/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
/////////////////////////////////////////////////////////////////////////////
internal static String GetReturnUrl(bool useDefaultIfAbsent)
{
Initialize();
HttpContext context = HttpContext.Current;
String returnUrl = context.Request.QueryString[ReturnUrlVar];
// If it is not in the QueryString, look in the Posted-body
if (returnUrl == null)
{
returnUrl = context.Request.Form[ReturnUrlVar];
if (!string.IsNullOrEmpty(returnUrl) && !returnUrl.Contains("/") && returnUrl.Contains("%"))
{
returnUrl = HttpUtility.UrlDecode(returnUrl);
}
}
// Make sure it is on the current server if EnableCrossAppRedirects is false
if (!string.IsNullOrEmpty(returnUrl) && !EnableCrossAppRedirects)
{
if (!UrlPath.IsPathOnSameServer(returnUrl, context.Request.Url))
{
returnUrl = null;
}
}
// Make sure it is not dangerous, i.e. does not contain script, etc.
if (!string.IsNullOrEmpty(returnUrl) && CrossSiteScriptingValidation.IsDangerousUrl(returnUrl))
{
throw new HttpException(SR.GetString(SR.Invalid_redirect_return_url));
}
return((returnUrl == null && useDefaultIfAbsent) ? DefaultUrl : returnUrl);
}
internal static string GetReturnUrl(bool useDefaultIfAbsent)
{
Initialize();
HttpContext current = HttpContext.Current;
string str = current.Request.QueryString["ReturnUrl"];
if (str == null)
{
str = current.Request.Form["ReturnUrl"];
if ((!string.IsNullOrEmpty(str) && !str.Contains("/")) && str.Contains("%"))
{
str = HttpUtility.UrlDecode(str);
}
}
if ((!string.IsNullOrEmpty(str) && !EnableCrossAppRedirects) && !UrlPath.IsPathOnSameServer(str, current.Request.Url))
{
str = null;
}
if (!string.IsNullOrEmpty(str) && CrossSiteScriptingValidation.IsDangerousUrl(str))
{
throw new HttpException(System.Web.SR.GetString("Invalid_redirect_return_url"));
}
if ((str == null) && useDefaultIfAbsent)
{
return(DefaultUrl);
}
return(str);
}
public override bool ApplyChanges()
{
object editableObject = GetEditableObject();
Debug.Assert(editableObject != null);
if (editableObject == null)
{
return(true);
}
EnsureChildControls();
int count = Controls.Count;
Debug.Assert(count > 0);
if (count == 0)
{
return(true);
}
PropertyDescriptorCollection properties = GetEditableProperties(editableObject, true);
for (int i = 0; i < properties.Count; i++)
{
PropertyDescriptor pd = properties[i];
Control editorControl = (Control)EditorControls[i];
try {
object value = GetEditorControlValue(editorControl, pd);
// If the property is a url, validate protocol (VSWhidbey 290418)
if (pd.Attributes.Matches(urlPropertyAttribute) &&
CrossSiteScriptingValidation.IsDangerousUrl(value.ToString()))
{
_errorMessages[i] = SR.GetString(SR.EditorPart_ErrorBadUrl);
}
else
{
try {
pd.SetValue(editableObject, value);
}
catch (Exception e) {
_errorMessages[i] = CreateErrorMessage(e.Message);
}
}
}
catch {
// If custom errors are enabled, we do not want to render the property type to the browser.
// (VSWhidbey 381646)
if (Context != null && Context.IsCustomErrorEnabled)
{
_errorMessages[i] = SR.GetString(SR.EditorPart_ErrorConvertingProperty);
}
else
{
_errorMessages[i] = SR.GetString(SR.EditorPart_ErrorConvertingPropertyWithType, pd.PropertyType.FullName);
}
}
}
return(!HasError);
}
public static string GeneratePassword(int length, int numberOfNonAlphanumericCharacters)
{
string str;
int num;
if ((length < 1) || (length > 0x80))
{
throw new ArgumentException(System.Web.SR.GetString("Membership_password_length_incorrect"));
}
if ((numberOfNonAlphanumericCharacters > length) || (numberOfNonAlphanumericCharacters < 0))
{
throw new ArgumentException(System.Web.SR.GetString("Membership_min_required_non_alphanumeric_characters_incorrect", new object[] { "numberOfNonAlphanumericCharacters" }));
}
do
{
byte[] data = new byte[length];
char[] chArray = new char[length];
int num2 = 0;
new RNGCryptoServiceProvider().GetBytes(data);
for (int i = 0; i < length; i++)
{
int num4 = data[i] % 0x57;
if (num4 < 10)
{
chArray[i] = (char)(0x30 + num4);
}
else if (num4 < 0x24)
{
chArray[i] = (char)((0x41 + num4) - 10);
}
else if (num4 < 0x3e)
{
chArray[i] = (char)((0x61 + num4) - 0x24);
}
else
{
chArray[i] = punctuations[num4 - 0x3e];
num2++;
}
}
if (num2 < numberOfNonAlphanumericCharacters)
{
Random random = new Random();
for (int j = 0; j < (numberOfNonAlphanumericCharacters - num2); j++)
{
int num6;
do
{
num6 = random.Next(0, length);
}while (!char.IsLetterOrDigit(chArray[num6]));
chArray[num6] = punctuations[random.Next(0, punctuations.Length)];
}
}
str = new string(chArray);
}while (CrossSiteScriptingValidation.IsDangerousString(str, out num));
return(str);
}
protected internal virtual bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
{
if (requestValidationSource == RequestValidationSource.Headers)
{
validationFailureIndex = 0;
return(true); // Ignore Headers collection in the default implementation
}
return(!CrossSiteScriptingValidation.IsDangerousString(value, out validationFailureIndex));
}
/// <summary>
/// Check user-supplied text and return true if it contains any HTML, otherwise false.
