Latest Discussions
C# code causing XSS vulnerability

Hello,

We get a vulnerability scan that is showing that one of my pages is susceptible to an XSS attack. We are using a Telerik tree view to display different data when the nodes are expanded. This is the information they reported back to me.

Issue Detail

The value of the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter is copied into the HTML document as plain text between tags. The payload sbi7s<script>alert(1)</script>tx52l was submitted in the scrollPosition JSON parameter within the ctl00_ContentPlaceHolder1_VIndex2_tvIndex_ClientState parameter. This input was echoed unmodified in the application's response.

Request

older1_VIndex2_tvIndex_ClientState=%7b%22expandedNodes%22%3a[]%2c%22collapsedNodes%22%3a[]%2c%22logEntries%22%3a[]%2c%22selectedNodes%22%3a[]%2c%22checkedNodes%22%3a[]%2c%22scrollPosition%22%3a%220**sbi7s%3cscript%3ealert(1)%3c%5c%2fscript%3etx52l**%22%7d&ctl00_RadWindowManager1_ClientState=&__ASYNCPOST=true&ctl00%24ContentPlaceHolder1%24VIndex2%24btnAddCart=Add%20To%20Cart

Response

> HTTP/2 200 OK
> Cache-Control: no-cache
> Pragma: no-cache
> Content-Type: text/plain; charset=utf-8
> Expires: -1
> Server: Microsoft-IIS/10.0
> X-Powered-By: ASP.NET
> X-Frame-Options: SAMEORIGIN
> X-Ua-Compatible: IE=edge,IE=11,IE=10,IE=9,IE=8,IE=7
> Strict-Transport-Security: max-age=31536000
> Date: Wed, 19 Mar 2025 16:26:27 GMT
> Content-Length: 82
> 68|error|500|0**sbi7s<script>alert(1)</script>tx52l** is not a valid value for Int32.|

What is the best way to pinpoint this issue? How do I fix this so it isn't showing up on the scans?

Solved | Jerry8989- | Mar 20, 2025 | Copper Contributor | 122 Views | 0 likes | 3 Comments

Module object available in .NET 6 Blazor WASM Project, but not in .NET 8+ After Upgrade
I have a working project in .NET 6 that calls the following JS code:

```javascript
export function synchronizeFileWithIndexedDb(filename) {
    return new Promise((res, rej) => {
        const db = window.indexedDB.open('SqliteStorage', 1);
        db.onupgradeneeded = () => {
            db.result.createObjectStore('Files', { keypath: 'id' });
        };

        db.onsuccess = () => {
            const req = db.result.transaction('Files', 'readonly').objectStore('Files').get('file');
            req.onsuccess = () => {
                Module.FS_createDataFile('/', filename, req.result, true, true, true);
                res();
            };
        };
    });
}
```

And behind the scenes in OnInitializedAsync:

```csharp
if (RuntimeInformation.IsOSPlatform(OSPlatform.Create("browser")))
{
    // create SQLite database file in browser
    var module = await _js.InvokeAsync<IJSObjectReference>("import", "./dbstorage.js");
    await module.InvokeVoidAsync("synchronizeFileWithIndexedDb", SqliteDbFilename);
}
```

This works perfectly in .NET 6, which is unfortunately now EOL. Simply upgrading it to .NET 8 causes "Module" (see line 11) to no longer be defined. I ran into the same problem using a brand new .NET 9 project as well. If it's .NET 6 it works, .NET 8 or higher it breaks.

Is this a known issue? I'm afraid of upgrading anything with JS Interop now 😛 Is there a path forward? I tried changing Module to DotNet, based on reading MSFT docs, but that didn't work. I don't want to go back to .NET 6 to solve this if I don't have to :)

You can try it yourself simply by upgrading the following Sqlite WASM project: https://github.com/TrevorDArcyEvans/BlazorSQLiteWasm

Solved | Auri_Rahimzadeh | Jan 17, 2025 | Copper Contributor | 83 Views | 0 likes | 1 Comment

Adding an Icon to the iPhone HomeScreen disables Blazor Server re-connection indefinitely.
When I use my Blazor Server app (.NET 8) with Safari on my iPhone, I am asked to Reconnect to the Server when the connection is lost. I swipe down and a connection is re-established.

