I’ve been using tabbed browsing in IE with Maxthon for a while now – level 000

This doesn’t concern .Net except that the browser is the client for ASP.NET.  Some praise Firefox and other browsers for tabbed browsing, and I think that this is a feature that shouldn’t be lacking from IE. 

I’ve been using Maxthon (used to be MyIE2), and I am very satisfied.  It is a wrapper for IE, and it keeps instances of IE in a tabbed application.  I develop ASP.NET applications with Maxthon, and there is no difference because it uses the IE engine. 

Along the browser lines, if we (ASP.NET developers) developed pages using the XHTML standard with CSS, then we wouldn’t have so many cross-browser issues.  Standards for the web are well-established now, so we need to adhere to them so that browser choice doesn’t matter. 

How many people still don’t use a DOCTYPE in their pages?

DO NOT implement web security with your UI – level 100

I mark this post as 100 because this is basic knowledge that every developer should know.  I’m maintaining a semi-legacy ASP web application, and so many pages implement security through the UI.  For instance, if a user isn’t allowed to update data, then a "disabled" attribute is added to the <input type="submit">.  That’s it!  That’s all they do to protect their data.  So, how do you get around this?  You save the HTML, remove the attribute, and repost; or you run some script in the browser to remove the disabled attribute; or you just create your own HTTP request with any tool that can send a POST.  The page that actually does the update does NO validation, NO checks.  It just assumes that the request is coming from the previous page unchanged, and it blindly updates data.

There is no easy fix for a site that is developed like this.  You really have to recode all the areas that modify data.  Some people might suggest checking the HTTP_REFERER server variable, but I whipped up a sample to show how easy it is to spoof it: the Referer is just an HTTP request header that the client chooses to send, and it isn’t even a required header in the HTTP specification, so that’s out the window as a “real” solution.  The only solution is to code it correctly.  Check the user’s credentials and permissions on the server, in the page that performs the update, before allowing the update.
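To make the point concrete, here is an added example (it is not code from the legacy application in the post) that models the three handlers discussed above: the UI-only "protection", the Referer check, and a handler that authorizes on the server.  Requests are constructed in-process so nothing touches the network, and the PERMISSIONS table, the handler names and the URL are illustrative assumptions.

```python
# Added example (not the post's code): the UI-only "protection" the post
# describes, a Referer check, and the server-side authorization that
# actually works. Requests are constructed in-process; nothing touches
# the network. PERMISSIONS, the update_* handlers and the URL are
# illustrative assumptions, not from the original application.
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Request:
    method: str
    form: dict
    headers: dict = field(default_factory=dict)
    user: Optional[str] = None  # identity from the session, never from the form


# Hypothetical permission table: which users may update the orders table.
PERMISSIONS = {"alice": {"orders:update"}, "bob": set()}


def can_update(user: Optional[str]) -> bool:
    return "orders:update" in PERMISSIONS.get(user, set())


def render_form(user: Optional[str]) -> str:
    """What the legacy app does: disable the button when the user may not update.
    The attribute is only a rendering hint; whoever owns the browser can remove it."""
    disabled = "" if can_update(user) else " disabled"
    return f'<form method="post" action="/update"><input type="submit"{disabled}></form>'


def update_ui_only(req: Request, db: dict) -> int:
    """Vulnerable: assumes the request came from the rendered form unchanged."""
    db[req.form["id"]] = req.form["value"]
    return 200


def update_referer(req: Request, db: dict) -> int:
    """Still vulnerable: the client chooses the Referer header, so it proves nothing."""
    if req.headers.get("Referer") != "https://example.test/orders":
        return 403
    db[req.form["id"]] = req.form["value"]
    return 200


def update_hardened(req: Request, db: dict) -> int:
    """Correct: authorize on the server from the session identity, on every request."""
    if req.method != "POST":
        return 405
    if req.user is None:
        return 401
    if not can_update(req.user):
        return 403
    db[req.form["id"]] = req.form["value"]
    return 200


def demo() -> dict:
    """bob's form is rendered disabled, but he crafts the POST himself (a script,
    an edited copy of the HTML, or a raw request) and sets any Referer he likes."""
    forged = Request("POST", {"id": "42", "value": "shipped"},
                     headers={"Referer": "https://example.test/orders"}, user="bob")
    results = {"form_disabled": "disabled" in render_form("bob")}
    db = {"42": "pending"}
    results["ui_only"] = (update_ui_only(forged, db), db["42"])
    db = {"42": "pending"}
    results["referer"] = (update_referer(forged, db), db["42"])
    db = {"42": "pending"}
    results["hardened"] = (update_hardened(forged, db), db["42"])
    db = {"42": "pending"}
    legit = Request("POST", {"id": "42", "value": "shipped"}, user="alice")
    results["hardened_alice"] = (update_hardened(legit, db), db["42"])
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(name, outcome)
```

The forged request succeeds against both the UI-only handler and the Referer check because everything in the request, headers included, is under the client’s control; only the identity established by the server’s own session mechanism, checked against a server-side permission table, holds up.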

I wonder how many applications out there have this security hole.

It’s common knowledge that .Text has this “feature”.  The comments feature is UI only.  If it’s turned off, the comment form isn’t displayed, but if you just post a comment directly, the web interface will accept it and not display it.  That comment will still be downloaded with the RSS feed, though.  I’ve already informed Scott W. about this, so he knows I’m not knocking him.

I think this is very common of web applications, and we need to do a better job of writing secure code.

Abstracting from ASP.NET pages – level 300

Some of the common things we do in ASP.NET v1.1 are set explicitly in our .aspx pages as configuration information.  We set the title, the template we are using, the theme (maybe a CSS file), the navigation (links), the roles that are allowed access to our page, maybe some custom information for that page, and then think of whatever other information you “hard-code” in your page.  To abstract this away and make my pages more configurable without changing code, I’ve developed an interface that my base page class implements.  The definition of the interface is as follows:

 using System.Collections.Specialized;

 public interface IPageConfig
 {
   // arbitrary per-page values from the configuration, looked up by key
   string this[string sKey] { get; set; }
   string Title { get; set; }
   string VirtualPath { get; set; }
   string Template { get; set; }
   string Theme { get; set; }
   // roles that are allowed access to the page
   string[] Roles { get; set; }

   // position of the page in the site tree
   bool IsRoot { get; }
   IPageConfig Parent { get; }
   IPageConfig[] Siblings { get; }
   IPageConfig[] Children { get; }
   string[] ChildrenNames { get; set; }

   NameValueCollection Attributes { get; }
   // NavigationUrlCollection is a custom collection type of my own (not shown here)
   NavigationUrlCollection Navigation { get; }
 }

Then I implemented a custom object to read this information from my web.config file.  In the properties that implement this interface, my base page calls this helper object to retrieve the configuration items from web.config: title, template, theme, etc.  It is really powerful and gives me more control over my site through my configuration file instead of a lot of repetitive code changes.

You don’t have to use web.config right away to implement this interface; just implement it in your base page and make the properties return the values you want to use for that page.  This allows for abstraction later on when you find you need it, and if you find you don’t, you still have standardized locations for setting those values for each page.
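As an added illustration of the pattern (not the post’s code, which is C# and reads web.config through a custom helper), here is the same idea sketched in Python so it runs stand-alone: a web.config-style section is parsed once into a tree of page configs exposing the members of IPageConfig, with template and theme inherited down the tree and the Roles entry checked on the server.  The section’s element and attribute names, PageConfig, load_pages and authorize are all assumptions made for this example.

```python
# Added example, not the post's code. The post's implementation is C# and reads
# web.config; this is the same pattern sketched in Python so it runs stand-alone.
# The <pages> section below is constructed for the example, and its element and
# attribute names, PageConfig, load_pages and authorize are all assumptions.
import xml.etree.ElementTree as ET
from typing import Dict, List, Optional, Set, Tuple

CONFIG_XML = """
<configuration>
  <pages template="Site.master" theme="default">
    <page name="home" path="/Default.aspx" title="Home">
      <page name="orders" path="/Orders/List.aspx" title="Orders" roles="sales,admin">
        <page name="edit" path="/Orders/Edit.aspx" title="Edit order" roles="admin"
              template="Popup.master">
          <attribute name="audit" value="true"/>
        </page>
      </page>
      <page name="about" path="/About.aspx" title="About"/>
    </page>
  </pages>
</configuration>
"""


class PageConfig:
    """One node of the site tree, exposing the members of IPageConfig."""

    def __init__(self, el: ET.Element, parent: Optional["PageConfig"], defaults: Dict[str, str]):
        self.parent = parent
        self.name = el.get("name", "")
        self.virtual_path = el.get("path", "")
        self.title = el.get("title", "")
        # Template and theme: the page's own value, else the parent's, else the <pages> default.
        self.template = el.get("template") or (parent.template if parent else defaults["template"])
        self.theme = el.get("theme") or (parent.theme if parent else defaults["theme"])
        # Roles: a page without its own roles attribute inherits its parent's;
        # an empty list means the page is open to everyone.
        roles_attr = el.get("roles")
        if roles_attr is None:
            self.roles: List[str] = list(parent.roles) if parent else []
        else:
            self.roles = [r.strip() for r in roles_attr.split(",") if r.strip()]
        self.attributes = {a.get("name", ""): a.get("value", "") for a in el.findall("attribute")}
        self.children = [PageConfig(c, self, defaults) for c in el.findall("page")]

    def __getitem__(self, key: str) -> str:  # the string indexer of the interface
        return self.attributes[key]

    @property
    def is_root(self) -> bool:
        return self.parent is None

    @property
    def siblings(self) -> List["PageConfig"]:
        return [] if self.parent is None else [c for c in self.parent.children if c is not self]

    @property
    def children_names(self) -> List[str]:
        return [c.name for c in self.children]

    @property
    def navigation(self) -> List[Tuple[str, str]]:
        """Breadcrumb from the root to this page (an assumption about what the
        author's NavigationUrlCollection holds)."""
        chain = []
        node: Optional[PageConfig] = self
        while node is not None:
            chain.append((node.title, node.virtual_path))
            node = node.parent
        return list(reversed(chain))


def load_pages(xml: str) -> Dict[str, PageConfig]:
    """Parse the section once (at application start) and index pages by virtual path."""
    pages_el = ET.fromstring(xml).find("pages")
    defaults = {"template": pages_el.get("template", ""), "theme": pages_el.get("theme", "")}
    root = PageConfig(pages_el.find("page"), None, defaults)
    index: Dict[str, PageConfig] = {}
    stack = [root]
    while stack:
        node = stack.pop()
        index[node.virtual_path] = node
        stack.extend(node.children)
    return index


def authorize(page: PageConfig, user_roles: Set[str]) -> bool:
    """What the base page should do during its init on every request,
    whether or not a navigation link to the page was ever rendered."""
    return not page.roles or bool(set(page.roles) & user_roles)


if __name__ == "__main__":
    site = load_pages(CONFIG_XML)
    edit = site["/Orders/Edit.aspx"]
    print(edit.title, edit.template, edit.roles, edit.navigation)
    print("sales may edit:", authorize(edit, {"sales"}))
```

Because the Roles entry lives in configuration next to the page’s title and template, the base page can enforce it in one place for every page, and hiding a link in the navigation is never mistaken for access control.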

I’ve learned something the hard way with .Net:  “Always code to interfaces.”

Philosophies for developing, using, and trusting software – level 200

I worked the election in my county yesterday, and something that came to my mind was the computerized voting machines.  These voting machines run software, and this software is in charge of keeping track of votes.  This job is very important, and if the code has bugs, it could lose track of votes.  My precinct uses bubble-in ballots, so there is NO doubt what the vote is.  We see the selections on the paper.  Some of these voting machines take in data and then report on it.  We just have to TRUST that the report is accurate.  Because of that, we have to TRUST that the software has no major bugs, and that is TRUSTING the developer who wrote the software.  These machines perform such an important job that I believe we shouldn’t just TRUST the software. 

This situation resonates with me in normal software development.  Sometimes when a user has a problem, my response includes something like “just do this, and the software will do this and that and then show you the result.”  I just EXPECT that the user will trust the software, but some users aren’t comfortable with that, and I know that if I don’t know how some software works internally, I’m skeptical about it.  Going forward, I’m going to make an effort to provide more detail to the user about what the software is doing. 

Logging is another issue.  If I have code that does a series of things and then spits out a result, but it doesn’t log intermediate data, how do I find where I went wrong if the result is wrong?  Same with voting machines.  If they spit out a completed paper ballot after every voter, this paper trail would ensure that no malfunction ever lost votes.

You mean my web app has to support characters other than English?!? – level 300

The time will come when some text or some data will need to contain foreign characters.  For me, this means Japanese Kanji text for a global application under development.  I need to use the following text: ??????????????. You are seeing question marks because .Text doesn’t support these characters in all places.

ASP.NET is Unicode-based, so a lot of the work is done for me, but in order to work with this text, I have to make some changes to my development workstation and (potentially) the database.  First, I looked at the database, and the database was developed with a forward-thinking method: all character fields are nchar or nvarchar, so SQL Server 2000 will be able to store all Unicode characters without anything special.  I also had to check to make sure my stored procedures all used nvarchar and that no strings were ever converted to another code page.  I was pleased to find the database in order, and I could store and retrieve this text.  With .Net, I was able to whip up a web app, and it just worked, but when looking at our existing application written with ASP & VB6 COM+, I found that it didn’t “just work”.  I separated the parts and discovered that I could call the COM+ pieces to store and retrieve this data, so the large part was taken care of.  Thank God VB6 supports Unicode.  Of course, all that is happening is the transport of character codes.

The problem came with ASP making the call to COM+ and getting the information back correctly, but then writing it to the page garbled.  After a lot of research, the fix was to set the code page that ASP uses to encode the response it streams to the client.  This can be done in the page directive with CodePage=65001 (the UTF-8 code page), or with Response.CodePage = 65001 at the top of the ASP page.  But the browser also has to be told which character set the bytes are in, so I use Response.CharSet = "utf-8", which puts the charset in the Content-Type response header.  The two settings have to agree: CodePage controls which bytes are sent, and CharSet controls how the browser decodes them.

Doing this in every page did the trick, but I have a LOT of pages, so I set about looking for a global setting for the code page.  After a lot of searching, I found the AspCodePage IIS metabase setting.  This is an obscure setting because we don’t normally have to change the IIS metabase.  It’s kind of like a registry for IIS.  IIS Manager has a GUI for some common settings, but this isn’t one of them.  I downloaded the IIS Metabase Explorer with the IIS 6.0 Resource Kit from Microsoft, and I was able to set this setting to 65001 for my application, which affected all the pages in my app.

For good measure, I went ahead and added

<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">

to all my pages. 
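The following added example (not code from the post) models the two settings that had to be aligned: the code page decides which bytes the server emits, and the declared charset decides how the browser turns them back into characters.  The Japanese sample text, the small table of Windows code page ids and the function names are constructed for this example.

```python
# Added example, not the post's code: a stand-alone model of the two settings the
# post had to align in classic ASP. The code page (CodePage directive,
# Response.CodePage or AspCodePage) decides which bytes ASP emits; Response.CharSet
# (or the meta tag) tells the browser how to decode them. The Japanese sample text
# and the code-page table are constructed here.
import codecs

CODEPAGES = {65001: "utf-8", 1252: "cp1252", 932: "cp932"}  # a few Windows code page ids
SAMPLE = "日本語のテキスト"  # constructed sample; stands in for the post's kanji


def asp_response(text: str, codepage: int, charset: str):
    """Build the response the way ASP would: characters that do not exist in the
    code page are replaced with '?', which is exactly the symptom in the post."""
    body = text.encode(CODEPAGES[codepage], errors="replace")
    headers = {"Content-Type": f"text/html; charset={charset}"}
    return headers, body


def browser_render(headers: dict, body: bytes) -> str:
    """Decode using the charset the server declared, as a browser does."""
    charset = headers["Content-Type"].split("charset=")[1]
    return body.decode(charset, errors="replace")


def round_trip(codepage: int, charset: str) -> str:
    return browser_render(*asp_response(SAMPLE, codepage, charset))


def settings_agree(codepage: int, charset: str) -> bool:
    """Check that the bytes emitted and the charset advertised are the same encoding.
    Names are normalized through the codec registry, so the check is strict:
    cp932 and plain Shift_JIS are reported as different (cp932 adds vendor extensions)."""
    return codecs.lookup(CODEPAGES[codepage]).name == codecs.lookup(charset).name


if __name__ == "__main__":
    # 1252/utf-8: every kanji becomes '?'. 65001/iso-8859-1: three garbage
    # characters per kanji. 65001/utf-8: intact. 932/shift_jis: intact for this
    # text, but only because every character here exists in that code page.
    for cp, cs in [(1252, "utf-8"), (65001, "iso-8859-1"), (65001, "utf-8"), (932, "shift_jis")]:
        print(cp, cs, settings_agree(cp, cs), round_trip(cp, cs))
```

The first case reproduces the question marks seen above: a Western code page simply has no byte for a kanji, so the data is lost before it leaves the server, and no charset declaration on the client side can recover it.  Since the HTTP header and the meta tag both carry the charset, keep them consistent; browsers give precedence to the HTTP header when the two disagree, so the meta tag mainly helps when a page is saved and opened from disk.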

It took me quite a while to educate myself on character sets because up to this point, I’d only had to deal with English.  It’s good education though.  I think all developers should know that text doesn’t always translate to normal ASCII codes.