/// </summary>
public static bool ContainsHtml(string s, out int matchIndex)
{
if (string.IsNullOrEmpty(s))
{
matchIndex = -1;
return(false);
}
return(CrossSiteScriptingValidation.IsDangerousString(s, true, out matchIndex));
}
/// <summary>
/// Check user-supplied text and return true if it contains any script, otherwise false. The check
/// is not perfect and errs on the safe side, so it may sometimes return true when there is no
/// actual script.
/// </summary>
public static bool ContainsScript(string s)
{
if (string.IsNullOrEmpty(s))
{
return(false);
}
int dummy;
return(CrossSiteScriptingValidation.IsDangerousString(s, false, out dummy));
}
public override bool ApplyChanges()
{
object editableObject = this.GetEditableObject();
if (editableObject == null)
{
return(true);
}
this.EnsureChildControls();
if (this.Controls.Count == 0)
{
return(true);
}
PropertyDescriptorCollection editableProperties = this.GetEditableProperties(editableObject, true);
for (int i = 0; i < editableProperties.Count; i++)
{
PropertyDescriptor pd = editableProperties[i];
Control editorControl = (Control)this.EditorControls[i];
try
{
object editorControlValue = this.GetEditorControlValue(editorControl, pd);
if (pd.Attributes.Matches(urlPropertyAttribute) && CrossSiteScriptingValidation.IsDangerousUrl(editorControlValue.ToString()))
{
this._errorMessages[i] = System.Web.SR.GetString("EditorPart_ErrorBadUrl");
}
else
{
try
{
pd.SetValue(editableObject, editorControlValue);
}
catch (Exception exception)
{
this._errorMessages[i] = base.CreateErrorMessage(exception.Message);
}
}
}
catch
{
if ((this.Context != null) && this.Context.IsCustomErrorEnabled)
{
this._errorMessages[i] = System.Web.SR.GetString("EditorPart_ErrorConvertingProperty");
}
else
{
this._errorMessages[i] = System.Web.SR.GetString("EditorPart_ErrorConvertingPropertyWithType", new object[] { pd.PropertyType.FullName });
}
}
}
return(!this.HasError);
}
protected override ValidationResult IsValid(object value, ValidationContext validationContext)
{
string s = value as string;
if (string.IsNullOrEmpty(s))
{
return(ValidationResult.Success);
}
return(CrossSiteScriptingValidation.IsDangerousString(s, out int matchIndex)
? new ValidationResult($"{validationContext.DisplayName} contains a potentially dangerous value.")
: ValidationResult.Success);
}
public static string Password(int length, int numberOfNonAlphanumericCharacters)
{
string str;
int num;
do
{
byte[] data = new byte[length];
char[] chArray = new char[length];
int num2 = 0;
new RNGCryptoServiceProvider().GetBytes(data);
for (int i = 0; i < length; i++)
{
int num4 = data[i] % 0x57;
if (num4 < 10)
{
chArray[i] = (char)(0x30 + num4);
}
else if (num4 < 0x24)
{
chArray[i] = (char)((0x41 + num4) - 10);
}
else if (num4 < 0x3e)
{
chArray[i] = (char)((0x61 + num4) - 0x24);
}
else
{
chArray[i] = punctuations[num4 - 0x3e];
num2++;
}
}
if (num2 < numberOfNonAlphanumericCharacters)
{
Random random = new Random();
for (int j = 0; j < (numberOfNonAlphanumericCharacters - num2); j++)
{
int num6;
do
{
num6 = random.Next(0, length);
}while (!char.IsLetterOrDigit(chArray[num6]));
chArray[num6] = punctuations[random.Next(0, punctuations.Length)];
}
}
str = new string(chArray);
}while (CrossSiteScriptingValidation.IsDangerousString(str, out num));
return(str);
}
internal static bool IsDangerousString(string s, out int matchIndex)
{
matchIndex = 0;
int startIndex = 0;
while (true)
{
int index = s.IndexOfAny(CrossSiteScriptingValidation.startingChars, startIndex);
if (index >= 0 && index != s.Length - 1)
{
matchIndex = index;
switch (s[index])
{
case '&':
if ((int)s[index + 1] != 35)
{
break;
}
else
{
goto label_7;
}
case '<':
if (CrossSiteScriptingValidation.IsAtoZ(s[index + 1]) || (int)s[index + 1] == 33 || ((int)s[index + 1] == 47 || (int)s[index + 1] == 63))
{
goto label_5;
}
else
{
break;
}
}
startIndex = index + 1;
}
else
{
break;
}
}
return(false);
label_5:
return(true);
label_7:
return(true);
}
public async Task Invoke(HttpContext context)
{
// Check XSS in URL
if (!string.IsNullOrWhiteSpace(context.Request.Path.Value))
{
var url = context.Request.Path.Value;
if (CrossSiteScriptingValidation.IsDangerousString(url, out _))
{
await RespondWithAnError(context).ConfigureAwait(false);
return;
}
}
// Check XSS in query string
if (!string.IsNullOrWhiteSpace(context.Request.QueryString.Value))
{
var queryString = WebUtility.UrlDecode(context.Request.QueryString.Value);
if (CrossSiteScriptingValidation.IsDangerousString(queryString, out _))
{
await RespondWithAnError(context).ConfigureAwait(false);
return;
}
}
// Check XSS in request content
var originalBody = context.Request.Body;
try
{
var content = await ReadRequestBody(context);
if (CrossSiteScriptingValidation.IsDangerousString(content, out _))
{
await RespondWithAnError(context).ConfigureAwait(false);
return;
}
await _next(context).ConfigureAwait(false);
}
finally
{
context.Request.Body = originalBody;
}
}
/// <devdoc>
/// Handles databinding the field and its controls.