If I make an Icon on the iPhone Home Screen (mimicking an iPhone app) I am unable to re-establish a Connection. Swiping down to refresh the page does nothing.

Is there a solution for this via Blazor Server?

Thank you

Solved | Axium7 | Dec 31, 2024 | Copper Contributor | 70 Views | 0 likes | 1 Comment

React website with ASP.NET and IIS : API not working
Hi,

I have found a lot of similar issues on the web but none was working for me, and I am so desperate after days so I am posting here and hope someone can help.

I have an ASP.NET server that serves a React website, and also works as an API for the website itself. The server runs on a Windows 11 PC with IIS, in C:/MyWebSite. This folder contains the ASP.NET server (.exe, .dll, etc), the IIS configuration (web.config) and the built React website (index.html, favicon.ico and assets folder).

The server succeeds in showing my main page, but it fails doing an API request. The API request fails as well when I call it from Postman, and gives me the error "HTTP 404.0 - Not Found" with these details:

    Module IIS Web Core
    Notification : MapRequestHandler
    Handler : StaticFile
    Error code : 0x80070002

FYI, the request is GET http://localhost:5058/api/configuration/settings

Concerning ASP.NET, here is my Program.cs:

```csharp
using Microsoft.AspNetCore.Authentication.JwtBearer;
using Microsoft.IdentityModel.Tokens;
using System.Text;

// Create the web application builder
var builder = WebApplication.CreateBuilder(args);

// JWT authentication
builder.Services.AddAuthentication(options =>
{
    options.DefaultAuthenticateScheme = JwtBearerDefaults.AuthenticationScheme;
    options.DefaultChallengeScheme = JwtBearerDefaults.AuthenticationScheme;
})
.AddJwtBearer(options =>
{
    string? tKey = builder.Configuration["Jwt:Key"];
    options.TokenValidationParameters = new TokenValidationParameters
    {
        ValidateIssuer = true,
        ValidateAudience = true,
        ValidateLifetime = true,
        ValidateIssuerSigningKey = true,
        ValidIssuer = builder.Configuration["Jwt:Issuer"],
        ValidAudience = builder.Configuration["Jwt:Audience"],
        IssuerSigningKey = tKey != null ? new SymmetricSecurityKey(Encoding.UTF8.GetBytes(tKey)) : null
    };
});

// Add the controllers to the application (for input http requests)
builder.Services.AddControllers();

// Configure CORS policy
builder.Services.AddCors(options =>
{
    options.AddPolicy("AllowAllOrigins", builder =>
    {
        builder.AllowAnyOrigin()
               .AllowAnyHeader()
               .AllowAnyMethod();
    });
});

// Create the App
var app = builder.Build();

// Applies the CORS policy
app.UseCors("AllowAllOrigins");

// Serving the static files
app.UseDefaultFiles();
app.UseStaticFiles();

app.UseRouting();

// Map the routes to the controllers
app.MapControllers();

// Undefined route will lead to index.html
app.MapFallbackToFile("index.html");

// Run the App
app.Run();
```

Of course, I have created some controllers, here is ConfigurationController.cs for example:

```csharp
using Microsoft.AspNetCore.Mvc;

namespace AspReact.Server.Controllers
{
    [ApiController]
    [Route("api/configuration")]
    public class GeneralController : ControllerBase
    {
        [HttpGet("settings")]
        public ActionResult GetSettings()
        {
            return Ok(new { language = "fr", theme = 0 });
        }

        [HttpPost("settings")]
        public ActionResult SetSettings([FromQuery] string language, [FromQuery] string theme)
        {
            m_tLanguage = language;
            m_tTheme = theme;
            return Ok();
        }
    }
}
```

