attacks. For example, you can assign the value “javascript:alert(‘evil’)” to the Hyperlink control’s NavigateUrl property and execute the JavaScript). The situation with Knockout is more complicated. If you use the Knockout TEXT binding then you get HTML encoded content. On the other hand, if you use the HTML binding then you do not: <!-- This JavaScript DOES NOT execute --> <div data-bind="text:someProp"></div> <!-- This Javacript DOES execute --> <div data-bind="html:someProp"></div> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { someProp : "<script>alert('Evil!')<" + "/script>" }; ko.applyBindings(viewModel); </script>   So, in the page above, the DIV element which uses the TEXT binding is safe from XSS attacks. According to the Knockout documentation: “Since this binding sets your text value using a text node, it’s safe to set any string value without risking HTML or script injection.” Just like server-side HTML encoding, Knockout does not protect you from all types of XSS attacks. For example, there is nothing in Knockout which prevents you from binding JavaScript to a hyperlink like this: <a data-bind="attr:{href:homePageUrl}">Go</a> <script src="Scripts/jquery-1.7.1.min.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { homePageUrl: "javascript:alert('evil!')" }; ko.applyBindings(viewModel); </script> In the page above, the value “javascript:alert(‘evil’)” is bound to the HREF attribute using Knockout. When you click the link, the JavaScript executes. Cross-Site Request Forgery (CSRF) Attacks Cross-Site Request Forgery (CSRF) attacks rely on the fact that a session cookie does not expire until you close your browser. In particular, if you visit and login to MajorBank.com and then you navigate to Hackers.com then you will still be authenticated against MajorBank.com even after you navigate to Hackers.com. Because MajorBank.com cannot tell whether a request is coming from MajorBank.com or Hackers.com, Hackers.com can submit requests to MajorBank.com pretending to be you. For example, Hackers.com can post an HTML form from Hackers.com to MajorBank.com and change your email address at MajorBank.com. Hackers.com can post a form to MajorBank.com using your authentication cookie. After your email address has been changed, by using a password reset page at MajorBank.com, a hacker can access your bank account. To prevent CSRF attacks, you need some mechanism for detecting whether a request is coming from a page loaded from your website or whether the request is coming from some other website. The recommended way of preventing Cross-Site Request Forgery attacks is to use the “Synchronizer Token Pattern” as described here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet When using the Synchronizer Token Pattern, you include a hidden input field which contains a random token whenever you display an HTML form. When the user opens the form, you add a cookie to the user’s browser with the same random token. When the user posts the form, you verify that the hidden form token and the cookie token match. Preventing Cross-Site Request Forgery Attacks with ASP.NET MVC ASP.NET gives you a helper and an action filter which you can use to thwart Cross-Site Request Forgery attacks. For example, the following razor form for creating a product shows how you use the @Html.AntiForgeryToken() helper: @model MvcApplication2.Models.Product <h2>Create Product</h2> @using (Html.BeginForm()) { @Html.AntiForgeryToken(); <div> @Html.LabelFor( p => p.Name, "Product Name:") @Html.TextBoxFor( p => p.Name) </div> <div> @Html.LabelFor( p => p.Price, "Product Price:") @Html.TextBoxFor( p => p.Price) </div> <input type="submit" /> } The @Html.AntiForgeryToken() helper generates a random token and assigns a serialized version of the same random token to both a cookie and a hidden form field. (Actually, if you dive into the source code, the AntiForgeryToken() does something a little more complex because it takes advantage of a user’s identity when generating the token). Here’s what the hidden form field looks like: <input name=”__RequestVerificationToken” type=”hidden” value=”NqqZGAmlDHh6fPTNR_mti3nYGUDgpIkCiJHnEEL59S7FNToyyeSo7v4AfzF2i67Cv0qTB1TgmZcqiVtgdkW2NnXgEcBc-iBts0x6WAIShtM1″ /> And here’s what the cookie looks like using the Google Chrome developer toolbar: You use the [ValidateAntiForgeryToken] action filter on the controller action which is the recipient of the form post to validate that the token in the hidden form field matches the token in the cookie. If the tokens don’t match then validation fails and you can’t post the form: public ActionResult Create() { return View(); } [ValidateAntiForgeryToken] [HttpPost] public ActionResult Create(Product productToCreate) { if (ModelState.IsValid) { // save product to db return RedirectToAction("Index"); } return View(); } How does this all work? Let’s imagine that a hacker has copied the Create Product page from MajorBank.com to Hackers.com – the hacker grabs the HTML source and places it at Hackers.com. Now, imagine that the hacker trick you into submitting the Create Product form from Hackers.com to MajorBank.com. You’ll get the following exception: The Cross-Site Request Forgery attack is blocked because the anti-forgery token