/// </devdoc>
protected virtual void OnDataBindField(object sender, EventArgs e)
{
Control boundControl = (Control)sender;
Control controlContainer = boundControl.NamingContainer;
string urlValue = null;
string nullImageUrl = NullImageUrl;
string altText = GetFormattedAlternateText(controlContainer);
if (DesignMode && (boundControl is TableCell))
{
if (boundControl.Controls.Count == 0 || !(boundControl.Controls[0] is Image))
{
throw new HttpException(SR.GetString(SR.ImageField_WrongControlType, DataImageUrlField));
}
((Image)boundControl.Controls[0]).Visible = false;
((TableCell)boundControl).Text = GetDesignTimeValue();
return;
}
object data = GetValue(controlContainer, DataImageUrlField, ref _imageFieldDesc);
urlValue = FormatImageUrlValue(data);
if (boundControl is TableCell) // read-only
{
TableCell cell = (TableCell)boundControl;
if (cell.Controls.Count < 2 || !(cell.Controls[0] is Image) || !(cell.Controls[1] is Label))
{
throw new HttpException(SR.GetString(SR.ImageField_WrongControlType, DataImageUrlField));
}
Image image = (Image)cell.Controls[0];
Label label = (Label)cell.Controls[1];
label.Visible = false;
if (urlValue == null || (ConvertEmptyStringToNull && urlValue.Length == 0))
{
if (nullImageUrl.Length > 0)
{
urlValue = nullImageUrl;
}
else
{
image.Visible = false;
label.Text = NullDisplayText;
label.Visible = true;
}
}
if (!CrossSiteScriptingValidation.IsDangerousUrl(urlValue))
{
image.ImageUrl = urlValue;
}
image.AlternateText = altText;
}
else // edit/insert
{
if (!(boundControl is TextBox))
{
throw new HttpException(SR.GetString(SR.ImageField_WrongControlType, DataImageUrlField));
}
((TextBox)boundControl).Text = data.ToString();
((TextBox)boundControl).ToolTip = altText;
if (data != null)
{
// size down the textbox for certain types
if (data.GetType().IsPrimitive)
{
((TextBox)boundControl).Columns = 5;
}
}
}
}
public override bool ApplyChanges()
{
WebPart webPart = WebPartToEdit;
Debug.Assert(webPart != null);
if (webPart != null)
{
EnsureChildControls();
bool allowLayoutChange = webPart.Zone.AllowLayoutChange;
if (allowLayoutChange)
{
try {
webPart.AllowClose = _allowClose.Checked;
}
catch (Exception e) {
_allowCloseErrorMessage = CreateErrorMessage(e.Message);
}
}
try {
webPart.AllowConnect = _allowConnect.Checked;
}
catch (Exception e) {
_allowConnectErrorMessage = CreateErrorMessage(e.Message);
}
if (allowLayoutChange)
{
try {
webPart.AllowHide = _allowHide.Checked;
}
catch (Exception e) {
_allowHideErrorMessage = CreateErrorMessage(e.Message);
}
}
if (allowLayoutChange)
{
try {
webPart.AllowMinimize = _allowMinimize.Checked;
}
catch (Exception e) {
_allowMinimizeErrorMessage = CreateErrorMessage(e.Message);
}
}
if (allowLayoutChange)
{
try {
webPart.AllowZoneChange = _allowZoneChange.Checked;
}
catch (Exception e) {
_allowZoneChangeErrorMessage = CreateErrorMessage(e.Message);
}
}
try {
TypeConverter exportModeConverter = TypeDescriptor.GetConverter(typeof(WebPartExportMode));
webPart.ExportMode = (WebPartExportMode)exportModeConverter.ConvertFromString(_exportMode.SelectedValue);
}
catch (Exception e) {
_exportModeErrorMessage = CreateErrorMessage(e.Message);
}
try {
TypeConverter helpModeConverter = TypeDescriptor.GetConverter(typeof(WebPartHelpMode));
webPart.HelpMode = (WebPartHelpMode)helpModeConverter.ConvertFromString(_helpMode.SelectedValue);
}
catch (Exception e) {
_helpModeErrorMessage = CreateErrorMessage(e.Message);
}
try {
webPart.Description = _description.Text;
}
catch (Exception e) {
_descriptionErrorMessage = CreateErrorMessage(e.Message);
}
string value = _titleUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(value))
{
_titleUrlErrorMessage = SR.GetString(SR.EditorPart_ErrorBadUrl);
}
else
{
try {
webPart.TitleUrl = value;
}
catch (Exception e) {
_titleUrlErrorMessage = CreateErrorMessage(e.Message);
}
}
value = _titleIconImageUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(value))
{
_titleIconImageUrlErrorMessage = SR.GetString(SR.EditorPart_ErrorBadUrl);
}
else
{
try {
webPart.TitleIconImageUrl = value;
}
catch (Exception e) {
_titleIconImageUrlErrorMessage = CreateErrorMessage(e.Message);
}
}
value = _catalogIconImageUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(value))
{
_catalogIconImageUrlErrorMessage = SR.GetString(SR.EditorPart_ErrorBadUrl);
}
else
{
try {
webPart.CatalogIconImageUrl = value;
}
catch (Exception e) {
_catalogIconImageUrlErrorMessage = CreateErrorMessage(e.Message);
}
}
