September 2006 - Posts
The warning flags are going up about the increasing use of AJAX in Web applications. It seems as though we're increasing the usability of our apps while dropping our guard on security issues. There's a great post by Dan Sellers on multiple potential vulnerabilities in the misuse of the technology. Here are some of the issues Dan discusses:
- Web services left wide open to denial-of-service attacks on endpoints
- Broader attack surfaces created when the attacker can see function names, variables, parameters, return type, and data types
- JavaScript Web service proxies give hackers direct access to trusted resources for SQL injection attacks
- Out-of-band JavaScript calls injected by bad guys present a silent and unseen danger
- Hackers could use cross-site scripting to propagate malware like a worm
As Dan suggests, AJAX controls should carry warning stickers about new client-side security issues.
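The cross-site scripting item above usually comes down to one mistake on the client: data returned by a Web service is dropped straight into the page as markup. The following is an added example, not code from the original post or from Dan Sellers' article. It assumes a constructed comment service that returns a JSON array of {user, comment} objects and contrasts the unsafe rendering with an escaped one; the sample response is constructed for the illustration.

```javascript
// Added example: escaping Web service response data before it reaches the DOM.
// Assumed (constructed) contract: the service returns a JSON array of
// {"user": "...", "comment": "..."} objects.

// Encode the five characters that change meaning inside HTML text and attributes.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;')
    .replace(/"/g, '&quot;')
    .replace(/'/g, '&#39;');
}

// Unsafe: raw response fields are concatenated into markup, so any tags the
// service (or whoever wrote to its database) returns become live HTML.
function renderCommentUnsafe(c) {
  return '<p><b>' + c.user + '</b>: ' + c.comment + '</p>';
}

// Safe: the markup skeleton is trusted, every untrusted field is escaped.
function renderCommentSafe(c) {
  return '<p><b>' + escapeHtml(c.user) + '</b>: ' + escapeHtml(c.comment) + '</p>';
}

// Parse the response defensively: insist on the expected shape and copy only
// the two known fields, so extra or oddly typed data never reaches the renderer.
function parseComments(text) {
  const data = JSON.parse(text);
  if (!Array.isArray(data)) throw new Error('expected an array of comments');
  return data.map(c => {
    if (typeof c !== 'object' || c === null) throw new Error('bad comment entry');
    return { user: String(c.user ?? ''), comment: String(c.comment ?? '') };
  });
}

function renderAll(text, renderer) {
  return parseComments(text).map(renderer).join('');
}

// Constructed sample response; the second entry carries a script tag to show
// the difference between the two renderers.
const SAMPLE_RESPONSE = JSON.stringify([
  { user: 'alice', comment: 'Looks good' },
  { user: 'mallory', comment: '<script>alert(1)</script>' },
]);

// Browser usage (constructed element id):
//   document.getElementById('comments').innerHTML =
//     renderAll(responseText, renderCommentSafe);
// Where no markup is needed at all, assign el.textContent instead of innerHTML;
// textContent never parses its value as HTML.
```

The escaped version still uses innerHTML, which is why every field passes through escapeHtml first; the textContent route mentioned in the comment is simpler when the response is plain text and needs no surrounding markup.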
It's disappointing that versions of Visual Studio .NET pre-VS2005 won't be supported on Windows Vista. I was looking forward to jumping on the new OS bandwagon. True, there's always Virtual PC for building VS2002-03 apps, but I find the virtual environment somewhat slow and cumbersome.
Wait! If Vista's built-in security is the obstacle (I get fed up with those incessant security warnings!) maybe Microsoft could introduce another Vista SKU - Windows Vista Developer Version. It could strip away the blocking security restrictions that make the OS safer for the consumer market and allow developer tools - old and new - to run freely.
I was looking around on www.gotdotnet.com for sample files and was shocked to see the sorry state of some sections.
The User Samples area includes a totally bogus banking application called "PROJECTS IN BANKING" (actually a useless ASP Classic file) and an entry called "MCE Crack" which appears to be some sort of cracker's or warez tool as an executable. Meanwhile, the Resource Centre features a spam link to a recruiter's site.
Maybe GotDotNet has fallen out of favour since CodePlex came on the scene, but GDN is still a valuable community resource. It needs a caretaker/moderator who can at least get rid of the garbage every day.
Feedback sent.
Someone asked the other day in the newsgroups about creating a Windows-style groupbox in ASP.NET. I knew I had seen one used somewhere in a Web page, and finally tracked it down. It turns out to be the <fieldset> tag with an embedded <legend> to hold the text.
In ASP.NET, use the Panel control and provide a text value for its GroupingText property; the Panel then renders as a <fieldset> with the text in a <legend>.
Here's some ASP.NET code:
<asp:Panel ID="Panel1" runat="server" GroupingText="Using the Fieldset Element">
    <table width="100%">
        <tr>
            <td>
                <asp:RadioButton ID="radGrp1" runat="server" GroupName="rads" />
            </td>
            <td>
                <asp:Label ID="lblLegend" runat="server" Text="Use the Legend Tag!" />
            </td>
        </tr>
        <tr>
            <td>
                <asp:RadioButton ID="radGrp2" Checked="true" GroupName="rads" runat="server" />
            </td>
            <td>
                <asp:Label ID="lblGroup" runat="server" Text="Creates a Groupbox in HTML!" />
            </td>
        </tr>
    </table>
</asp:Panel>
Here's the HTML spec's reference for the tag:
http://www.w3.org/TR/html4/interact/forms.html#edef-FIELDSET