included in the Create Product form at Hackers.com won’t match the anti-forgery token stored in the cookie in your browser. The tokens were generated at different times for different users so the attack fails. Preventing Cross-Site Request Forgery Attacks with a Single Page App In a Single Page App, you can’t prevent Cross-Site Request Forgery attacks using the same method as a server-side ASP.NET MVC app. In a Single Page App, HTML forms are not generated on the server. Instead, in a Single Page App, forms are loaded dynamically in the browser. Phil Haack has a blog post on this topic where he discusses passing the anti-forgery token in an Ajax header instead of a hidden form field. He also describes how you can create a custom anti-forgery token attribute to compare the token in the Ajax header and the token in the cookie. See: http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx Also, take a look at Johan’s update to Phil Haack’s original post: http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC (Other server frameworks such as Rails and Django do something similar. For example, Rails uses an X-CSRF-Token to prevent CSRF attacks which you generate on the server – see http://excid3.com/blog/rails-tip-2-include-csrf-token-with-every-ajax-request/#.UTFtgDDkvL8 ). For example, if you are creating a Durandal app, then you can use the following razor view for your one and only server-side page: @{ Layout = null; } <!DOCTYPE html> <html> <head> <title>Index</title> </head> <body> @Html.AntiForgeryToken() <div id="applicationHost"> Loading app.... </div> @Scripts.Render("~/scripts/vendor") <script type="text/javascript" src="~/App/durandal/amd/require.js" data-main="/App/main"></script> </body> </html> Notice that this page includes a call to @Html.AntiForgeryToken() to generate the anti-forgery token. Then, whenever you make an Ajax request in the Durandal app, you can retrieve the anti-forgery token from the razor view and pass the token as a header: var csrfToken = $("input[name='__RequestVerificationToken']").val(); $.ajax({ headers: { __RequestVerificationToken: csrfToken }, type: "POST", dataType: "json", contentType: 'application/json; charset=utf-8', url: "/api/products", data: JSON.stringify({ name: "Milk", price: 2.33 }), statusCode: { 200: function () { alert("Success!"); } } }); Use the following code to create an action filter which you can use to match the header and cookie tokens: using System.Linq; using System.Net.Http; using System.Web.Helpers; using System.Web.Http.Controllers; namespace MvcApplication2.Infrastructure { public class ValidateAjaxAntiForgeryToken : System.Web.Http.AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext actionContext) { var headerToken = actionContext .Request .Headers .GetValues("__RequestVerificationToken") .FirstOrDefault(); ; var cookieToken = actionContext .Request .Headers .GetCookies() .Select(c => c[AntiForgeryConfig.CookieName]) .FirstOrDefault(); // check for missing cookie or header if (cookieToken == null || headerToken == null) { return false; } // ensure that the cookie matches the header try { AntiForgery.Validate(cookieToken.Value, headerToken); } catch { return false; } return base.IsAuthorized(actionContext); } } } Notice that the action filter derives from the base AuthorizeAttribute. The ValidateAjaxAntiForgeryToken only works when the user is authenticated and it will not work for anonymous requests. Add the action filter to your ASP.NET Web API controller actions like this: [ValidateAjaxAntiForgeryToken] public HttpResponseMessage PostProduct(Product productToCreate) { // add product to db return Request.CreateResponse(HttpStatusCode.OK); } After you complete these steps, it won’t be possible for a hacker to pretend to be you at Hackers.com and submit a form to MajorBank.com. The header token used in the Ajax request won’t travel to Hackers.com. This approach works, but I am not entirely happy with it. The one thing that I don’t like about this approach is that it creates a hard dependency on using razor. Your single page in your Single Page App must be generated from a server-side razor view. A better solution would be to generate the anti-forgery token in JavaScript. Unfortunately, until all browsers support a way to generate cryptographically strong random numbers – for example, by supporting the window.crypto.getRandomValues() method — there is no good way to generate anti-forgery tokens in JavaScript. So, at least right now, the best solution for generating the tokens is the server-side solution with the (regrettable) dependency on razor. Conclusion The goal of this blog entry was to explore some ways in which you need to handle security differently in the case of a Single Page App than in the case of a traditional server app. In particular, I focused on how to prevent Cross-Site Scripting and Cross-Site Request Forgery attacks in the case of a Single Page App. I want to emphasize that I am not suggesting that Single Page Apps are inherently less secure than server-side apps. Whatever type of web application you build – regardless of whether it is a Single Page App, an ASP.NET MVC app, an ASP.NET Web Forms app, or a Rails app – you must constantly guard against security vulnerabilities.