value = _helpUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(value))
{
_helpUrlErrorMessage = SR.GetString(SR.EditorPart_ErrorBadUrl);
}
else
{
try {
webPart.HelpUrl = value;
}
catch (Exception e) {
_helpUrlErrorMessage = CreateErrorMessage(e.Message);
}
}
try {
webPart.ImportErrorMessage = _importErrorMessage.Text;
}
catch (Exception e) {
_importErrorMessageErrorMessage = CreateErrorMessage(e.Message);
}
try {
webPart.AuthorizationFilter = _authorizationFilter.Text;
}
catch (Exception e) {
_authorizationFilterErrorMessage = CreateErrorMessage(e.Message);
}
try {
webPart.AllowEdit = _allowEdit.Checked;
}
catch (Exception e) {
_allowEditErrorMessage = CreateErrorMessage(e.Message);
}
}
return(!HasError);
}
private void OnDataBindField(object sender, EventArgs e)
{
HyperLink link = (HyperLink)sender;
Control namingContainer = link.NamingContainer;
object component = null;
if (namingContainer == null)
{
throw new HttpException(System.Web.SR.GetString("DataControlField_NoContainer"));
}
component = DataBinder.GetDataItem(namingContainer);
if ((component == null) && !base.DesignMode)
{
throw new HttpException(System.Web.SR.GetString("DataItem_Not_Found"));
}
if ((this.textFieldDesc == null) && (this.urlFieldDescs == null))
{
PropertyDescriptorCollection properties = TypeDescriptor.GetProperties(component);
string dataTextField = this.DataTextField;
if (dataTextField.Length != 0)
{
this.textFieldDesc = properties.Find(dataTextField, true);
if ((this.textFieldDesc == null) && !base.DesignMode)
{
throw new HttpException(System.Web.SR.GetString("Field_Not_Found", new object[] { dataTextField }));
}
}
string[] dataNavigateUrlFields = this.DataNavigateUrlFields;
int num = dataNavigateUrlFields.Length;
this.urlFieldDescs = new PropertyDescriptor[num];
for (int i = 0; i < num; i++)
{
dataTextField = dataNavigateUrlFields[i];
if (dataTextField.Length != 0)
{
this.urlFieldDescs[i] = properties.Find(dataTextField, true);
if ((this.urlFieldDescs[i] == null) && !base.DesignMode)
{
throw new HttpException(System.Web.SR.GetString("Field_Not_Found", new object[] { dataTextField }));
}
}
}
}
string str2 = string.Empty;
if ((this.textFieldDesc != null) && (component != null))
{
object dataTextValue = this.textFieldDesc.GetValue(component);
str2 = this.FormatDataTextValue(dataTextValue);
}
if ((base.DesignMode && (this.DataTextField.Length != 0)) && (str2.Length == 0))
{
str2 = System.Web.SR.GetString("Sample_Databound_Text");
}
if (str2.Length > 0)
{
link.Text = str2;
}
int length = this.urlFieldDescs.Length;
string str3 = string.Empty;
if (((this.urlFieldDescs != null) && (length > 0)) && (component != null))
{
object[] dataUrlValues = new object[length];
for (int j = 0; j < length; j++)
{
if (this.urlFieldDescs[j] != null)
{
dataUrlValues[j] = this.urlFieldDescs[j].GetValue(component);
}
}
string s = this.FormatDataNavigateUrlValue(dataUrlValues);
if (!CrossSiteScriptingValidation.IsDangerousUrl(s))
{
str3 = s;
}
}
if ((base.DesignMode && (this.DataNavigateUrlFields.Length != 0)) && (str3.Length == 0))
{
str3 = "url";
}
if (str3.Length > 0)
{
link.NavigateUrl = str3;
}
}
/// <devdoc>
/// </devdoc>
private void OnDataBindField(object sender, EventArgs e)
{
Debug.Assert((DataTextField.Length != 0) || (DataNavigateUrlFields.Length != 0),
"Shouldn't be DataBinding without a DataTextField and DataNavigateUrlField");
HyperLink boundControl = (HyperLink)sender;
Control controlContainer = boundControl.NamingContainer;
object dataItem = null;
if (controlContainer == null)
{
throw new HttpException(SR.GetString(SR.DataControlField_NoContainer));
}
// Get the DataItem from the container
dataItem = DataBinder.GetDataItem(controlContainer);
if (dataItem == null && !DesignMode)
{
throw new HttpException(SR.GetString(SR.DataItem_Not_Found));
}
if ((textFieldDesc == null) && (urlFieldDescs == null))
{
PropertyDescriptorCollection props = TypeDescriptor.GetProperties(dataItem);
string fieldName;
fieldName = DataTextField;
if (fieldName.Length != 0)
{
textFieldDesc = props.Find(fieldName, true);
if ((textFieldDesc == null) && !DesignMode)
{
throw new HttpException(SR.GetString(SR.Field_Not_Found, fieldName));
}
}
string[] dataNavigateUrlFields = DataNavigateUrlFields;
int dataNavigateUrlFieldsLength = dataNavigateUrlFields.Length;
urlFieldDescs = new PropertyDescriptor[dataNavigateUrlFieldsLength];
for (int i = 0; i < dataNavigateUrlFieldsLength; i++)
{
fieldName = dataNavigateUrlFields[i];
if (fieldName.Length != 0)
{
