Can't path to Style Sheet using ~
-
This code doesn't find the Style sheet: where the cardss.css is in the root of the web folder. I have used the ~ successfully in other areas such as <%@ Register...... Src="~/header.ascx" .....%> I am not allowed to use ../ to move up levels. I don't understand why the tilde is not working. I don't get an error, I just don't have any of the formatting.
TF
Tim Featherston
www.QBSix.com
-
The ~ only works for server-side paths, and is translated to an actual path before sending to the browser. Since your link tag is plain client-side HTML, it is sent to the browser as-is. On some tags, you can add runat="server" to make it a server-side control, thus enabling the ~. I do not know if it will work with the link tag though.
-
No, the runat="server" doesn't work within the link tag. No error, just nothing happens. I'm confused, because the web hosting practice where I am taking this doesn't allow ../ logic. I have been reading web security papers this week, and it appears that is the direction sites are going to. If so, how do you reference /cardss.css from /aFolder/oneLevel/aPage.aspx ? All of my web experience has been in the middle (data services) and db tiers, so I am fighting the learning curve for presentation development. Thanks for your comments.
TF
Tim Featherston
www.QBSix.com
-
I have never heard of a web hosting practice with a policy like this, and I have no idea how they would even enforce it. Using ../ is pretty standard, even recommended. The only other way is to use an absolute path, i.e. something that begins with /, or the actual host name. In fact, even should you succeed in using the ~, it may be rendered as ../ on the browser. I can understand wanting to avoid ../ on user controls (because they can be used in different directories), but not on normal pages.
-
In IIS 6.0, there is a property "Allow "../" which by default is unchecked. I think in IIS 5.0, you accomplish this with a Microsoft tool called URLScan, which runs as an ISAPI filter. This web application will be running on the military secured network.

You are correct. The ~ is rendered as a ../ on the browser if you view source.

The following is an excerpt from Improving Web Application Security Patterns And Practices from Microsoft.

Arbitrary Code Execution

If an attacker can execute malicious code on your server, the attacker can either compromise server resources or mount further attacks against downstream systems. The risks posed by arbitrary code execution increase if the server process under which the attacker’s code runs is over-privileged. Common vulnerabilities include weak IIS configuration and unpatched servers that allow path traversal and buffer overflow attacks, both of which can lead to arbitrary code execution.

Countermeasures to help prevent arbitrary code execution include:
● Configure IIS to reject URLs with “../” to prevent path traversal.
● Lock down system commands and utilities with restricted ACLs.
● Stay current with patches and updates to ensure that newly discovered buffer overflows are speedily patched.

Maybe ~ is OK because that is server side? Like I said, I am pretty weak in this area. I appreciate your comments.
TF
Tim Featherston
www.QBSix.com
-
Ah, now I understand. I think that restriction only applies to server side "include" files, and to normal server paths -- the following would be illegal:
<!--#include file="../filename.ext"-->
as would
http://myserver/abc.def.ghi/myfile.aspx
but it should still be ok to use normal client-side relative file references, like your CSS file, or an image file.
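
The distinction the thread arrives at, as an added example that is not part of the original posts: a browser resolves a relative href against the page URL before it sends the request, so "../" in a link tag never reaches the server, while "~" is treated by the browser as a literal folder name. The host name, the `hasParentSegment` filter and the `resolveTilde` helper are hypothetical sketches, not the actual IIS, URLScan or ASP.NET logic.

```javascript
// Constructed page URL, built from the paths mentioned in the thread.
const PAGE = "http://myserver/aFolder/oneLevel/aPage.aspx";

// What a browser does with an href before sending anything: resolve it
// against the page URL and collapse "." and ".." segments.
function requestPathFor(href, pageUrl = PAGE) {
  return new URL(href, pageUrl).pathname;
}

// Sketch of a server-side "reject parent paths" rule (hypothetical):
// decode once, then look for a ".." path segment.
function hasParentSegment(rawPath) {
  let decoded;
  try {
    decoded = decodeURIComponent(rawPath);
  } catch (e) {
    return true; // malformed escapes: refuse rather than guess
  }
  return decoded.split(/[\\/]/).includes("..");
}

// Simplified stand-in for server-side "~" handling: replace the tilde with
// the application root (assumed to be "/" unless stated otherwise).
function resolveTilde(path, appRoot = "/") {
  return path.startsWith("~/") ? appRoot.replace(/\/$/, "") + path.slice(1) : path;
}

// For each href a page might contain, the path the server would receive
// and whether the filter sketch above would reject it.
function demo() {
  return ["../../cardss.css", "/cardss.css", "~/cardss.css"].map((href) => {
    const path = requestPathFor(href);
    return { href, path, rejected: hasParentSegment(path) };
  });
}

console.log(demo());
// A hand-written request path (constructed) that keeps its dot segments,
// which is the case a "reject ../" rule is meant to catch:
console.log(hasParentSegment("/aFolder/../cardss.css"));
```

The root-relative form `/cardss.css` needs neither "~" nor "../", which answers how to reach a root style sheet from `/aFolder/oneLevel/aPage.aspx` when the application sits at the site root.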