Posted by: Gabe Hilado in ASP.NET,SharePoint on August 2nd, 2011

When you are developing custom SharePoint web parts using SharePoint Object Model, it’s not enough that you can properly render contents in “Browse mode”.  Your web part must also take into account when the page it is attached to goes into “Edit mode”. In this blog post, I enumerate the different states the web part can be in in any given time. Sometimes, you would want to limit the functionality of the web part when it is not in “Browse mode”. And this is why you check what state the part is in before rendering contents for it.

You must also take into consideration the following use-cases that your web part will participate in:

  • From the site’s Web Part Gallery, clicking the web part and rendering it in “Preview mode”.
  • When editing the page that has the web part in SharePoint Designer 2010, that the web part renders properly as a user-control.

I want to focus on properly rendering the Web part in SharePoint Designer because this is a use-case that can be commonly missed. Today, I was testing a web part I am developing for Zenpo Software Innovations when I encountered the following error in SharePoint Designer 2010:

Error Creating Control in SharePoint Designer

“Error Creating Control” – what does that mean?

 

The web part’s OnLoad and OnInit event-handlers didn’t check that the page is in “design mode”. So, it tried to render its content as if it was in browse-mode.

The web part uses custom JavaScript. I have to register the scripts in order for the web part to use them. I implement the script-registration during the OnInit event of the web part like the following:

        protected override void OnInit(EventArgs e)
        {
                if (!Page.ClientScript.IsClientScriptIncludeRegistered("Script1"))
                {
                     scriptRegistered = false;
                     Page.ClientScript.RegisterClientScriptInclude("Script1",
                            Page.ClientScript.GetWebResourceUrl(this.GetType(),
                            "Zenposoft.Script1.js"));
                }
        }

This script registration code works fine on the web browser. The problem is when this code is invoked during SPD-editing of the web part page, Page.ClientScript.GetWebResourceUrl returns empty string (under normal browsing state, it would have returned the URL to the WebResource.axd file). And you cannot pass an empty string URL to the Page.ClientScript.RegisterClientScriptInclude method (it will throw an exception if you pass an empty URL). The web part really had no business trying to register scripts during design-time.

You might say to yourself, “this shouldn’t be an issue since Web part pages are edited through the browser anyway”. Think again! Web designers at your organization will use SharePoint Designer at some point to edit SharePoint pages and if your web part cannot handle “design mode” correctly, the designers will see the ugly “Error Creating Control” in SPD. You cannot instill confidence in the use of your web part if it’s throwing exceptions in SharePoint Designer!!!

So, how do we fix this? You can use the one of the following or both:

I found this Microsoft SharePoint Designer Team Blog post that has nice explanation on how to create “designer friendly controls”. SPContext.Current.IsDesignTime and Control.DesignMode are mentioned in that blog post.

First, I modify the OnInit event-handler such that I register scripts only when “not in design mode”:

        protected override void OnInit(EventArgs e)
        {
            if (!this.DesignMode && !SPContext.Current.IsDesignTime)
            {
                if (!Page.ClientScript.IsClientScriptIncludeRegistered("Script1"))
                {
                    scriptRegistered = false;
                    Page.ClientScript.RegisterClientScriptInclude("Script1",
                            Page.ClientScript.GetWebResourceUrl(this.GetType(),
                            "Zenposoft.Script1.js"));
                }
            }
        }

After deploying the modified Web part, we check SharePoint Designer and the errors are gone:

SPD-Error-Gone

SharePoint Designer Errors - Gone

Yes, the errors are gone but we need to display something where the web part(s) are embedded. If the web part in on the page, the designer should render something there; it can’t be just white-space.

In order to render something in “design mode”, we override the Render method of the web part:

        protected override void Render(HtmlTextWriter writer)
        {
            if (this.DesignMode || SPContext.Current.IsDesignTime)
            {
                writer.Write("<input type="button" value="Web part is in edit mode..." />");
            }
            else
            {
                base.Render(writer);
            }
        }

If the web part is in “design mode”, we render a simple HTML button. Otherwise, we let the base class (WebPart) handle the rendering. Deploy the updated web part and you should now see the following in SharePoint Designer:

SPD-Render-Control

Render HTML button in Desing Mode

To summarize, you will want to render web parts correctly in designers such as SPD 2010.  The likelihood that Web designers will edit SharePoint pages in SPD is high enough that you will want to “design mode” for your web part to run properly.

Posted by: Gabe Hilado in ASP.NET,Security on September 29th, 2010

Microsoft came out today with an out-of-band security update for the ASP.NET Padding Oracle Attack Vulnerability. If you didn’t perform the recommended workaround last week (when this vulnerability was disclosed) because you thought the Microsoft update was going to come out soon–well, I think you got lucky today now that the update is out. BUT, I hope your public ASP.NET sites didn’t get exploited during all that time! Now that the update is out, you should look into the following Microsoft Security Bulletin as soon as possible:

http://www.microsoft.com/technet/security/bulletin/MS10-070.mspx

Posted by: Gabe Hilado in ASP.NET,IIS,Security on September 22nd, 2010

Yesterday, I blogged about the newest ASP.NET Vulnerability. As of this writing, there is still no patch for the ASP.NET Security Advisory 2416728. If the detection tool as part of the workaround provided by Microsoft reports that your apps are okay, then you don’t have nothing to worry about—just wait for the security update (what else can you do?).

Now, if the detection tool reports that your apps are vulnerable, and the apps are public-facing (on the Web), you will really want to consider the workaround.

The emphasis of the workaround is to “homogenize the error codes”. The exploit relies on error codes returned by the application to an attacker. The more differentiated the error codes, the more it learns about the encryption, and the better chance it has on cracking the encryption (read-up on “Padding Oracle Attack”).

I created a stripped-down test ASP.NET Web application project that initially has customErrors=”Off”. Within the project, I created pages that will deliberately throw errors. I have a “Divide by Zero” page, a “Throw Error” page, a “View State Exception” page, and a link from the default page to a non-existent page. I used Fiddler to monitor the traffic to and from the app while customErrors=”Off”. Next, I apply Scott Guthrie’s ASP.NET workaround for this vulnerability. I set customErrors=”On” and initially, I use redirectMode=”ResponseRedirect”. The HTTP 500 response codes disappeared but there are still HTTP 302 (redirect) responses. See the evolution of the response codes as I changed the customErrors section:

Fiddler Screenshot of Mixed Error-Codes

customErrors=”On” starts at line 13 in the screenshot above. No more HTTP 500 once customErrors was turned on. However, there are still HTTP 302, which may clue-in the attacker that an error occurred and hence the redirect to a generic page.

So we change the customErrors element once more time. I set redirectMode=”ResponseRewrite”:

   

<customErrors mode="On" defaultRedirect="fatwhale.htm" redirectMode="ResponseRewrite" />

(By the way, in case you’re wondering what the “fatwhale.htm” page is, it is in reference to the twitter whale whenever twitter service gets overloaded.)

After setting redirectMode=”ResponseRewrite”, the traffic captured by Fiddler shows that everything is consistently HTTP 200, even though we know that run-time errors were occurring on the individual pages:

Fiddler Screenshot - All HTTP 200 Response

Scott responded to some of the comments in his blog post and he strongly encouraged people to homogenize the response/error codes. The Fiddler screenshots I showed above is what I think Scott Gu means by “homogenizing the codes”.

Newer Posts »