urlFieldDescs[i] = props.Find(fieldName, true);
if ((urlFieldDescs[i] == null) && !DesignMode)
{
throw new HttpException(SR.GetString(SR.Field_Not_Found, fieldName));
}
}
}
}
string dataTextValue = String.Empty;
if (textFieldDesc != null && dataItem != null)
{
object data = textFieldDesc.GetValue(dataItem);
dataTextValue = FormatDataTextValue(data);
}
if (DesignMode && (DataTextField.Length != 0) && dataTextValue.Length == 0)
{
dataTextValue = SR.GetString(SR.Sample_Databound_Text);
}
if (dataTextValue.Length > 0)
{
boundControl.Text = dataTextValue;
}
int urlFieldDescsLength = urlFieldDescs.Length;
string dataNavValue = String.Empty;
if (urlFieldDescs != null && urlFieldDescsLength > 0 && dataItem != null)
{
object[] data = new object[urlFieldDescsLength];
for (int i = 0; i < urlFieldDescsLength; i++)
{
if (urlFieldDescs[i] != null)
{
data[i] = urlFieldDescs[i].GetValue(dataItem);
}
}
string urlValue = FormatDataNavigateUrlValue(data);
if (!CrossSiteScriptingValidation.IsDangerousUrl(urlValue))
{
dataNavValue = urlValue;
}
}
if (DesignMode && (DataNavigateUrlFields.Length != 0) && dataNavValue.Length == 0)
{
dataNavValue = "url";
}
if (dataNavValue.Length > 0)
{
boundControl.NavigateUrl = dataNavValue;
}
}
protected virtual void OnDataBindField(object sender, EventArgs e)
{
Control control = (Control)sender;
Control namingContainer = control.NamingContainer;
string s = null;
string nullImageUrl = this.NullImageUrl;
string formattedAlternateText = this.GetFormattedAlternateText(namingContainer);
if (base.DesignMode && (control is TableCell))
{
if ((control.Controls.Count == 0) || !(control.Controls[0] is Image))
{
throw new HttpException(System.Web.SR.GetString("ImageField_WrongControlType", new object[] { this.DataImageUrlField }));
}
((Image)control.Controls[0]).Visible = false;
((TableCell)control).Text = this.GetDesignTimeValue();
}
else
{
object dataValue = this.GetValue(namingContainer, this.DataImageUrlField, ref this._imageFieldDesc);
s = this.FormatImageUrlValue(dataValue);
if (control is TableCell)
{
TableCell cell = (TableCell)control;
if (((cell.Controls.Count < 2) || !(cell.Controls[0] is Image)) || !(cell.Controls[1] is Label))
{
throw new HttpException(System.Web.SR.GetString("ImageField_WrongControlType", new object[] { this.DataImageUrlField }));
}
Image image = (Image)cell.Controls[0];
Label label = (Label)cell.Controls[1];
label.Visible = false;
if ((s == null) || (this.ConvertEmptyStringToNull && (s.Length == 0)))
{
if (nullImageUrl.Length > 0)
{
s = nullImageUrl;
}
else
{
image.Visible = false;
label.Text = this.NullDisplayText;
label.Visible = true;
}
}
if (!CrossSiteScriptingValidation.IsDangerousUrl(s))
{
image.ImageUrl = s;
}
image.AlternateText = formattedAlternateText;
}
else
{
if (!(control is TextBox))
{
throw new HttpException(System.Web.SR.GetString("ImageField_WrongControlType", new object[] { this.DataImageUrlField }));
}
((TextBox)control).Text = dataValue.ToString();
((TextBox)control).ToolTip = formattedAlternateText;
if ((dataValue != null) && dataValue.GetType().IsPrimitive)
{
((TextBox)control).Columns = 5;
}
}
}
}
public static string GeneratePassword(int length, int numberOfNonAlphanumericCharacters)
{
if (length < 1 || length > 128)
{
throw new ArgumentException(SR.GetString(SR.Membership_password_length_incorrect));
}
if (numberOfNonAlphanumericCharacters > length || numberOfNonAlphanumericCharacters < 0)
{
throw new ArgumentException(SR.GetString(SR.Membership_min_required_non_alphanumeric_characters_incorrect,
"numberOfNonAlphanumericCharacters"));
}
string password;
int index;
byte[] buf;
char[] cBuf;
int count;
do
{
buf = new byte[length];
cBuf = new char[length];
count = 0;
(new RNGCryptoServiceProvider()).GetBytes(buf);
for (int iter = 0; iter < length; iter++)
{
int i = (int)(buf[iter] % 87);
if (i < 10)
{
cBuf[iter] = (char)('0' + i);
}
else if (i < 36)
{
cBuf[iter] = (char)('A' + i - 10);
}
else if (i < 62)
{
cBuf[iter] = (char)('a' + i - 36);
}
else
{
cBuf[iter] = punctuations[i - 62];
count++;
}
}
if (count < numberOfNonAlphanumericCharacters)
{
int j, k;
Random rand = new Random();
for (j = 0; j < numberOfNonAlphanumericCharacters - count; j++)
{
do
{
k = rand.Next(0, length);
}while(!Char.IsLetterOrDigit(cBuf[k]));
cBuf[k] = punctuations[rand.Next(0, punctuations.Length)];
}
}
password = new string(cBuf);
}while(CrossSiteScriptingValidation.IsDangerousString(password, out index));
return(password);
}