    Read the article

  • SQL Server CLR stored procedures in data processing tasks - good or evil?

    - by Gart
    In short - is it a good design solution to implement most of the business logic in CLR stored procedures? I have read much about them recently but I can't figure out when they should be used, what are the best practices, are they good enough or not. For example, my business application needs to parse a large fixed-length text file, extract some numbers from each line in the file, according to these numbers apply some complex business rules (involving regex matching, pattern matching against data from many tables in the database and such), and as a result of this calculation update records in the database. There is also a GUI for the user to select the file, view the results, etc. This application seems to be a good candidate to implement the classic 3-tier architecture: the Data Layer, the Logic Layer, and the GUI layer. The Data Layer would access the database The Logic Layer would run as a WCF service and implement the business rules, interacting with the Data Layer The GUI Layer would be a means of communication between the Logic Layer and the User. Now, thinking of this design, I can see that most of the business rules may be implemented in a SQL CLR and stored in SQL Server. I might store all my raw data in the database, run the processing there, and get the results. I see some advantages and disadvantages of this solution: Pros: The business logic runs close to the data, meaning less network traffic. Process all data at once, possibly utilizing parallelizm and optimal execution plan. Cons: Scattering of the business logic: some part is here, some part is there. Questionable design solution, may encounter unknown problems. Difficult to implement a progress indicator for the processing task. I would like to hear all your opinions about SQL CLR. Does anybody use it in production? Are there any problems with such design? Is it a good thing?

    Read the article

  • Usernames are evil. How can I make Restful Authentication only require an email address and password

    - by Koning WWWWWWWWWWWWWWWWWWWWWWW
    As the title says: how can I use the Restful Authentication Plugin with Ruby on Rails. When I want to create a new user, it requires me to set the (wrong-named, confusing field) login (= username), email address and password. However, I want, like Facebook does, to require the user to enter only an email address and password, not a username. People will also login with this email address. Can anyone help me?

    Read the article

  • If tables are so evil, why does joomla use tables for its layout?

    - by DMin
    When you create a template you don't use tables. but when joomla rendereds the page, there are at least 4 places where tables are used to structure the content. Does this tell you something about tables or the fact that the joomla community should invest more time and learn how to code css or just the fact that tables are needed when you don't know what css is going to be throw in later(which probably means they are of some use)?

    Read the article

  • Assembly wide multicast attributes. Are they evil?

    - by HeavyWave
    I am working on a project where we have several attributes in AssemblyInfo.cs, that are being multicast to a methods of a particular class. [assembly: Repeatable( AspectPriority = 2, AttributeTargetAssemblies = "MyNamespace", AttributeTargetTypes = "MyNamespace.MyClass", AttributeTargetMemberAttributes = MulticastAttributes.Public, AttributeTargetMembers = "*Impl", Prefix = "Cls")] What I don't like about this, is that it puts a piece of login into AssemblyInfo (Info, mind you!), which for starters should not contain any logic at all. The worst part of it, is that the actual MyClass.cs does not have the attribute anywhere in the file, and it is completely unclear that methods of this class might have them. From my perspective it greatly hurts readability of the code (not to mention that overuse of PostSharp can make debugging a nightmare). Especially when you have multiple multicast attributes. What is the best practice here? Is anyone out there is using PostSharp attributes like this?

    Read the article

  • Usernames are evil. How can I make Restful Authentication only require a username and password, inst

    - by Koning WWWWWWWWWWWWWWWWWWWWWWW
    As the title sais: How can I use the Restful Authentication Plugin with Ruby on Rails. When I want to create a new user, it requires me a (wrong-named, confusing field) login (= username), email address and password. However, I want, like Facebook does, only require the user to enter an email address and password, not a username. People will also login with this email address. Can anyone help me?

    Read the article

  • A good architecture is evil? Hardcode forever?

    - by igor
    I have worked in many companies. Most of all reached a big success in their field. Some times I found the code was written by owner or co-owner or the first developer of this company. It was strange from architectural point of view code or awful code styled, or hardcoded and so on. I know a couple of startups, that were grown up and were started from the "one night" code. Is it only way to get success to write code in this way? Why does a code written "on knee" but in time is better than delayed well thought-out one? What about future? Which way is the best: to write a good architecture, code and spend some more time at the startup or to write "fast" and hardcoded one that would be completely (partially) throw out (or maybe wouldn't) after some period of time (or never)?

    Read the article

< Previous Page | 1 2 3 4 5 6 7 8 9 10 11 12  | Next Page >