This is the continuation of my previous article, Simple But Interesting Features of VS 2012: Part 1. Please go through that article before reading this one. Here are more features I have explored.
Cross-site scripting (XSS) is a security threat whenever a developer allows scripts and HTML tags in submitted data. But in many situations we need our page to support HTML and scripts. For such situations .NET 4.5 provides us with two features:
- Deferred ("lazy") request validation, for a selected part of the request
- Access to unvalidated request data
Whenever a request is made, the complete request data is validated, and if validation is turned off, nothing is validated at all. With lazy request validation, only the required data is validated. To enable lazy request validation, set the "requestValidationMode" attribute to "4.5" in the "httpRuntime" element in web.config.
Here is how it works. Take a simple example: suppose I wish to validate data only when a particular button is clicked. In that scenario I don't want the request validated when the page loads; it should be validated when the button is clicked. This was not possible with earlier versions of .NET, but lazy request validation makes it possible in .NET 4.5.
It can be used like:
I have added two ASP textboxes and one ASP button. I have set requestValidationMode to 4.5. The moment I tried to enter a string with an HTML tag, I got the error "Potential dangerous request...."
This is my code:
The moment I replace the ASP textbox server control with a simple HTML control and click the submit button, it works fine. The structure looks like this:
Now let's access the same from the code:
Again I get the same error, "Potential dangerous request...". But when I access the value with a slight change in the code, it works fine.
Now, returning to the ASP textboxes, in other words server controls: .NET tries to use the posted data to maintain the view state, so the error is encountered. To avoid this, .NET has introduced the "ValidateRequestMode" property. We can set it to "Disabled" on the textbox for which we don't want the server to perform request validation.
After adding ValidateRequestMode, it works fine.
This feature is important because earlier we would set request validation to false at the page level, and the entire page became open to cross-site scripting. With this feature only one part is opened, and the rest of the page remains protected from XSS attacks.
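The cases described above, combined in one code-behind. This is an added example, not the author's code; the page name, control IDs and field names are assumptions chosen for illustration.

```csharp
// Added example (not the article's code). Assumed web.config setting:
//   <httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
// Assumed markup in a hypothetical Default.aspx:
//   <input type="text" name="plainTitle" />
//   <input type="text" name="plainComment" />
//   <asp:TextBox ID="txtName" runat="server" />
//   <asp:TextBox ID="txtBody" runat="server" ValidateRequestMode="Disabled" />
//   <asp:Button ID="btnSubmit" runat="server" Text="Submit" OnClick="btnSubmit_Click" />
//   <asp:Literal ID="litPreview" runat="server" />
using System;
using System.Web;
using System.Web.UI;

public partial class _Default : Page
{
    protected void btnSubmit_Click(object sender, EventArgs e)
    {
        string title;
        try
        {
            // Lazy validation: only this key is checked, and only now, on access.
            title = Request.Form["plainTitle"];
        }
        catch (HttpRequestValidationException)
        {
            // Markup in a field that should never contain it: reject the value.
            litPreview.Text = "The title must not contain HTML.";
            return;
        }

        // Explicit opt-out for one field: no validation is performed on this read.
        string comment = Request.Unvalidated.Form["plainComment"];

        // txtName was validated by the framework while it loaded its post data,
        // before this handler ran. txtBody was not, because
        // ValidateRequestMode="Disabled" is set on that control only.
        string name = txtName.Text;
        string body = txtBody.Text;

        // Unvalidated input is untrusted: HTML-encode everything on output.
        litPreview.Text = string.Join("<br />",
            HttpUtility.HtmlEncode(name),
            HttpUtility.HtmlEncode(title),
            HttpUtility.HtmlEncode(comment),
            HttpUtility.HtmlEncode(body));
    }
}
```

Request validation no longer screens the values read through Request.Unvalidated or from a control with validation disabled, so output encoding is the only thing standing between those fields and the rendered page.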
CSS Editor: Hierarchy Indentation
The moment we create a hierarchy with CSS, it is automatically indented and we can see the inheritance. Hierarchical indentation is enabled by default, but if the user wishes, it can be disabled. To turn it off, select Tools -> Options -> Text Editor -> CSS -> Formatting. See:
In the figure below, you can see a 3-level hierarchy. The first level is the div, then the next is an anchor inside the div and the third level is hover on anchor inside the div.