private void CreateAvailableWebPartDescriptions()
{
if (this._availableWebPartDescriptions == null)
{
if ((base.WebPartManager == null) || string.IsNullOrEmpty(this._importedPartDescription))
{
this._availableWebPartDescriptions = new WebPartDescriptionCollection();
}
else
{
PermissionSet set = new PermissionSet(PermissionState.None);
set.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
set.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal));
set.PermitOnly();
bool flag = true;
string str = null;
string description = null;
string imageUrl = null;
try
{
try
{
using (StringReader reader = new StringReader(this._importedPartDescription))
{
using (XmlTextReader reader2 = new XmlTextReader(reader))
{
if (reader2 == null)
{
goto Label_02F7;
}
reader2.MoveToContent();
reader2.MoveToContent();
reader2.ReadStartElement("webParts");
reader2.ReadStartElement("webPart");
reader2.ReadStartElement("metaData");
string str4 = null;
string path = null;
while (reader2.Name != "type")
{
reader2.Skip();
if (reader2.EOF)
{
throw new EndOfStreamException();
}
}
if (reader2.Name == "type")
{
str4 = reader2.GetAttribute("name");
path = reader2.GetAttribute("src");
}
bool isShared = base.WebPartManager.Personalization.Scope == PersonalizationScope.Shared;
if (!string.IsNullOrEmpty(str4))
{
PermissionSet set2 = new PermissionSet(PermissionState.None);
set2.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
set2.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium));
CodeAccessPermission.RevertPermitOnly();
flag = false;
set2.PermitOnly();
flag = true;
Type type = WebPartUtil.DeserializeType(str4, true);
CodeAccessPermission.RevertPermitOnly();
flag = false;
set.PermitOnly();
flag = true;
if (!base.WebPartManager.IsAuthorized(type, null, null, isShared))
{
this._importErrorMessage = System.Web.SR.GetString("WebPartManager_ForbiddenType");
}
else
{
if (type.IsSubclassOf(typeof(WebPart)) || type.IsSubclassOf(typeof(Control)))
{
goto Label_02DD;
}
this._importErrorMessage = System.Web.SR.GetString("WebPartManager_TypeMustDeriveFromControl");
}
}
else
{
if (base.WebPartManager.IsAuthorized(typeof(UserControl), path, null, isShared))
{
goto Label_02DD;
}
this._importErrorMessage = System.Web.SR.GetString("WebPartManager_ForbiddenType");
}
return;
Label_021E:
reader2.Read();
Label_0226:
if (!reader2.EOF && ((reader2.NodeType != XmlNodeType.Element) || !(reader2.Name == "property")))
{
goto Label_021E;
}
if (reader2.EOF)
{
goto Label_02F7;
}
string attribute = reader2.GetAttribute("name");
if (attribute == "Title")
{
str = reader2.ReadElementString();
}
else if (attribute == "Description")
{
description = reader2.ReadElementString();
}
else if (attribute == "CatalogIconImageUrl")
{
string s = reader2.ReadElementString().Trim();
if (!CrossSiteScriptingValidation.IsDangerousUrl(s))
{
imageUrl = s;
}
}
else
{
reader2.Read();
goto Label_02DD;
}
if (((str != null) && (description != null)) && (imageUrl != null))
{
goto Label_02F7;
}
reader2.Read();
Label_02DD:
if (!reader2.EOF)
{
goto Label_0226;
}
}
Label_02F7:
if (string.IsNullOrEmpty(str))
{
str = System.Web.SR.GetString("Part_Untitled");
}
this._availableWebPartDescriptions = new WebPartDescriptionCollection(new WebPartDescription[] { new WebPartDescription("ImportedWebPart", str, description, imageUrl) });
}
}
catch (XmlException)
{
this._importErrorMessage = System.Web.SR.GetString("WebPartManager_ImportInvalidFormat");
}
catch
{
this._importErrorMessage = !string.IsNullOrEmpty(this._importErrorMessage) ? this._importErrorMessage : System.Web.SR.GetString("WebPart_DefaultImportErrorMessage");
}
finally
{
if (flag)
{
CodeAccessPermission.RevertPermitOnly();
}
}
}
catch
{
throw;
}
}
}
}
private void CreateAvailableWebPartDescriptions()
{
if (_availableWebPartDescriptions != null)
{
return;
}
if (WebPartManager == null || String.IsNullOrEmpty(_importedPartDescription))
{
_availableWebPartDescriptions = new WebPartDescriptionCollection();
return;
}
// Run in minimal trust
PermissionSet pset = new PermissionSet(PermissionState.None);
// add in whatever perms are appropriate
pset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
pset.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Minimal));
pset.PermitOnly();
bool permitOnly = true;
string title = null;
string description = null;
string icon = null;
// Extra try-catch block to prevent elevation of privilege attack via exception filter
try {
try {
// Get the WebPart description from its saved XML description.
