using RunXc.Web;
using RunXc.DB;


RunXc


Where the DB meets the Web

Forcing a GridView to use clean html for use with jQuery plug-ins

June 15, 2009 06:50 by author

One of the problems with using a GridView with many of the table plug-ins for jQuery, or any other JavaScript table library, is that the library expects your HTML to be well formed, with the table headers inside a thead. Example below.

<table>
	<thead>
		<tr><th>Header</th></tr>
	</thead>
	<tbody>
		<tr><td>Data</td></tr>
	</tbody>
</table>


The problem is that a GridView does not format the table this way: by default every row is rendered as a direct child of the table, with no thead or tbody sections. Below is a simple extension method used to clean up after your GridView so that it outputs clean HTML for use with JavaScript table frameworks.

GridView Extension method for clean html output


using System.Web.UI.WebControls;

// Extension methods must be declared in a static, non-nested class.
public static class GridViewExtensions
{
    public static void FixThead(this GridView grid)
    {
        // Only a data bound grid has a HeaderRow to move.
        if (grid.Rows.Count > 0)
        {
            // Renders the header cells as <th scope="col"> instead of <td>
            grid.UseAccessibleHeader = true;
            // Puts the header row inside <thead>, leaving the data rows in <tbody>
            grid.HeaderRow.TableSection = TableRowSection.TableHeader;
        }
    }
}

Call it after the grid has been data bound (for example from the page's PreRender event), since HeaderRow is null until then. There you have it, it is as easy as that.



XSS by Example (Cross Site Scripting)

May 22, 2009 06:50 by author

So lately I have been reading "ASP.NET MVC Pro", and when I read the chapter about security (written by Rob Conery) I was intrigued by the XSS examples in the book and thought to myself that I should give XSS a try.

Wikipedia has the following excerpt about cross-site scripting:

"The term "cross-site scripting" originated from the fact that a malicious web site could load another web site into another frame or window, then use JavaScript to read/write data on the other web site. Over time the definition changed to mean the injection of HTML/JavaScript into a web page, which may be confusing because the name is no longer an accurate description of the current definition."

Now I am not a malicious person so I didn't have any desire to inject JavaScript into some existing site but I was a bit curious as to how easy it is to manipulate one website via JavaScript from another web site.   As I like to use DotNetKicks (I also check DotNetShoutOut but was on DotNetKicks when the idea came to me) I decided to see just how easy it would be to Kick my story from my own website rather than having a user leave my site to go to DotNetKicks to kick my story.

Step 1 Inspect the Request and Response.

So the first step would be to see what the site expected when a story was kicked. As I was already at DotNetKicks I read a couple of stories, found one that I liked and kicked it. Inspecting the response with FireBug I saw the following.

[Screenshot: dnkParams]

And for the Headers I saw the following

[Screenshot: dnkHeaders]

Looking at the headers and the POST values it is very evident that they are using an Ajax request with a response type of JSON. As they are using Ajax it is very easy to see what JavaScript they are using to create the request.

[Screenshot: dnkArgsDef]

Now if you look at the headers the "Referer" does have me a bit worried as they might be able to see where the request is coming from but hey I would really like a lot of Kicks so I decided to press on with my quest.

Step 2 Writing some JavaScript to see if it works.

Trial 1

I first decided to see if I could just make an Ajax POST request passing in the same variables. The following is the write-up in its simplest form.

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>

    <script type="text/javascript" 
    src="http://ajax.googleapis.com/ajax/libs/jquery/1.3.2/jquery.min.js"></script>
    <script type="text/javascript">
        $.post('http://dotnetkicks.com/services/ajax/ajaxservices.ashx',
             { id: 1, method: 'kickStory', params: [41965, true] },
              function(response) { alert(response); },'json');
    </script>
</head>
<body>
    <form id="form1" runat="server">
    <div>
   
    </div>
    </form>
</body>
</html>


Okay, so what was the response? Well, it turns out that Firefox and other browsers see this request to a different domain, namely dotnetkicks.com, as a security threat and issue the following warning.

Access to restricted URI denied (NS_ERROR_DOM_BAD_URI)


Okay, so that doesn't work. What about loading dotnetkicks in an iframe on the page (I could use some CSS to hide it or something)?

Trial 2

Here is an iframe example in its simplest form.

<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title></title>
</head>
<body onload="javascript:kick();">
    <form id="form1" runat="server">
    <div>
    <iframe id="dnk" name="dnk" src="http://www.dotnetkicks.com" ></iframe>
    </div>
    </form>
     <script type="text/javascript">
         function kick() {
             var dnk = window.frames.dnk;
             dnk.KickIt(41977, true);
         }
    </script>
</body>
</html>


Okay, so I thought this time it might work a little better, but once again I got a security warning in Firefox and IE.

Permission denied to get property Window.KickIt


Once again the error is due to the fact that the iframe does not share the same domain. After some more testing, the only cross-site request that I was able to perform was a GET request with a data type of JSONP using jQuery.

Moral of the story

XSS is not as easy as it sounds; that, and you should always differentiate between a GET and a POST request.
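The distinction the moral draws is the one that matters on the server. Both failures above are the browser's same-origin policy at work: a page on one origin may neither read the response of a cross-origin XMLHttpRequest nor touch the window of a cross-origin frame. The one thing that did work, a JSONP GET, works because a script tag is allowed to load from any origin, so any state-changing action that is reachable by a plain GET can be fired from a foreign page. The following is an added example, not code from this post or from DotNetKicks, of how a service like the kickStory endpoint can refuse such requests: it honours the action only over POST, and only with a per-session anti-forgery token that the site's own page embeds in its markup and a page on another origin cannot read. KickRequest, AjaxGuard, the session key and the sample requests are all constructed for the example; an ASP.NET handler would take the same values from HttpRequest.

```csharp
using System;
using System.Collections.Generic;
using System.Security.Cryptography;

// Hypothetical shape of an incoming ajax call; a real handler would fill this
// from HttpRequest.HttpMethod, Headers["Referer"], Form[...] and Session.
public sealed class KickRequest
{
    public string Method { get; set; }                      // "GET" or "POST"
    public string Referer { get; set; }                     // Referer header, may be null
    public string FormToken { get; set; }                   // token posted with the form, may be null
    public Dictionary<string, string> Session { get; set; } // stand-in for the server-side session
}

public static class AjaxGuard
{
    public const string TokenKey = "__AntiForgeryToken";    // assumed session key

    // Issue one random token per session; the site's own page embeds it in its
    // markup, where a page on another origin cannot read it (same-origin policy).
    public static string IssueToken(Dictionary<string, string> session)
    {
        string token;
        if (!session.TryGetValue(TokenKey, out token))
        {
            var bytes = new byte[32];
            using (var rng = RandomNumberGenerator.Create())
            {
                rng.GetBytes(bytes);
            }
            token = Convert.ToBase64String(bytes);
            session[TokenKey] = token;
        }
        return token;
    }

    // Returns null when the request may proceed, otherwise the reason it was refused.
    public static string Refuse(KickRequest req, string ownHost)
    {
        // A <script src="..."> tag can only issue a GET, so a state change that is
        // reachable over GET is reachable from any page; POST is the first gate.
        if (!string.Equals(req.Method, "POST", StringComparison.OrdinalIgnoreCase))
            return "state-changing call must use POST";

        string expected;
        if (req.Session == null || !req.Session.TryGetValue(TokenKey, out expected))
            return "no token issued for this session";

        if (req.FormToken == null || !FixedTimeEquals(req.FormToken, expected))
            return "missing or wrong anti-forgery token";

        // Referer is advisory: browsers and proxies strip it often enough that its
        // absence is not an error, but a header naming another host is refused.
        if (req.Referer != null)
        {
            Uri uri;
            if (!Uri.TryCreate(req.Referer, UriKind.Absolute, out uri)
                || !string.Equals(uri.Host, ownHost, StringComparison.OrdinalIgnoreCase))
                return "referer does not match " + ownHost;
        }
        return null;
    }

    // Constant-time comparison so timing does not reveal how much of the token matched.
    private static bool FixedTimeEquals(string a, string b)
    {
        if (a.Length != b.Length) return false;
        int diff = 0;
        for (int i = 0; i < a.Length; i++) diff |= a[i] ^ b[i];
        return diff == 0;
    }

    public static void Main()
    {
        var session = new Dictionary<string, string>();
        string token = IssueToken(session);

        // Constructed sample requests: a JSONP-style GET from another site, a POST
        // that lacks the token, and a legitimate POST from the site's own page.
        var samples = new[]
        {
            new KickRequest { Method = "GET",  Referer = "http://other.example/", Session = session },
            new KickRequest { Method = "POST", Referer = "http://other.example/", Session = session },
            new KickRequest { Method = "POST", Referer = "http://www.example.com/kick", FormToken = token, Session = session }
        };
        foreach (var r in samples)
            Console.WriteLine(r.Method + " -> " + (Refuse(r, "www.example.com") ?? "accepted"));
    }
}
```

The token, not the Referer header the post worried about, carries the decision: the header can legitimately be missing, whereas a token that only the site's own markup contains cannot be supplied by a page the same-origin policy keeps out.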

Feedback

If you know how I could have gotten it to work, shoot me an email or leave a comment and I will give it a try and update the post.



Using jQuery to add values to a DropDownList and overcoming ASP.NET

April 27, 2009 20:20 by author

OK, so here is the scenario: you have a data bound control, a plain old vanilla DropDownList that is bound to a DataReader. What you need to do is add values to the drop down list from JavaScript and then retrieve the new value in the code behind after the user submits the form.

Part 1- jQuery Goodness

Adding the item to the DropDownList (now we are on the HTML side, so we need to think in terms of HTML, namely the <select> tag) is the easy part.

ASPX markup

<label>My Drop Down List</label>
<asp:DropDownList runat="server" ID="ddlMyDropDown" CssClass="ddlMyDropDown" ></asp:DropDownList>
<br />
<br />
<input type="text" id="addToDropDown" class="addToDropDown" />


jQuery code that will add the value from the text box to the drop down and select the newly added value:

// first lets un-select any items that have been selected
$("select.ddlMyDropDown option:selected").removeAttr("selected");
var addvalue = $("#addToDropDown").val();
// build the <option> with jQuery instead of string concatenation, so a value
// containing quotes or angle brackets can neither break nor inject into the markup
$("<option></option>").attr("value", addvalue).text(addvalue)
    .attr("selected", "selected").prependTo("select.ddlMyDropDown");

As a note, you will notice that I am using the class to select the DropDownList (I mean the HTML select). I am doing this because I am assuming that you are going to use a MasterPage, which is an INamingContainer that will mess with your ids. (This is one of the reasons that jQuery rocks: if you know your CSS 3 selectors you will be able to select virtually anything on the page with jQuery and manipulate it as needed.)

ASP.NET Tweaks

Ok, so now on the server side this is where it gets a bit tricky. You first need to disable Event Validation, which is a "feature" of .NET 2.0+: whenever you use databinding with a DropDownList, all the values are added to ViewState so that ASP.NET knows what values are valid in the drop down list and can reject any other value on postback.

<!-- web.config -->
<system.web>
  <pages enableEventValidation="false" />
</system.web>

The next gotcha is the same as before, only different. By disabling Event Validation we no longer get an error screen at the time of the postback, but we still can't retrieve the value via the SelectedValue property of the control. Instead we need to grab the value from the Form.

// ddlMyDropDown.SelectedValue won't work: the new item is not in the control's Items collection
string selected = Request.Form[ddlMyDropDown.UniqueID];

You probably know this, but just as a reminder: the "UniqueID" of a control in the HTML world is the "name" attribute and the ClientID is the "id" attribute. When retrieving values from the Form you need to use the name of the HTML element, hence why we used the UniqueID.
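Turning off Event Validation removes the check that made a posted DropDownList value trustworthy, so whatever arrives in Request.Form[ddlMyDropDown.UniqueID] is arbitrary client input and has to be validated by hand before it is saved or rendered back to the page. Disabling it in web.config also switches it off for every page of the site; the EnableEventValidation="false" attribute on the @Page directive limits the change to the one page that needs it. The following is an added example, not part of this post, of reading and validating the posted value. PostedValue, the accepted pattern and the sample form are constructed for the example; NameValueCollection is the type of Request.Form, so Read drops straight into a code-behind.

```csharp
using System;
using System.Collections.Specialized;
using System.Text.RegularExpressions;

public static class PostedValue
{
    // Accept only what the text box was meant to hold: a short, printable label.
    // The pattern is an assumption for the example; tighten it to the real data.
    private static readonly Regex Allowed =
        new Regex(@"^[A-Za-z0-9 _\-\.]{1,50}$", RegexOptions.CultureInvariant);

    // Reads the value posted under the control's UniqueID (its html "name") and
    // returns it trimmed when it passes, or null when it should be rejected.
    public static string Read(NameValueCollection form, string uniqueId)
    {
        string[] values = form.GetValues(uniqueId);
        if (values == null) return null;
        // A tampered form can post several values under one name; Request.Form
        // would join them with commas, so insist on exactly one.
        if (values.Length != 1) return null;
        string value = values[0].Trim();
        return Allowed.IsMatch(value) ? value : null;
    }

    public static void Main()
    {
        // The name ASP.NET gives a control inside a MasterPage content placeholder
        // (constructed sample; in a code-behind use ddlMyDropDown.UniqueID).
        const string uniqueId = "ctl00$MainContent$ddlMyDropDown";

        var samples = new[]
        {
            "Option 1",               // one of the bound items
            "New value",              // an item the jQuery code added client-side
            "<b>markup</b>",          // angle brackets: rejected before it can be rendered
            new string('x', 200)      // oversize: rejected
        };
        foreach (var s in samples)
        {
            var form = new NameValueCollection { { uniqueId, s } };
            string shown = s.Length > 24 ? s.Substring(0, 21) + "..." : s;
            Console.WriteLine(shown + " -> " + (Read(form, uniqueId) ?? "rejected"));
        }
    }
}
```

Rejecting a value is not the end of the story: the page should then re-bind the list from its data source rather than echo the bad input, and whatever passes should still be HTML-encoded when it is written back into the page.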



Blog.RunXc

View Bret Ferrier's profile on LinkedIn
