<?xml version="1.0" encoding="UTF-8" ?>
<?xml-stylesheet type="text/xsl" href="http://weblogs.asp.net/utility/FeedStylesheets/rss.xsl" media="screen"?><rss version="2.0" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:slash="http://purl.org/rss/1.0/modules/slash/" xmlns:wfw="http://wellformedweb.org/CommentAPI/"><channel><title>Firoz Ansari's Weblog : ASP.NET</title><link>http://weblogs.asp.net/firoz/archive/tags/ASP.NET/default.aspx</link><description>Tags: ASP.NET</description><dc:language>en</dc:language><generator>CommunityServer 2007 SP1 (Build: 20510.895)</generator><item><title>Launch Announcement: DOTENET (Digg Clone)</title><link>http://weblogs.asp.net/firoz/archive/2007/03/17/launch-announcement-dotenet-digg-clone.aspx</link><pubDate>Sun, 18 Mar 2007 06:46:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:2052627</guid><dc:creator>firoz.ansari</dc:creator><slash:comments>12</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/firoz/rsscomments.aspx?PostID=2052627</wfw:commentRss><comments>http://weblogs.asp.net/firoz/archive/2007/03/17/launch-announcement-dotenet-digg-clone.aspx#comments</comments><description>&lt;p&gt;It gives me immense pleasure to announce the .NET portal &lt;a href="http://www.dotenet.com"&gt;DOTENET&lt;/a&gt; (URL: www.dotenet.com). It&amp;rsquo;s a &amp;quot;Digg&amp;quot;-style web application dedicated to .NET and related technologies. This portal will serve as a central hub to share articles, tutorials, blog posts etc.

&lt;/p&gt;&lt;p&gt;When I was planning to create this portal two months back, I was sure that the first release of this project would have only the minimum &amp;quot;must have&amp;quot; features and that I would add the &amp;quot;good to have&amp;quot; features later. That&amp;rsquo;s why you will notice many blank pages on this portal. These blank pages are placeholders for features which I will add in the coming weeks (depending upon available bandwidth).
 
&lt;/p&gt;&lt;p&gt;The goal of creating a community portal cannot be achieved without your active participation. Please register yourself on this portal and share any article or post which you think is useful to the .NET community. If you find an existing link on the DOTENET portal useful, please vote for that link so that it can be pushed to the popular segment.

&lt;/p&gt;&lt;p&gt;As you continue participating in this portal, please keep in mind that this community portal needs your feedback to remain alive. Please provide your feedback, opinions and suggestions on my blog (URL: &lt;a href="http://www.firoz.name/2007/03/18/announcement-dotenet/"&gt;Announcement: DOTENET&lt;/a&gt;)

&lt;/p&gt;&lt;p&gt;URL: &lt;a href="http://www.dotenet.com"&gt;Home Page&lt;/a&gt;
&lt;/p&gt;&lt;p&gt;URL: &lt;a href="http://www.dotenet.com/register"&gt;Registration Page&lt;/a&gt;&lt;/p&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=2052627" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/firoz/archive/tags/ASP.NET/default.aspx">ASP.NET</category><category domain="http://weblogs.asp.net/firoz/archive/tags/C_2300_/default.aspx">C#</category><category domain="http://weblogs.asp.net/firoz/archive/tags/.NET/default.aspx">.NET</category><category domain="http://weblogs.asp.net/firoz/archive/tags/Community+Portals/default.aspx">Community Portals</category><category domain="http://weblogs.asp.net/firoz/archive/tags/VB.NET/default.aspx">VB.NET</category><category domain="http://weblogs.asp.net/firoz/archive/tags/SQL+Server/default.aspx">SQL Server</category></item><item><title>Vulnerable JavaScript Comments</title><link>http://weblogs.asp.net/firoz/archive/2006/05/26/Vulnerable-JavaScript-Comments.aspx</link><pubDate>Fri, 26 May 2006 12:10:00 GMT</pubDate><guid isPermaLink="false">c06e2b9d-981a-45b4-a55f-ab0d8bbfdc1c:449252</guid><dc:creator>firoz.ansari</dc:creator><slash:comments>0</slash:comments><wfw:commentRss xmlns:wfw="http://wellformedweb.org/CommentAPI/">http://weblogs.asp.net/firoz/rsscomments.aspx?PostID=449252</wfw:commentRss><comments>http://weblogs.asp.net/firoz/archive/2006/05/26/Vulnerable-JavaScript-Comments.aspx#comments</comments><description>&lt;P&gt;Today while checking balance in my banker’s web portal, which is self acclaimed as one of the most secured online banking portal of India, I curiously thought of inspecting their HTML content using View Source. But I really shocked (and I almost got heart attack) to see whole bunch of JavaScript comment placed all over their pages. Most interesting thing was that these JavaScript snippets not only tell you bug numbers, who have done those modifications, on which date, but also what was the actual issue and how they have resolved that issue. 
&lt;IMG class=wp-smiley alt=:) src="http://www.firoz.name/wp-includes/images/smilies/icon_smile.gif"&gt; &lt;/P&gt;
&lt;P&gt;The most interesting part was:&lt;BR&gt;&lt;CODE&gt;&amp;lt;script language="JavaScript1.2"&amp;gt;&lt;BR&gt;function alert_keycode(){&lt;BR&gt;/*&lt;BR&gt;Abhilash.&lt;BR&gt;&lt;BR&gt;This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value.&lt;BR&gt;&lt;BR&gt;And submit is invoked&lt;BR&gt;&lt;BR&gt;*/&lt;BR&gt;frm = document.confirmFrm;&lt;BR&gt;if(event.keyCode==13)&lt;BR&gt;{&lt;BR&gt;blah blah blah&lt;/CODE&gt;&lt;/P&gt;
&lt;P&gt;I love this “detailed” and technically well-explained comment provided by the developer in the HTML code.&lt;/P&gt;
&lt;P&gt;On a serious note, I never put comments like these in client-side JavaScript. As you can see from this example, they can lead an attacker straight to a vulnerability or security hole in the application. Even if you ignore the extra page weight these comments add, shipping comments full of technical or business explanations to the browser is a major security risk to your application. &lt;I&gt;Don’t do that!&lt;/I&gt;&lt;/P&gt;
&lt;P&gt;IMO, code comments are for the developer, not for the user. My suggestion to all web developers is to use server-side comments instead of client-side comments, especially if you are developing applications for financial institutions. A server-side comment is discarded when the page is rendered and never reaches the browser, so nothing in it can be read with View Source.&lt;/P&gt;
&lt;P&gt;What is your opinion if I modify the above code like this:&lt;BR&gt;&lt;CODE&gt;&amp;lt;script language="JavaScript1.2"&amp;gt;&lt;BR&gt;function alert_keycode(){&lt;BR&gt;&lt;B&gt;&amp;lt;%&lt;/B&gt;&lt;BR&gt;/*Abhilash.&lt;BR&gt;&lt;BR&gt;This script was added bcze on pressing enter key on pwd field used to get Submittted but since the Command Action invoked was diff one that of OK button, it was not producing desired results. The solution was create a temp hidden field and changing Pwd field name to that of Ok button dynamically, assigning tmp-hidden field name/value with original Pwd Field name/value.&lt;BR&gt;And submit is invoked&lt;BR&gt;*/&lt;BR&gt;&lt;B&gt;%&amp;gt;&lt;/B&gt;&lt;BR&gt;frm = document.confirmFrm;&lt;BR&gt;if(event.keyCode==13)&lt;BR&gt;{&lt;BR&gt;blah blah blah&lt;BR&gt;&amp;lt;/script&amp;gt;&lt;/CODE&gt;&lt;/P&gt;
&lt;P&gt;I guess the latter one is more secure than the original one. Do you agree with me?&lt;/P&gt;
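&lt;P&gt;Added example (not code from the original post or from the bank's site): a Node.js script that does the View Source check described above automatically. It pulls every HTML comment and every JavaScript comment out of a page as served, skipping comment-like text that sits inside string literals, and flags the ones that mention bug numbers, password fields, dates, e-mail addresses or fix/TODO notes. A second function strips those comments back out, which is the build-time fallback when the comments cannot be moved server side. The sample page is constructed for this example and only imitates the pattern described above, the flagging keywords are my own choice, and the scanner deliberately does not handle regular-expression literals or nested template strings; all of that is assumption, not something the post states.&lt;/P&gt;
<![CDATA[
```javascript
// Added example (not code from the original post or the bank's site): audit the comments a page ships
// to the browser. Assumptions, mine rather than the post's: the HTML is taken exactly as served, scripts are
// inline, and script bodies contain no regex literals or nested template strings that carry comment delimiters.
const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;
const HTML_COMMENT_RE = /<!--([\s\S]*?)-->/g;
const CLOSE_LEN = '</script>'.length;

// My own choice of indicators for the kind of leak the post describes (bug ids, who/when, password handling).
const SENSITIVE = [
  /\bbug\s*#?\s*\d+/i,                          // bug-tracker references
  /\b(pwd|passw(or)?d)\b/i,                      // password field handling
  /\b(fix(ed)?|workaround|hack|todo|fixme)\b/i,  // change notes meant for other developers
  /\b\d{1,2}[\/-]\d{1,2}[\/-]\d{2,4}\b/,         // dates
  /[\w.+-]+@[\w-]+\.[\w.]+/,                     // e-mail addresses
];

const lineOf = (text, idx) => text.slice(0, idx).split('\n').length;

// Find the comments in a JavaScript source. String literals are skipped so that a "/* ... */" inside a
// string is not reported; start/end offsets are kept so the same scan can strip the comments out again.
function extractJsComments(src, baseLine = 1) {
  const comments = [];
  let line = baseLine;
  for (let i = 0; i < src.length; ) {
    const ch = src[i];
    if (ch === '\n') { line++; i++; }
    else if (ch === '"' || ch === "'" || ch === '`') {       // skip a string literal, honouring escapes
      for (i++; i < src.length && src[i] !== ch; i++) {
        if (src[i] === '\\') i++;
        else if (src[i] === '\n') line++;
      }
      i++;                                                   // step past the closing quote
    } else if (ch === '/' && src[i + 1] === '/') {           // line comment: the newline itself is kept
      let end = src.indexOf('\n', i);
      if (end === -1) end = src.length;
      comments.push({ kind: 'line', line, start: i, end, text: src.slice(i + 2, end).trim() });
      i = end;
    } else if (ch === '/' && src[i + 1] === '*') {           // block comment, possibly spanning lines
      const close = src.indexOf('*/', i + 2);
      const end = close === -1 ? src.length : close + 2;
      const text = src.slice(i + 2, close === -1 ? src.length : close);
      comments.push({ kind: 'block', line, start: i, end, text: text.trim() });
      line += (text.match(/\n/g) || []).length;
      i = end;
    } else i++;
  }
  return comments;
}

// The View Source check, automated: every HTML comment and every comment inside a <script> block that
// matches one of the SENSITIVE patterns becomes a finding with the page line it sits on.
function auditPage(html) {
  const findings = [];
  const report = (where, line, text) => {
    const reasons = SENSITIVE.filter((re) => re.test(text)).map((re) => re.source);
    if (reasons.length) findings.push({ where, line, text, reasons });
  };
  for (const m of html.matchAll(HTML_COMMENT_RE)) report('html-comment', lineOf(html, m.index), m[1].trim());
  for (const m of html.matchAll(SCRIPT_RE)) {
    const bodyStart = m.index + m[0].length - CLOSE_LEN - m[1].length;
    for (const c of extractJsComments(m[1], lineOf(html, bodyStart))) report(`script-${c.kind}-comment`, c.line, c.text);
  }
  return findings;
}

// Build-time mitigation for pages you cannot fix at the source: drop JavaScript comments from every
// <script> block and HTML comments from the markup around them. Server-side comments stay the cleaner fix.
function stripComments(html) {
  let out = '';
  let last = 0;
  for (const m of html.matchAll(SCRIPT_RE)) {
    const body = m[1];
    const openTag = m[0].slice(0, m[0].length - CLOSE_LEN - body.length);
    let kept = '';
    let pos = 0;
    for (const c of extractJsComments(body)) { kept += body.slice(pos, c.start); pos = c.end; }
    out += html.slice(last, m.index).replace(HTML_COMMENT_RE, '') + openTag + kept + body.slice(pos) + m[0].slice(-CLOSE_LEN);
    last = m.index + m[0].length;
  }
  return out + html.slice(last).replace(HTML_COMMENT_RE, '');
}

// Constructed sample page for this example (not the bank's real markup); it imitates the pattern the post describes.
const SAMPLE_PAGE = `<html><body>
<!-- Layout by J. Doe, 12/03/2006 -->
<form name="confirmFrm">
<script language="JavaScript1.2">
function alert_keycode(){
/* Bug #4711 (A. Developer, 03/05/2006): Enter in the pwd field invoked the wrong command action,
   so we copy the pwd field into a temp hidden field and rename it to the OK button's name. */
// TODO remove the hidden field hack before the audit
var msg = "/* this is inside a string, not a comment */";
if (event.keyCode == 13) { document.confirmFrm.submit(); }
}
</script>
</form></body></html>`;
for (const f of auditPage(SAMPLE_PAGE)) console.log(`line ${f.line} ${f.where}: ${f.text.split('\n')[0]}`);
```
]]>
&lt;P&gt;Save it as audit.js and run it with node; to check a real page, replace SAMPLE_PAGE with the markup saved from View Source. One caveat on the server-side variant shown above: in ASP.NET the dedicated server-side comment is &amp;lt;%-- ... --%&amp;gt;, which the page compiler discards before anything is sent, whereas &amp;lt;% /* ... */ %&amp;gt; only works when the page's server language treats /* */ as a comment. That holds for C#, but in VB.NET it is a compile error.&lt;/P&gt;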
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;Please provide your comment here:&lt;/P&gt;
&lt;P class=MsoNormal style="MARGIN: 0in 0in 0pt"&gt;&lt;A href="http://www.firoz.name/2006/05/26/vulnerable-javascript-comments/"&gt;http://www.firoz.name/2006/05/26/vulnerable-javascript-comments/&lt;/A&gt;&lt;/P&gt;&lt;img src="http://weblogs.asp.net/aggbug.aspx?PostID=449252" width="1" height="1"&gt;</description><category domain="http://weblogs.asp.net/firoz/archive/tags/ASP.NET/default.aspx">ASP.NET</category></item></channel></rss>