Articles : Page 1 of 1
- Wishful Thinking: Why can't HTML fix Script Attacks at the Source? (Apr 15, 2012)
  The Web can be an evil place, especially if you're a Web Developer blissfully unaware of Cross Site Script Attacks (XSS). Even if you are aware of XSS in all of its insidious forms, it's extremely complex to deal with all the issues if you're taking user input and you're actually allowing users to post raw HTML into an application. I'm dealing with this again today in a Web application where legacy data contains raw HTML that has to be displayed and users ask for the ability to use raw HTML as...
- ASP.NET MVC + Selenium + IISExpress (Dec 22, 2011)
  The goal of this blog entry is to explain how you can create integration tests for ASP.NET MVC applications by using a combination of Selenium WebDriver and IISExpress. Integration tests are useful when you want to test an entire user story. For example, you might want to test whether a user can successfully add an item to a shopping cart. Adding an item to a shopping cart might require the execution of C# code, database code, and JavaScript code. Using an integration test, you can verify t...
- Scott Hanselman's 2011 Ultimate Developer and Power Users Tool List for Windows (Dec 1, 2011)
  Everyone collects utilities, and most folks have a list of a few that they feel are indispensable. Here's mine. Each has a distinct purpose, and I probably touch each at least a few times a week. For me, util means utilitarian and it means don't clutter my tray. If it saves me time, and seamlessly integrates with my life, it's the bomb. Many/most are free; some aren't. Those that aren't free are very likely worth your 30-day trial, and perhaps your money. Here are most of the contents of my ...
- Implementing an Authorization Attribute for WCF Web API (Oct 20, 2011)
  If you're not familiar with WCF Web API, it's a framework with nice HTTP abstractions used to expose simple HTTP services over the web. Its focus is targeted at applications that provide HTTP services for various clients such as mobile devices, browsers, and desktop applications. In some ways, it's similar to ASP.NET MVC as it was developed with testability and extensibility in mind. There are some concepts that are similar to ASP.NET MVC, but with a twist. For example, where ASP.NET MVC has fi...
- Preventing CSRF With Ajax (Oct 11, 2011)
  A long while ago I wrote about the potential dangers of Cross-site Request Forgery attacks, also known as CSRF or XSRF. These exploits are a form of confused deputy attack. (Screen grab from The Police Academy movie.) In that post, I covered how ASP.NET MVC includes a set of anti-forgery helpers to help mitigate such exploits. The helpers include an HTML helper meant to be called in the form that renders a hidden input, and an attribute applied to the controller action to protect. These helpers...
- Loading jQuery Consistently in a .NET Web App (Oct 10, 2011)
  One thing that frequently comes up in discussions when using jQuery is how to best load the jQuery library (as well as other commonly used and updated libraries) in a Web application. Specifically the issue is the one of versioning and making sure that you can easily update and switch versions of script files with application wide settings in one place and having your script usage reflect those settings in the entire application on all pages that use the script. Although I use jQuery as an exa...
- 7 books for a .NET Summer reading list (2011 version) (Sep 12, 2011)
  In the previous years "n books for a .NET Summer reading list" used to be the title of the book list post. Now, in the last of my 4 posts with book suggestions I am back to the original title. In my introductory post I said I would have listed only a few web development on .NET books. In fact there are only 2. Web Development on .NET: Professional ASP.NET MVC 3. While Professional ASP.NET MVC v2 was mainly an update of the original professional MVC1 book, the third remake, due to the nature o...
- Installing and Running node.js applications within IIS on Windows - Are you mad? (Aug 28, 2011)
  Some folks on our team have been working on making node.js work awesomely on Windows. There's a few questions you might have. First, what's node.js? If you're not familiar with node.js, it's a new web programming toolkit that everyone's talking about. It's the one that makes you feel not hip if you don't know what it is. Like Ruby on Rails was a few years back. Folks called it Node and it's basically server-side JavaScript. The idea is that if you are doing a bunch of JavaScript on the cl...
- NuGet Package of the Week #9 - ASP.NET MiniProfiler from StackExchange rocks your world (Jul 22, 2011)
  I LOVE great debugging tools. Anything that makes it easier for me to make a site correct and fast is glorious. I've talked about Glimpse, an excellent firebug-like debugger for ASP.NET MVC, and I've talked about ELMAH, an amazing logger and error handler. Now the triad is complete with MiniProfiler, my Package of the Week #9. Yes, #9. I'm counting System.Web.Providers as #8, so phooey. ;) Hey, have you implemented the NuGet Action Plan? Get on it, it'll take only 5 minutes: NuGet Action...
- Hanselminutes Podcast 272 - Basics of Web Security with Barry Dorrans (Jun 29, 2011)
  Scott sits down with Microsoft Security Engineer Barry Dorrans to get a general sense of the basics of Web Security in 2011. Who are the groups in the news most often? What threats are nailing websites most often today, and are they different from classic threats? Where do we start to protect our sites? Download: MP3 Full Show. NOTE: If you want to download our complete archives as a feed - that's all 271 shows, please subscribe to the Complete MP3 Feed here. Also, please do take a momen...