using (StringReader sr = new StringReader(_importedPartDescription)) {
using (XmlReader reader = XmlUtils.CreateXmlReader(sr)) {
if (reader != null)
{
reader.MoveToContent();
// Check if imported part is authorized
// Get to the metadata
reader.MoveToContent();
reader.ReadStartElement(WebPartManager.ExportRootElement);
reader.ReadStartElement(WebPartManager.ExportPartElement);
reader.ReadStartElement(WebPartManager.ExportMetaDataElement);
// Get the type name
string partTypeName = null;
string userControlTypeName = null;
while (reader.Name != WebPartManager.ExportTypeElement)
{
reader.Skip();
if (reader.EOF)
{
throw new EndOfStreamException();
}
}
if (reader.Name == WebPartManager.ExportTypeElement)
{
partTypeName = reader.GetAttribute(WebPartManager.ExportTypeNameAttribute);
userControlTypeName = reader.GetAttribute(WebPartManager.ExportUserControlSrcAttribute);
}
// If we are in shared scope, we are importing a shared WebPart
bool isShared = (WebPartManager.Personalization.Scope == PersonalizationScope.Shared);
if (!String.IsNullOrEmpty(partTypeName))
{
// Need medium trust to call BuildManager.GetType()
PermissionSet mediumPset = new PermissionSet(PermissionState.None);
mediumPset.AddPermission(new SecurityPermission(SecurityPermissionFlag.Execution));
mediumPset.AddPermission(new AspNetHostingPermission(AspNetHostingPermissionLevel.Medium));
CodeAccessPermission.RevertPermitOnly();
permitOnly = false;
mediumPset.PermitOnly();
permitOnly = true;
Type partType = WebPartUtil.DeserializeType(partTypeName, true);
CodeAccessPermission.RevertPermitOnly();
permitOnly = false;
pset.PermitOnly();
permitOnly = true;
// First check if the type is authorized
if (!WebPartManager.IsAuthorized(partType, null, null, isShared))
{
_importErrorMessage = SR.GetString(SR.WebPartManager_ForbiddenType);
return;
}
// If the type is not a webpart, create a generic Web Part
if (!partType.IsSubclassOf(typeof(WebPart)) && !partType.IsSubclassOf(typeof(Control)))
{
// We only allow for Controls (VSWhidbey 428511)
_importErrorMessage = SR.GetString(SR.WebPartManager_TypeMustDeriveFromControl);
return;
}
}
else
{
// Check if the path is authorized
if (!WebPartManager.IsAuthorized(typeof(UserControl), userControlTypeName, null, isShared))
{
_importErrorMessage = SR.GetString(SR.WebPartManager_ForbiddenType);
return;
}
}
while (!reader.EOF)
{
while (!reader.EOF && !(reader.NodeType == XmlNodeType.Element &&
reader.Name == WebPartManager.ExportPropertyElement))
{
reader.Read();
}
if (reader.EOF)
{
break;
}
string name = reader.GetAttribute(WebPartManager.ExportPropertyNameAttribute);
if (name == TitlePropertyName)
{
title = reader.ReadElementString();
}
else if (name == DescriptionPropertyName)
{
description = reader.ReadElementString();
}
else if (name == IconPropertyName)
{
string url = reader.ReadElementString().Trim();
if (!CrossSiteScriptingValidation.IsDangerousUrl(url))
{
icon = url;
}
}
else
{
reader.Read();
continue;
}
if (title != null && description != null && icon != null)
{
break;
}
reader.Read();
}
}
}
if (String.IsNullOrEmpty(title))
{
title = SR.GetString(SR.Part_Untitled);
}
_availableWebPartDescriptions = new WebPartDescriptionCollection(
new WebPartDescription[] { new WebPartDescription(ImportedWebPartID, title, description, icon) });
}
}
catch (XmlException) {
_importErrorMessage = SR.GetString(SR.WebPartManager_ImportInvalidFormat);
return;
}
catch {
_importErrorMessage = (!String.IsNullOrEmpty(_importErrorMessage)) ?
