A little problem I ran across on a recent project. I needed to display the attachments link for a list item in a custom DataFormWebPart.
The first thing I did was to add the attachment column to the DataFormWebPart; all this resulted in was a yes or no value. After a bit of searching on the web I found the solution. The following lines need to be added:
<SharePoint:AttachmentButton ControlMode="Edit" Enabled="true" ItemId="{@ID}" runat="server" Visible="false"/>
<SharePoint:AttachmentsField ControlMode="Display" ItemId="{@ID}" EnableViewState="true" FieldName="Attachments" runat="server"/>
Relevant links:
http://support.microsoft.com/kb/953271
http://social.technet.microsoft.com/Forums/en-US/sharepointsocialcomputing/thread/80a27347-fbc3-40e0-a622-cce5675579c4/
http://social.msdn.microsoft.com/Forums/en/sharepointcustomization/thread/c257a894-859a-406c-b3bd-d021ef1b7a75
Thursday, January 26, 2012
Tuesday, November 22, 2011
HTML 5 Persistent Storage Risks
At the Intel Security Conference last week I attended a presentation by Ming Chow on Abusing HTML 5. This sparked off some research on my part into the persistent storage APIs that the W3C is promoting.
I started with a deep dive into the Web SQL Database, which I felt was the most risky implementation and a good target for SQL and command injection attacks. However, it seems that the W3C is not going forward with the recommendation of using Web SQL Database, though the functionality is still available in the WebKit layout engine used by several browsers: Google Chrome, Opera and Safari. This also means that mobile devices which utilize WebKit could use the capability. It also turns out that WebKit can be used in IE as an add-in, so theoretically the Web SQL Database API functionality could be available in IE as well.
More information on Web SQL Database:
http://www.w3.org/TR/webdatabase/
http://en.wikipedia.org/wiki/Web_SQL_Database
http://en.wikipedia.org/wiki/Comparison_of_layout_engines_(HTML5
http://www.roughlydrafted.com/2009/09/25/google-sneaks-webkit-html-5-support-into-internet-explorer/
More Research:
Since Web SQL Database was being deprecated I started researching the risks of IndexedDB and Web Storage API for client side persistent storage.
For IndexedDB, see section 7 of the specification for the currently identified risks of using the IndexedDB API: http://www.w3.org/TR/IndexedDB/ It is currently only supported in Firefox and is actively being standardized by the W3C. There is some support in other layout engines, but expect support to grow as the specification matures.
For Web Storage, see section 7 of the specification: http://www.w3.org/TR/webstorage/#security-storage On top of the risks outlined in the specification, also consider that race conditions can exist and can be exploited (at least in the current implementation of the standard; see the warning at the top of the specification).
Risk mitigation strategies:
• Do not use the Web SQL Database API; it has been deprecated.
• Treat data coming from IndexedDB and Web Storage as untrusted, as it could have been corrupted by a malicious user or application.
• Be aware of race conditions when using Session Storage.
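The second mitigation above in practice, as an added example that is not part of the original post: a reader for Web Storage that parses the stored value with JSON.parse and validates every field against an allow-list before use, falling back to defaults whenever the value has been altered. The prefs key, the field names and the fakeStorage stand-in for window.localStorage are assumptions made for this example.

```javascript
// Added example (not from the original post): reading Web Storage defensively.
// Anything in localStorage or sessionStorage can be altered by the user, a browser
// extension or any other script in the same origin, so the stored value is parsed
// with JSON.parse and validated field by field before use; it is never eval'ed.

// Allow-list of expected fields and the check each must pass (assumed for the example).
const PREFS_SCHEMA = {
  theme:    v => v === 'light' || v === 'dark',
  pageSize: v => Number.isInteger(v) && v >= 10 && v <= 100,
  nickname: v => typeof v === 'string' && /^[\w .-]{1,32}$/.test(v),
};
const DEFAULT_PREFS = { theme: 'light', pageSize: 25, nickname: 'guest' };

// Returns a validated preferences object: a field that fails its check falls back to
// its default, unknown fields are dropped, unparseable or oversized values are ignored.
// `storage` is anything with a getItem(key) method, e.g. window.localStorage.
function loadPrefs(storage, key = 'prefs') {
  let parsed;
  try {
    const raw = storage.getItem(key);
    if (typeof raw !== 'string' || raw.length > 4096) return { ...DEFAULT_PREFS };
    parsed = JSON.parse(raw);
  } catch (e) {
    return { ...DEFAULT_PREFS };   // corrupted or tampered: do not trust it
  }
  if (parsed === null || typeof parsed !== 'object' || Array.isArray(parsed)) {
    return { ...DEFAULT_PREFS };
  }
  const out = {};
  for (const field of Object.keys(PREFS_SCHEMA)) {
    const v = parsed[field];
    out[field] = PREFS_SCHEMA[field](v) ? v : DEFAULT_PREFS[field];
  }
  return out;
}

// Constructed stand-in for window.localStorage so the example runs outside a browser.
function fakeStorage(entries) {
  const m = new Map(Object.entries(entries));
  return { getItem: k => (m.has(k) ? m.get(k) : null) };
}

// Constructed tampered record: markup in theme, an out-of-range pageSize and an
// extra isAdmin flag that the application never wrote.
const tampered = fakeStorage({
  prefs: JSON.stringify({ theme: '<b>dark</b>', pageSize: 99999,
                          nickname: 'dale', isAdmin: true }),
});
console.log(loadPrefs(tampered));   // { theme: 'light', pageSize: 25, nickname: 'dale' }
```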
Potential future research area:
• Since SQLite seems to be embedded in the browsers, see if the new APIs allow previous SQLite bugs to be used: http://www.cvedetails.com/vendor/9237/Sqlite.html
• Mozilla Firefox stores all Web Storage objects in a single file named webappsstore.sqlite. The sqlite3 command can be used to show the elements stored therein.
• Drive-by install of WebKit in IE using XSS?
o Everyone trusts Google, right?
• Develop an exploit using Web SQL Database to gain access to system resources.
o It’s going to be around for a long time.
Friday, November 11, 2011
Friday, April 15, 2011
Getting the Display value of a variable reference field
On occasion there is a need to get the display value of a reference variable.
There are two ways to accomplish this. The first is to make a call back to the server and query the table.
The second and more efficient way is to use the getDisplayBox function of g_form.
var refFieldDispVal = g_form.getDisplayBox('the reference field').value; // 'the reference field' is the name of your reference variable
Thanks to Mark Stanger for this pointer.
Adding a Reference Field to a UI Page
The following code is required to add a reference field to a UI Page. Note that this has type-ahead on it as well.
This example references the sys_user table and only returns accounts which are active and not locked out.
To use this code add it to the html section of the ui_page.
<j:set var="jvar_user_query" value="QUERY:active=true^locked_out=false" />
<input id="user_query" type="hidden" value="${jvar_user_query}" />
<g:ui_reference name="${jvar_user_query}" table="sys_user" />
This enables the use of a reference field when custom forms are required.
JavaScript Code Snippet: Find and Replace all
Here is a JavaScript code snippet for a find and replace all.
This example code checks whether the string contains three consecutive dashes and replaces every occurrence with three spaces.
var str = 'one---two---three'; // constructed sample input
if (str.indexOf('---') != -1) {
  // the g flag makes replace() substitute every occurrence, not just the first
  str = str.replace(/---/g, '   ');
}
Monday, February 21, 2011
New Photo Viewer
I've been playing with a new jQuery Photo Viewer control called Cloud Carousel, written by Professor Cloud.
This new control has helped me learn about image resizing as well, which has helped me shrink the size of the banner image improving performance.
Check out my Gallery here: http://dalecox99.com/Fun%20Stuff/photos.aspx
On the Photo Page I created a new master page that gives the maximum view window to see all the photos.
I hope you enjoy the photos.