Oct2010
14

ASP.NET Controls - System.Web.UI.HtmlControls.HtmlButton client click hits the server twice

by nmgomes

Hi all,

At work we have about 5000 PC's that are mainly our commercial network. All those PC use intranet services and web applications.

Until a few months ago IE6 was our corporate browser (yep) but we ended moving to IE8.

A few days ago someone came to me saying that their application appears to have some problem because every time they click some HTML buttons the server gets two hits.

Also they are able to say that this didn't happen when they used the IE6.

In the faulty application the buttons that trigger two posts were System.Web.UI.HtmlControls.HtmlButton controls with Click event handlers registered.

After some research I found that the default type attribute value for HTML BUTTON element has changed in IE8 and later (here).

  • In IE7 and earlier the default value is 'button'
  • In IE8 and later the default value is 'submit'

This changed in browser default behavior was not reflected in the Server-Control that renders it: it doesn't set the type attribute value to button when a postback is required.

Without such change, every time we attached a Click event handler to a HtmlButton we endup with two posts: one triggered by the _doPostback function and another from the form itself (caused by the default type='submit' value.).

I easily bypass this problem by setting the type attribute value to 'button' in my base control.

Even so, I think that this change should be done by the framework itself when a postback is required in a HtmlButton.

After some 'reflection' I propose changing the System.Web.UI.Util.WriteOnClickAttribute method to do the job.

Such change would ensure the some behavior independent of the browser version.

If you have another workaround or you think I'm completely wrong please let me know.

Also if you think this is a real problem that should be solved then visit this Connect entry I create.

Filed in: ASP.NET

Sep2010
28

Patch For ASP.NET Vulnerability Available

by nmgomes

Microsoft has published a Security Advisory (2416728) about a security vulnerability in ASP.NET on Saturday, September 18th. This vulnerability exists in all versions of ASP.NET and was publically disclosed late Friday at a security conference.

Scott Guthrie has provided information on workarounds (please see Important: ASP.NET Security Vulnerability and ASP.NET Security Vulnerability) to prevent attackers from using this vulnerability against their ASP.NET applications.

To help with Microsoft’s response to the new padding oracle vulnerability, a new forum was also set up: Security Vulnerability.

Microsoft has now announced the release of an out-of-band security update to address the ASP.NET Security Vulnerability.

Applying the update addresses the ASP.NET Security Vulnerability, and once the update is applied to your system the workarounds Scott has previously blogged about will no longer be required. But, until the update has been installed, those workarounds must be used.

You can learn more about this security update release from this reading the Microsoft Security Response Center Blog Post as well as the official Advance Notification Bulletin.

Important Links:

Filed in: ASP.NET | Security

Sep2010
18

jQuery UI on the Microsoft CDN

by nmgomes

Microsoft is now hosting jQuery UI on the Microsoft Ajax CDN (uncompressed and compressed versions) as well as all the pre-built themes.

Remember that CDN using is free and no registration is required.

For more information check out Stephen Walther’s announcement from Microsoft.

Filed in: ASP.NET