Here is my IIS configuration:

```xml
<?xml version="1.0"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="React Routes" stopProcessing="true">
          <match url=".*" />
          <conditions logicalGrouping="MatchAll">
            <add input="{REQUEST_FILENAME}" matchType="IsFile" negate="true" />
            <add input="{REQUEST_FILENAME}" matchType="IsDirectory" negate="true" />
            <add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
          </conditions>
          <action type="Rewrite" url="/" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
```

NB: At first I was not doing:

```xml
<add input="{REQUEST_URI}" pattern="^/(api)" negate="true" />
```

And the API request was returning the content of index.html... If it can help.

Please note that all this is working during development with the server running in a debug console.

I would be grateful for any help! Thanks.

Solved | AlexTekeuf | Nov 22, 2024 | Copper Contributor | 398 Views | 0 likes | 2 Comments

Dynamic form generation from dictionary
ASP.NET Blazor app brand spanking new to the stuff here. Trying a move from Apache PHP.

Trying to create a dynamic form from a dictionary generated from a separate class. I've banged my head against the wall for hours and can't get past this point.

This makes everything a text box, and when it's done this way I can see the data change from the submit method. Any time I try to create a bool (checkbox) or number field I get conversion errors or worse.

That dictionary _registry.Fields.FieldsData looks like this (converted to JSON to use here):

```json
{
  "ID": { "ID": "47", "fld_app": "5", "fld_human": "ID", "fld_column": "ID", "fld_enable": "True", "fld_type": "int", "fld_pdotype": "", "fld_length": "NULL", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "1", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column1": { "ID": "48", "fld_app": "5", "fld_human": "Column1", "fld_column": "Column1", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "2", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column2": { "ID": "49", "fld_app": "5", "fld_human": "Column2", "fld_column": "Column2", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "3", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column3": { "ID": "50", "fld_app": "5", "fld_human": "Column3", "fld_column": "Column3", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "4", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column4": { "ID": "51", "fld_app": "5", "fld_human": "Column4", "fld_column": "Column4", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "5", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column5": { "ID": "52", "fld_app": "5", "fld_human": "Column5", "fld_column": "Column5", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "6", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" },
  "Column6": { "ID": "53", "fld_app": "5", "fld_human": "Column6", "fld_column": "Column6", "fld_enable": "True", "fld_type": "nvarchar", "fld_pdotype": "", "fld_length": "50", "fld_precision": "", "fld_pass": "", "fld_opt": "False", "fld_opt_table": "", "fld_opt_column": "", "fld_icon_set": "", "fld_regex": "", "fld_uom": "", "fld_placeholder": "", "fld_usr_ID": "False", "fld_link": "", "fld_index": "True", "fld_detail": "True", "fld_form": "True", "fld_order": "7", "fld_title": "False", "fld_required": "False", "fld_double": "False", "fld_encrypt": "False", "fld_time": "False", "fld_image": "False", "fld_unique": "False", "fld_json": "False" }
}
```

