Remember to use HtmlEncode

by Codewiz51 July 03, 2009 15:03

It's easy to forget about conditioning data when you are in the midst of getting a product out the door.  This is particularly true on web projects.  Even Intranet web sites get hacked.

The moral is, don't forget to condition user input text before you use it.  One of the easiest steps you can take is using HtmlEncode:

   // Don't do something like this before processing text: the raw input
   // goes straight into the output, tags and all.

   string body = this.Message.Text + "\n";

   // Instead, encode the message so that characters like < and > become
   // &lt; and &gt;  See msdn for the full list of characters that are encoded.

   string body = Server.HtmlEncode(this.Message.Text + "\n");

This simple change might prevent someone from embedding script in a text control, script that could otherwise run amok on your web site once the stored text is rendered.
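Going one step further than the post's single HtmlEncode call, the added example below (my code, not the post's) encodes the same untrusted value for three different output contexts, because HtmlEncode alone is not the right tool for an attribute value or a URL parameter.  It uses System.Web.HttpUtility, which the post's Server.HtmlEncode delegates to, so it needs a reference to the System.Web assembly; the input strings are constructed for the demonstration and the method names RenderMessage and EncodingDemo are my own.

```csharp
// Added example, not from the post: one untrusted value, three output contexts.
using System;
using System.Web;

static class EncodingDemo
{
    // Build the fragment a page would emit when showing a stored message.
    // Each value is encoded for the context it lands in: element text,
    // a quoted attribute value, or a URL query parameter.
    public static string RenderMessage(string userText, string userName)
    {
        string bodyHtml  = HttpUtility.HtmlEncode(userText);            // <, >, &, " become entities
        string titleAttr = HttpUtility.HtmlAttributeEncode(userName);   // cannot close the quoted attribute
        string linkParam = HttpUtility.UrlEncode(userName);             // cannot break out of the query string

        // The attribute must be quoted for HtmlAttributeEncode to do its job.
        return "<div title=\"" + titleAttr + "\">" + bodyHtml + "</div>"
             + "<a href=\"profile.aspx?user=" + linkParam + "\">profile</a>";
    }

    static void Main()
    {
        // Constructed sample input of the kind the post warns about.
        string evilText = "Hello <script>alert('x')</script> & goodbye";
        string evilName = "bob\" onmouseover=\"alert(1)";
        Console.WriteLine(RenderMessage(evilText, evilName));
    }
}
```

Run as a console program with System.Web referenced; the script tag comes out as harmless text, the stray quote in the name cannot terminate the title attribute, and the name is percent-encoded in the link.  Which characters each method encodes varies a little between framework versions, so check the msdn page for the version you target.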


Programming

Handling HttpRequestValidationException in Page_Error

by Codewiz51 July 03, 2009 13:43

This one took me a while.  I was playing around with putting script into my web site's feedback form, trying to capture RequestValidation exceptions.  I wasn't having much luck.

The symptom of my initial attempt at handling the error was that no matter what sort of code I included in the Page_Error method, I always viewed the .Net yellow screen of embarrassment when I purposely introduced a <script> tag into the feedback text fields.

It turns out, you have to complete the request in the Page_Error method.  The bad news is, your page processing ends.  BOOM!  So things like style sheets and master page processing will not happen.

You can capture the error in the Application_Error method of global.asax.  This lets you do a few more things, but basically, the request must be handled in Application_Error.

What all the verbiage means is that a Response.End() call must be made before your error handling method returns, or else you'll get the yellow screen of embarrassment.

Here's an example of how I handled the exception in my feedback form code behind:

    string btnGoBack = "<br/><br/><input id=\"btnBack\" type=\"button\" value=\"Back\" onclick=\"history.back()\"/>";

    protected void Page_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();

        if (ex is HttpRequestValidationException)
        {
            string resMsg = "<html><body><span style=\"font-size: 14pt; color: red\">" +
                ".Net has detected material in your email that is not allowed.<br />" +
                btnGoBack +
                "<br /></span></body></html>";
            Response.Write(resMsg);
            Response.StatusCode = 200;
            Response.End();
        }
    }
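The post mentions that the same exception can be caught once for the whole site in the Application_Error method of global.asax instead of in each page.  The following is an added example of that variant (my code, not the post's); it assumes the default global.asax.cs file and Global class name, and it ends the request with Response.End() as the post describes.

```csharp
// Added example, not from the post: site-wide handling of the request-validation
// error in global.asax.cs.
using System;
using System.Web;

public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null)
            return;

        // Errors raised while a page executes usually reach here wrapped in an
        // HttpUnhandledException, so look one level down as well.
        HttpRequestValidationException validationError =
            ex as HttpRequestValidationException
            ?? ex.InnerException as HttpRequestValidationException;

        if (validationError == null)
            return;   // some other error: leave it to the normal error path

        // Mark the error handled and replace whatever was already buffered.
        // The message is fixed text; the rejected input is deliberately not echoed
        // back, since that would reintroduce the content request validation just blocked.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = 400;   // the client sent something the site will not accept
        Response.ContentType = "text/html";
        Response.Write(
            "<html><body><p>The text you submitted contains characters that are not allowed. " +
            "Please go back, remove any HTML tags, and try again.</p>" +
            "<input type=\"button\" value=\"Back\" onclick=\"history.back()\" /></body></html>");

        // Complete the request here; returning without doing so brings the yellow screen back.
        Response.End();
    }
}
```

Two design choices worth noting: the status code is 400 rather than 200, so proxies and monitoring see a rejected request rather than a successful page, and the response body contains no part of the submitted text.  Response.End() stops the pipeline by raising a ThreadAbortException; if that shows up as noise in your logs, HttpApplication.CompleteRequest() ends the request without it.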


Programming

Innovative use of H1-B visas

by Codewiz51 July 02, 2009 09:12

So much for lack of qualified applicants of U.S. origin.  It's about money.  Pretty soon, it will be about safety.

Aircraft repair jobs sold to foreign workers, resumes not important

 


Life

Modifying master page properties at run time

by Codewiz51 July 01, 2009 19:50

I host the codewiz51.com web site on webhost4life.com.  I don't want to spend $40 on an SSL certificate, so I use the free shared SSL certificate.  One of the problems is that the web address is different between the non-SSL and SSL access URLs and directories.  For instance, you are on http://www.codewiz51.com/blog, but the SSL access is https://siteabc.mysite4now.net/starwars/yoda (this address will give you an error.)

In order to get around this problem, I've modified the event handlers for the default.aspx page on my main web site to show "(Secure)" appended to the html title element when using SSL.

Here's the relevant section of yoda.master.  Notice that I do not include a title tag in the head.  Each content page supplies the title as a content string for the ContentPlaceHolder "head".


<head id="Head1" runat="server">
    ...
    <asp:ContentPlaceHolder ID="head" runat="server" />
</head>

Here's the code I've added to default.aspx.cs:

    protected void Page_Load(object sender, EventArgs e)
    {
        // Add the <title> element that the master page leaves to the content page.
        ContentPlaceHolder mpHeader = (ContentPlaceHolder)Master.FindControl("head");
        HtmlTitle title = new HtmlTitle();
        title.Text = IsSecureRequest() ? @"Home (Secure)" : @"Home";
        mpHeader.Controls.Add(title);
    }

    protected void Page_PreInit(object sender, EventArgs e)
    {
        // The shared SSL host serves the site from a different directory,
        // so point ASP.Net at the master page's location on that host.
        if (IsSecureRequest())
            this.MasterPageFile = @"~/starwars/yoda.master";
        else
            this.MasterPageFile = @"~/yoda.master";
    }

    // Compare the URL scheme instead of searching the whole URL string for "https:",
    // which would also match a query string that happens to contain that text.
    private bool IsSecureRequest()
    {
        return string.Equals(Request.Url.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);
    }

The first routine, Page_Load, simply adds the correct title to the html for the page.

The second routine, Page_PreInit, is more important.  It modifies the path to the master page so that ASP.Net can find the file when using SSL.


Programming

Chasing label alignment problems on ASP.Net web pages

by Codewiz51 June 30, 2009 09:28

I've put together a short article with screen shots on resolving right-alignment issues with labels.  The solutions are simple and obvious, once you know to look for them:

  1. Make sure the html element used for labels (span in this case) is large enough to handle different font settings.
  2. Be aware that the font you are using in the Visual Studio 2008 designer is probably not the same for most of your users.
  3. If layout is critical, you should probably specify font-family and font-size in the element's style. (However, be aware the user can override your settings.)
  4. Always test your web page with an accessible theme in IE or FireFox.

 


Programming

Bookpool is no more...

by Codewiz51 June 29, 2009 13:54

I used to purchase most of my technical literature from a web site called bookpool.com.  It was an excellent site for purchasing technical books.  Alas, today, I went to the site, determined that I would "catch up" on .NET 3.5 literature and get a head start on .Net 4.0.  But the site is gone!  (It's a GoDaddy unclaimed site now - not even a picture of Danica on the page to cheer me up.)  I did a quick search and found a lot of chatter in the April time frame that the site was down and it appeared the company had gone belly up.  I guess this is just another casualty of the recession.



Life

Sorry for the Google advertisements...

by Codewiz51 June 25, 2009 18:10

Sorry for the Google advertisements.  Economy is lousy, I need the money.  Please click.

The ads are terrible.  I know it, you know it.  All I can say is sorry for the cruddy google ads.


Life

Powered by BlogEngine.NET 1.5.0.7
Theme by Mads Kristensen | Modified by Mooglegiant



Disclaimer

This blog represents my personal hobby, observations and views. It does not represent the views of my employer, clients, especially my wife, children, in-laws, clergy, the dog, the cats or my daughter's horse. In fact, I am not even sure it represents my views when I take the time to reread postings.

© Copyright 2008