_importErrorMessage :
SR.GetString(SR.WebPart_DefaultImportErrorMessage);
return;
}
finally {
if (permitOnly)
{
// revert if you're not just exiting the stack frame anyway
CodeAccessPermission.RevertPermitOnly();
}
}
}
catch {
throw;
}
}
public override bool ApplyChanges()
{
WebPart webPartToEdit = base.WebPartToEdit;
if (webPartToEdit != null)
{
this.EnsureChildControls();
bool allowLayoutChange = webPartToEdit.Zone.AllowLayoutChange;
if (allowLayoutChange)
{
try
{
webPartToEdit.AllowClose = this._allowClose.Checked;
}
catch (Exception exception)
{
this._allowCloseErrorMessage = base.CreateErrorMessage(exception.Message);
}
}
try
{
webPartToEdit.AllowConnect = this._allowConnect.Checked;
}
catch (Exception exception2)
{
this._allowConnectErrorMessage = base.CreateErrorMessage(exception2.Message);
}
if (allowLayoutChange)
{
try
{
webPartToEdit.AllowHide = this._allowHide.Checked;
}
catch (Exception exception3)
{
this._allowHideErrorMessage = base.CreateErrorMessage(exception3.Message);
}
}
if (allowLayoutChange)
{
try
{
webPartToEdit.AllowMinimize = this._allowMinimize.Checked;
}
catch (Exception exception4)
{
this._allowMinimizeErrorMessage = base.CreateErrorMessage(exception4.Message);
}
}
if (allowLayoutChange)
{
try
{
webPartToEdit.AllowZoneChange = this._allowZoneChange.Checked;
}
catch (Exception exception5)
{
this._allowZoneChangeErrorMessage = base.CreateErrorMessage(exception5.Message);
}
}
try
{
TypeConverter converter = TypeDescriptor.GetConverter(typeof(WebPartExportMode));
webPartToEdit.ExportMode = (WebPartExportMode)converter.ConvertFromString(this._exportMode.SelectedValue);
}
catch (Exception exception6)
{
this._exportModeErrorMessage = base.CreateErrorMessage(exception6.Message);
}
try
{
TypeConverter converter2 = TypeDescriptor.GetConverter(typeof(WebPartHelpMode));
webPartToEdit.HelpMode = (WebPartHelpMode)converter2.ConvertFromString(this._helpMode.SelectedValue);
}
catch (Exception exception7)
{
this._helpModeErrorMessage = base.CreateErrorMessage(exception7.Message);
}
try
{
webPartToEdit.Description = this._description.Text;
}
catch (Exception exception8)
{
this._descriptionErrorMessage = base.CreateErrorMessage(exception8.Message);
}
string text = this._titleUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(text))
{
this._titleUrlErrorMessage = System.Web.SR.GetString("EditorPart_ErrorBadUrl");
}
else
{
try
{
webPartToEdit.TitleUrl = text;
}
catch (Exception exception9)
{
this._titleUrlErrorMessage = base.CreateErrorMessage(exception9.Message);
}
}
text = this._titleIconImageUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(text))
{
this._titleIconImageUrlErrorMessage = System.Web.SR.GetString("EditorPart_ErrorBadUrl");
}
else
{
try
{
webPartToEdit.TitleIconImageUrl = text;
}
catch (Exception exception10)
{
this._titleIconImageUrlErrorMessage = base.CreateErrorMessage(exception10.Message);
}
}
text = this._catalogIconImageUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(text))
{
this._catalogIconImageUrlErrorMessage = System.Web.SR.GetString("EditorPart_ErrorBadUrl");
}
else
{
try
{
webPartToEdit.CatalogIconImageUrl = text;
}
catch (Exception exception11)
{
this._catalogIconImageUrlErrorMessage = base.CreateErrorMessage(exception11.Message);
}
}
text = this._helpUrl.Text;
if (CrossSiteScriptingValidation.IsDangerousUrl(text))
{
this._helpUrlErrorMessage = System.Web.SR.GetString("EditorPart_ErrorBadUrl");
}
else
{
try
{
webPartToEdit.HelpUrl = text;
}
catch (Exception exception12)
{
this._helpUrlErrorMessage = base.CreateErrorMessage(exception12.Message);
}
}
try
{
webPartToEdit.ImportErrorMessage = this._importErrorMessage.Text;
}
catch (Exception exception13)
{
this._importErrorMessageErrorMessage = base.CreateErrorMessage(exception13.Message);
}
try
{
webPartToEdit.AuthorizationFilter = this._authorizationFilter.Text;
}
catch (Exception exception14)
{
this._authorizationFilterErrorMessage = base.CreateErrorMessage(exception14.Message);
}
try
{
webPartToEdit.AllowEdit = this._allowEdit.Checked;
}
catch (Exception exception15)
{
this._allowEditErrorMessage = base.CreateErrorMessage(exception15.Message);
}
}
return(!this.HasError);
}