The .razor component:

```razor
@page "/FieldsAdmin"
@inject ILogger<FieldsAdmin> Logger
@inject portalx.Classes.Main.DBO Database
@using System.Data
@using System.Collections.Generic
@inject portalx.Classes.Main._reg _registry
@using System.Text.Json

<form method="post" @onsubmit="Submit" @formname="FieldsAdmin">
    <AntiforgeryToken />
    @if (_registry.Fields.FieldsData != null)
    {
        @foreach (var row in _registry.Fields.FieldsData)
        {
            <div class="form-row">
                @foreach (var field in row.Value)
                {
                    <div class="form-group col-md-6">
                        <label>@field.Key</label>
                        @{
                            var key = $"{row.Key}-{field.Key}";
                            if (!Model!.DynamicFields.ContainsKey(key))
                            {
                                Model!.DynamicFields[key] = field.Value?.ToString() ?? string.Empty;
                            }
                        }
                        <InputText @bind-Value="Model!.DynamicFields[key]" />
                    </div>
                }
            </div>
        }
    }
    <div>
        <button type="submit">Submit</button>
    </div>
</form>

<div>
    <h3>Fields Data (JSON)</h3>
    <pre>@jsonString</pre>
</div>

@code {
    [SupplyParameterFromForm]
    private ModelFieldsAdmin? Model { get; set; }

    private Dictionary<string, string> dataDict { get; set; }
    private string jsonString { get; set; }

    protected override void OnInitialized()
    {
        Model ??= new();
        dataDict = new Dictionary<string, string>
        {
            { "ID", "hidden" },
            { "fld_app", "skip me" },
            { "fld_human", "text" },
            { "fld_column", "skip me" },
            { "fld_enable", "bool" },
            { "fld_type", "skip me" },
            { "fld_pdotype", "skip me" },
            { "fld_length", "skip me" },
            { "fld_precision", "skip me" },
            { "fld_pass", "bool" },
            { "fld_opt", "bool" },
            { "fld_opt_table", "text" },
            { "fld_opt_column", "text" },
            { "fld_icon_set", "text" },
            { "fld_regex", "text" },
            { "fld_uom", "text" },
            { "fld_placeholder", "text" },
            { "fld_usr_ID", "bool" },
            { "fld_link", "bool" },
            { "fld_index", "bool" },
            { "fld_detail", "bool" },
            { "fld_form", "bool" },
            { "fld_order", "number" },
            { "fld_title", "bool" },
            { "fld_required", "bool" },
            { "fld_double", "bool" },
            { "fld_encrypt", "bool" },
            { "fld_time", "bool" },
            { "fld_image", "bool" },
            { "fld_unique", "bool" },
            { "fld_json", "bool" }
        };
        jsonString = JsonSerializer.Serialize(_registry.Fields.FieldsData, new JsonSerializerOptions { WriteIndented = true });
    }

    private void Submit()
    {
        foreach (var kvp in Model!.DynamicFields)
        {
            Logger.LogInformation("Field Key: {Key}, Value: {Value}", kvp.Key, kvp.Value);
        }
    }

    public class ModelFieldsAdmin
    {
        public string? Id { get; set; }
        public Dictionary<string, string> DynamicFields { get; set; } = new Dictionary<string, string>();
    }
}
```

Solved | KillGorack | Nov 09, 2024 | Copper Contributor | 152 Views | 0 likes | 1 Comment

ajax and connection to mvc .net
I need to access some C# code from JavaScript in MVC .NET (not Blazor). I have the below. This is very specific to .NET and MVC stack and not a generic ajax question like another one in Stack Overflow.

I get no error message, it just continues to the next statement after the ajax call. There could be 2 possible issues I think. My url: '/Home/CreatePostcodeFromCoordinates', is wrong. Or my C# assembly is not part of the assembly? or something similar.

I am not that experienced with Web techs, I come from a DB background but can't be that difficult to get this link working right? Can't see anything else wrong. Also does the return value from C# need to be some special format or a string (as per now) is ok? this could be another reason?

Thank you!

```javascript
console.log("just before /Home/CreatePostcodeFromCoordinates");
$.ajax({
    type: "POST",
    url: '/Home/CreatePostcodeFromCoordinates',
    data: { param1: longitude, param2: latitude },
    success: function (response) {
        console.log('success');
        console.log(response);
    },
    error: function (error) {
        console.error(error);
    }
});
```

Solved | panos2024b | Oct 28, 2024 | Copper Contributor | 156 Views | 0 likes | 1 Comment

Checkbox values empty if other form fields are empty when POST form
I have hit a road block on an ASP.NET/Razor Pages project I am working on. I have a form with checkboxes. I have a List<int> field that is bound to the Id of the checkboxes. If I submit the form with only the checkboxes checked the List is always null. However, if I type text in a textbox in the form before submitting, the checkbox values are POST'd correctly.

