Thursday, January 20, 2005

asp.net form submission hijack

I am not sure if anybody in the world is handling this behaviour. To explain the requested behaviour, I am using a simplified scenario: there is a web form which accepts an employee number, employee name and age. The employee age is validated for range, and in the code-behind the employee number is checked against the database; if it is not present, an error message is shown to the user using a Label control.

In one scenario, the user enters a valid age and an employee number which is not present in the DB, so the page is processed and the label is set with the error message "employee not in db". Now if he enters a valid employee number and an invalid age (outside the range) and tabs out, since the age is out of range both the client-side range validator error and the server-side error message are displayed. I was told that the user is confused, as he knows the employee number is correct but the page displays a contradicting message {my first thought was "Oh yeah... so..."}, and I was asked to remove the message before the form is submitted.

Initially I thought of hijacking the ASP.NET form submission {for those who would like to see how it's done, I have included the script}, but wrote a client script to clear the label and registered it using Page.RegisterOnSubmitStatement. Since that is fired only when the form is submitted, the on-blur of the age control doesn't invoke the script. I didn't have a clue whether I could wire client events, and when I found the option, I wrote a script to clear the server message.

//Wire the method to events (attachEvent/detachEvent and window.event are Internet Explorer APIs)
document.body.attachEvent('onkeydown',ClearServerMessage);
document.body.attachEvent('onmousedown',ClearServerMessage);

// Will hold the Label control client id
var strHTMLElementForServerSideMessage;
function ClearServerMessage(e){
   //get the ServerSideMessage HTML element
   var strHTMLElement = document.getElementById(strHTMLElementForServerSideMessage);

   //Clear only when the user does something with validation control elements, such as textboxes,..
   if((window.event.srcElement.tagName == "INPUT")
      || (window.event.srcElement.tagName == "SELECT")
      || (window.event.srcElement.tagName == "A") )
   {
      //Check if not null and element of type SPAN, then clear off message
      if( (strHTMLElement != null) && (strHTMLElement.nodeName == 'SPAN') )
      {
         strHTMLElement.innerHTML = "";
      }
      //UnWire the method from events, so it won't be fired again
      document.body.detachEvent('onkeydown',ClearServerMessage);
      document.body.detachEvent('onmousedown',ClearServerMessage);
   }
}

//code behind
string szClrScript = "<script language=JavaScript>strHTMLElementForServerSideMessage=\"" + LabelServerMessage.ClientID + "\";</script>";
//Register once; the key checked here must match the key used to register the block
if(!Page.IsClientScriptBlockRegistered("szClrScript"))
   Page.RegisterClientScriptBlock("szClrScript", szClrScript);


The fun part, the form submission hijack script:

<script language="javascript">

// save the original function pointer of the .NET __doPostBack function in a global variable netPostBack
var netPostBack = __doPostBack;

// replace __doPostBack with your own function
__doPostBack = EscapeHtml;

function EscapeHtml (eventTarget, eventArgument)
{
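// execute your own code before the page is submitted
// (the " + HtmlText.ClientID + " parts are C# string concatenation: the script is built as a string
// in code behind, so the rendered page contains the text box's client id at those positions)
document.all." + HtmlText.ClientID + ".value = escape(document.all." + HtmlText.ClientID + ".value);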
// call base functionality
return netPostBack (eventTarget, eventArgument);
}

</script>
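
The same save/replace/call-through pattern, written as an added example (not code from the original post) with a guard so that registering the hook twice does not escape the field twice. The names installPostBackHook, fakeWindow and field are assumptions, and the browser objects are constructed stand-ins so the script runs outside a page.

```javascript
// Added example: wraps __doPostBack once, runs a hook, then calls the original.
// installPostBackHook and the isHooked marker are hypothetical names, not ASP.NET APIs.
function installPostBackHook(scope, beforeSubmit) {
  var original = scope.__doPostBack;
  if (typeof original !== 'function') {
    throw new Error('__doPostBack is not defined on this page');
  }
  // Guard: if the wrapper is already installed, do not wrap the wrapper,
  // otherwise beforeSubmit would run twice per postback (double escaping).
  if (original.isHooked) {
    return original;
  }
  function hooked(eventTarget, eventArgument) {
    beforeSubmit(eventTarget, eventArgument);                        // your own code first
    return original.call(scope, eventTarget, eventArgument);         // then base functionality
  }
  hooked.isHooked = true;
  scope.__doPostBack = hooked;
  return hooked;
}

// Constructed stand-ins for the browser: a fake window and a fake text field.
function demo() {
  var field = { value: '<b>hi & bye</b>' };
  var submitted = [];
  var fakeWindow = {
    __doPostBack: function (target, arg) {
      // Records what the form would carry at the moment of submission.
      submitted.push({ target: target, arg: arg, value: field.value });
      return 'posted';
    }
  };
  function encodeField() { field.value = escape(field.value); }

  installPostBackHook(fakeWindow, encodeField);
  installPostBackHook(fakeWindow, encodeField); // second registration is a no-op
  var result = fakeWindow.__doPostBack('btnSave', '');
  return { result: result, submitted: submitted };
}

console.log(JSON.stringify(demo()));
```

Because the encoding runs in the browser, the server still has to decode the field and treat its contents as untrusted input.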