Looking for any hints on things to try or check to help me narrow down the problem.

Thanks for any suggestions.

Solved | MarioF2110 | Sep 20, 2024 | Copper Contributor | 315 Views | 0 likes | 2 Comments

Could not set or bind model property with Bootstrap Datepicker in Blazor
I am using bootstrap datepicker and the problem is that when I pick a date, it does not fire a change or input event and nothing is binding with the model property Course.StartDate or Course.EndDate. The default datepicker works but does not support Afghanistan datetime. That is why I use bootstrap datepicker.

Blazor code:

```razor
@using Microsoft.AspNetCore.Mvc.Rendering
@using myproject.Data
@using Microsoft.JSInterop;
@inject myproject.Repository.CoursesRepository _coursesRepository
@inject IJSRuntime JS

<EditForm Model="@Course" OnValidSubmit="e=> { if(selectedId == 0) { addCourse(); } else { updateCourse(Course.CourseId); } }">
    <div class="mb-2">
        <div>@Course.StartDate</div>
        <label class="col-form-label" for="StartDate">@Loc["Start Date"]<span class="text-danger fs--1">*</span>:</label>
        <InputDate class="form-control" @bind-Value="Course.StartDate" @bind-Value:format="yyyy-MM-dd" id="StartDate" />
        <ValidationMessage class="text-danger" For="(() => Course.StartDate)"/>
    </div>
    <div class="mb-2">
        <label class="col-form-label" for="EndDate">@Loc["End Date"]<span class="text-danger fs--1">*</span>:</label>
        <InputDate class="form-control" @bind-Value="Course.EndDate" @bind-Value:format="yyyy-MM-dd" id="EndDate"/>
        <ValidationMessage class="text-danger" For="(() => Course.EndDate)"/>
    </div>
</EditForm>

@code {
    public CourseModel Course = new();
    public string[] dates = new string[] { "#StartDate", "#EndDate" };

    protected override void OnAfterRender(bool firstRender)
    {
        base.OnAfterRender(firstRender);
        loadScripts();
    }

    void addCourse()
    {
        _coursesRepository.AddCourse(Course);
        FillData();
        Course = new();
        var title = "Course";
        Swal.Success(title : Loc[$"{title} added successfully"],toast : true);
    }

    // initializes the datepicker
    public async Task loadScripts()
    {
        await JS.InvokeVoidAsync("initializeDatepicker", (object) dates);
    }
}
```

This is the script for initializing the datepickers:

```html
<script>
    function initializeDatepicker(dates) {
        dates.forEach((element) => {
            $(element).datepicker({
                onSelect: function(dateText) {
                    // this is not working
                    element.value = this.value;
                    /*
                    tried this and still not working
                    $(element).trigger("change");
                    also tried this and still not working
                    $(element).change();
                    */
                    // this is working
                    console.log("Selected date: " + dateText + "; input's current value: " + this.value);
                },
                dateFormat: 'yy-mm-dd',
                changeMonth: true,
                changeYear: true
            });
        });
    }
</script>
```

Solved | najeeb-anwari | Oct 17, 2022 | Copper Contributor | 4.7K Views | 0 likes | 2 Comments

Scraping and Automation
Hey There!

Basically, I want to make a website that can scrape data from other websites without using an API in the same way that cURL in PHP scrapes data from other websites. I would like to know if it is possible to do this type of programming in ASP.net. My final year project will be an ASP.net project that focuses on automation and that I wish to do in ASP.net.

Thanks.

Solved | jason006 | Sep 01, 2022 | Copper Contributor | 922 Views | 0 likes | 2 Comments