From 29d40192ed3dc0085b5e513ec071c81e03e95d3b Mon Sep 17 00:00:00 2001 
From: xue <> Date: Thu, 23 Mar 2006 13:25:09 +0000 Subject: Reorganized quickstart tutorial. --- .../quickstart/protected/pages/Advanced/Auth.page | 92 +++++++++++ .../protected/pages/Advanced/Security.page | 79 +++++++++ .../protected/pages/Controls/Button.page | 16 ++ .../protected/pages/Controls/CheckBox.page | 14 ++ .../protected/pages/Controls/ColorPicker.page | 10 ++ .../quickstart/protected/pages/Controls/Data.page | 19 +++ .../protected/pages/Controls/DataGrid.page | 182 +++++++++++++++++++++ .../protected/pages/Controls/DataGrid1.page | 111 ------------- .../protected/pages/Controls/DataGrid2.page | 75 --------- .../protected/pages/Controls/DatePicker.page | 10 ++ .../protected/pages/Controls/Expression.page | 10 ++ .../protected/pages/Controls/FileUpload.page | 10 ++ .../quickstart/protected/pages/Controls/Head.page | 10 ++ .../protected/pages/Controls/HiddenField.page | 10 ++ .../protected/pages/Controls/HtmlArea.page | 7 + .../protected/pages/Controls/HyperLink.page | 11 ++ .../quickstart/protected/pages/Controls/Image.page | 11 ++ .../protected/pages/Controls/ImageButton.page | 11 ++ .../protected/pages/Controls/ImageMap.page | 6 + .../protected/pages/Controls/InlineFrame.page | 6 + .../protected/pages/Controls/JavascriptLogger.page | 6 + .../quickstart/protected/pages/Controls/Label.page | 11 ++ .../protected/pages/Controls/LinkButton.page | 11 ++ .../protected/pages/Controls/Literal.page | 6 + .../protected/pages/Controls/MultiView.page | 6 + .../quickstart/protected/pages/Controls/Panel.page | 11 ++ .../protected/pages/Controls/PlaceHolder.page | 6 + .../protected/pages/Controls/RadioButton.page | 11 ++ .../protected/pages/Controls/SafeHtml.page | 6 + .../protected/pages/Controls/Standard.page | 120 ++++++++++++++ .../protected/pages/Controls/Statements.page | 6 + .../quickstart/protected/pages/Controls/Table.page | 11 ++ .../protected/pages/Controls/TextBox.page | 11 ++ .../protected/pages/Controls/TextHighlighter.page | 6 + 
.../protected/pages/Controls/Wizard.page | 6 + .../quickstart/protected/pages/Security/Auth.page | 92 ----------- .../protected/pages/Security/Cookie.page | 42 ----- .../protected/pages/Security/ViewState.page | 26 --- demos/quickstart/protected/pages/Security/XSS.page | 13 -- 39 files changed, 748 insertions(+), 359 deletions(-) create mode 100644 demos/quickstart/protected/pages/Advanced/Auth.page create mode 100644 demos/quickstart/protected/pages/Advanced/Security.page create mode 100644 demos/quickstart/protected/pages/Controls/Button.page create mode 100644 demos/quickstart/protected/pages/Controls/CheckBox.page create mode 100644 demos/quickstart/protected/pages/Controls/ColorPicker.page create mode 100644 demos/quickstart/protected/pages/Controls/Data.page create mode 100644 demos/quickstart/protected/pages/Controls/DataGrid.page delete mode 100644 demos/quickstart/protected/pages/Controls/DataGrid1.page delete mode 100644 demos/quickstart/protected/pages/Controls/DataGrid2.page create mode 100644 demos/quickstart/protected/pages/Controls/DatePicker.page create mode 100644 demos/quickstart/protected/pages/Controls/Expression.page create mode 100644 demos/quickstart/protected/pages/Controls/FileUpload.page create mode 100644 demos/quickstart/protected/pages/Controls/Head.page create mode 100644 demos/quickstart/protected/pages/Controls/HiddenField.page create mode 100644 demos/quickstart/protected/pages/Controls/HtmlArea.page create mode 100644 demos/quickstart/protected/pages/Controls/HyperLink.page create mode 100644 demos/quickstart/protected/pages/Controls/Image.page create mode 100644 demos/quickstart/protected/pages/Controls/ImageButton.page create mode 100644 demos/quickstart/protected/pages/Controls/ImageMap.page create mode 100644 demos/quickstart/protected/pages/Controls/InlineFrame.page create mode 100644 demos/quickstart/protected/pages/Controls/JavascriptLogger.page create mode 100644 demos/quickstart/protected/pages/Controls/Label.page create 
mode 100644 demos/quickstart/protected/pages/Controls/LinkButton.page create mode 100644 demos/quickstart/protected/pages/Controls/Literal.page create mode 100644 demos/quickstart/protected/pages/Controls/MultiView.page create mode 100644 demos/quickstart/protected/pages/Controls/Panel.page create mode 100644 demos/quickstart/protected/pages/Controls/PlaceHolder.page create mode 100644 demos/quickstart/protected/pages/Controls/RadioButton.page create mode 100644 demos/quickstart/protected/pages/Controls/SafeHtml.page create mode 100644 demos/quickstart/protected/pages/Controls/Standard.page create mode 100644 demos/quickstart/protected/pages/Controls/Statements.page create mode 100644 demos/quickstart/protected/pages/Controls/Table.page create mode 100644 demos/quickstart/protected/pages/Controls/TextBox.page create mode 100644 demos/quickstart/protected/pages/Controls/TextHighlighter.page create mode 100644 demos/quickstart/protected/pages/Controls/Wizard.page delete mode 100644 demos/quickstart/protected/pages/Security/Auth.page delete mode 100644 demos/quickstart/protected/pages/Security/Cookie.page delete mode 100644 demos/quickstart/protected/pages/Security/ViewState.page delete mode 100644 demos/quickstart/protected/pages/Security/XSS.page (limited to 'demos/quickstart/protected/pages') diff --git a/demos/quickstart/protected/pages/Advanced/Auth.page b/demos/quickstart/protected/pages/Advanced/Auth.page new file mode 100644 index 00000000..ec876f54 --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Auth.page @@ -0,0 +1,92 @@ + + +

Authentication and Authorization

+

+Authentication is a process of verifying whether someone is who he claims he is. It usually involves a username and a password, but may include any other methods of demonstrating identity, such as a smart card, fingerprints, etc. +

+

+Authorization is finding out if the person, once identified, is permitted to manipulate specific resources. This is usually determined by finding out if that person is of a particular role that has access to the resources. +

+ +

How PRADO Auth Framework Works

+

+PRADO provides an extensible authentication/authorization framework. As described in application lifecycles, TApplication reserves several lifecycles for modules responsible for authentication and authorization. PRADO provides the TAuthManager module for such purposes. Developers can plug in their own auth modules easily. TAuthManager is designed to be used together with TUserManager module, which implements a read-only user database. +

+

+When a page request occurs, TAuthManager will try to restore user information from session. If no user information is found, the user is considered as an anonymous or guest user. To facilitate user identity verification, TAuthManager provides two commonly used methods: login() and logout(). A user is logged in (verified) if his username and password entries match a record in the user database managed by TUserManager. A user is logged out if his user information is cleared from session and he needs to re-login if he makes new page requests. +

+

+During Authorization application lifecycle, which occurs after Authentication lifecycle, TAuthManager will verify if the current user has access to the requested page according to a set of authorization rules. The authorization is role-based, i.e., a user has access to a page if 1) the page explicitly states that the user has access; 2) or the user is of a particular role that has access to the page. If the user does not have access to the page, TAuthManager will redirect user browser to the login page which is specified by LoginPage property. +

+ +

Using PRADO Auth Framework

+

+To enable PRADO auth framework, add the TAuthManager module and TUserManager module to application configuration, +

+ +<service id="page" class="TPageService"> + <modules> + <module id="auth" class="System.Security.TAuthManager" + UserManager="users" LoginPage="UserLogin" /> + <module id="users" class="System.Security.TUserManager" + PasswordMode="Clear"> + <user name="demo" password="demo" /> + <user name="admin" password="admin" /> + </module> + </modules> +</service> + +

+In the above, the UserManager property of TAuthManager is set to the users module which is TUserManager. Developers may replace it with a different user management module that is derived from TUserManager. +

+

+Authorization rules for pages are specified in page configurations as follows, +

+ +<authorization> + <allow pages="PageID1,PageID2" + users="User1,User2" + roles="Role1" /> + <deny pages="PageID1,PageID2" + users="?" + verb="post" /> +</authorization> + +

+An authorization rule can be either an allow rule or a deny rule. Each rule consists of four optional properties: +

+ + +

+When a page request is being processed, a list of authorization rules may be available. However, only the first effective rule matching the current user will render the authorization result. +

+ +

+In the above example, anonymous users will be denied from posting to PageID1 and PageID2, while User1 and User2 and all users of role Role1 can access the two pages (in both get and post methods). +

+ +

Using TUserManager

+

+As aforementioned, TUserManager implements a read-only user database. The user information are specified in either application configuration or an external XML file. +

+

+We have seen in the above example that two users are specified in the application configuration. Complete syntax of specifying the user and role information is as follows, +

+ +<user name="demo" password="demo" roles="demo,admin" /> +<role name="admin" users="demo,demo2" /> + +

+where the roles attribute in user element is optional. User roles can be specified in either the user element or in a separate role element. +

+
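Review bot: the TUserManager example ships with PasswordMode="Clear" and the credentials demo/demo and admin/admin written into the application configuration, and nothing in the surrounding text says that cleartext passwords are for the demo only; add a sentence after the configuration block that says Clear is for demonstration and points readers to the other PasswordMode values for anything beyond a demo. Two smaller gaps in the same page: "only the first effective rule matching the current user will render the authorization result" does not say what the outcome is when no rule matches (allowed or denied?), which a reader needs before relying on deny-by-default, and "Each rule consists of four optional properties:" is followed by no list in the hunk as shown here, so the four properties the XML example uses (pages, users, roles, verb) should be spelled out with their accepted values, including what "?" means in users.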
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Advanced/Security.page b/demos/quickstart/protected/pages/Advanced/Security.page new file mode 100644 index 00000000..b6de7251 --- /dev/null +++ b/demos/quickstart/protected/pages/Advanced/Security.page @@ -0,0 +1,79 @@ + + +

Security

+ +

Viewstate Protection

+

+Viewstate lies at the heart of PRADO. Viewstate represents data that can be used to restore pages to the state that is last seen by end users before making the current request. By default, PRADO uses hidden fields to store viewstate information. +

+

+It is extremely important to ensure that viewstate is not tampered by end users. Without protection, malicious users may inject harmful code into viewstate and unwanted instructions may be performed when page state is being restored on server side. +

+

+To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate is modified, PRADO will stop restoring the viewstate and return an error message. +

+

+HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure TSecurityManager in application configuration, +

+ +<modules> + <module id="security" + class="TSecurityManager" + ValidationKey="my private key" /> +</modules> + +

+HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. To enable viewstate encryption, set the EnableStateEncryption of pages to true. This can be done in page configurations or in page code. Note, encrypting viewstate may degrade the application performance. A better strategy is to store viewstate on the server side, rather than the default hidden field. +

+ +

Cross Site Scripting Prevention

+

+Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers. +

+

+One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferrable because it disables all HTML tags. +

+

+PRADO incorporates the work of SafeHTML and provides developers with a useful component called TSafeHtml. By enclosing content within a TSafeHtml component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used TTextBox has a SafeText property which contains user input that are ensured to be safe if displayed directly to end users. +

+ +

Cookie Attack Prevention

+

+Protecting cookies from being attacked is of extreme important, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information. +

+

+There are several countermeasures to prevent cookies from being attacked. +

+ +

+Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable. +

+

+Cookie validation is disabled by default. To enable it, configure the THttpRequest module as follows, +

+ + + + + +

+To make use of cookie validation scheme provided by Prado, you also need to retrieve cookies through the Cookies collection of THttpRequest by using the following PHP statements, +

+ +foreach($this->Request->Cookies as $cookie) + // $cookie is of type THttpCookie + +

+To send cookie data encoded with validation information, create new THttpCookie objects and add them to the Cookies collection of THttpResponse, +

+ +$cookie=new THttpCookie($name,$value); +$this->Response->Cookies[]=$cookie; + + +
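Review bot: "To enable it, configure the THttpRequest module as follows," is followed by an empty highlighter block in this hunk, so the reader never sees the one setting that turns cookie validation on; fill in the module configuration (by analogy with the TSecurityManager block earlier on the page) before this goes out. Likewise "There are several countermeasures to prevent cookies from being attacked." introduces a list that is not there. Next to the ValidationKey example it is worth saying why a manual key matters on a server farm: every host must share the same key, or viewstate posted back to a different host fails the HMAC check. Wording while here: "Should the viewstate is modified" should read "Should the viewstate be modified", "is of extreme important" should read "is of extreme importance", "if cookie validation is enable" should read "is enabled", and "not preferrable" should read "not preferable".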
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Button.page b/demos/quickstart/protected/pages/Controls/Button.page new file mode 100644 index 00000000..e58571d3 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Button.page @@ -0,0 +1,16 @@ + + +

TButton

+ + +

+TButton creates a click button on a Web page. The button's caption is specified by Text property. A button is used to submit data to a page. TButton raises two server-side events, Click and Command, when it is clicked on the client-side. The difference between Click and Command events is that the latter event is bubbled up to the button's ancestor controls. A Command event handler can use CommandName and CommandParameter associated with the event to perform specific actions. +

+

+Clicking on button can trigger form validation, if CausesValidation is true. And the validation may be restricted within a certain group of validator controls according to ValidationGroup. +

+ + +TODO: custom attributes + +
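Review bot: "TODO: custom attributes" is left as visible placeholder text at the end of the page; either write the custom-attributes paragraph or take the placeholder out so it does not ship in the tutorial.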
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/CheckBox.page b/demos/quickstart/protected/pages/Controls/CheckBox.page new file mode 100644 index 00000000..77052997 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/CheckBox.page @@ -0,0 +1,14 @@ + + +

TCheckBox

+ + +

+TCheckBox displays a check box on a Web page. A caption can be specified via Text and displayed beside the check box. It can appear either on the right or left of the check box, which is determined by TextAlign. You may further specify attributes applied to the text by using LabelAttributes. +

+

+To determine whether the check box is checked, test the Checked property. A CheckedChanged event is raised if the state of Checked is changed between posts to the server. If AutoPostBack is true, changing the check box state will cause postback action. And if CausesValidation is also true, upon postback validation will be performed for validators within the specified ValidationGroup. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/ColorPicker.page b/demos/quickstart/protected/pages/Controls/ColorPicker.page new file mode 100644 index 00000000..6e05584a --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/ColorPicker.page @@ -0,0 +1,10 @@ + + +

TColorPicker

+ + +

+TBD +

+ +
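Review bot: the page body is just "TBD"; hold this file back from the commit until there is content, since an empty control page reads as missing documentation rather than as work in progress.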
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Data.page b/demos/quickstart/protected/pages/Controls/Data.page new file mode 100644 index 00000000..36839582 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Data.page @@ -0,0 +1,19 @@ + + +

Data Controls

+ + + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/DataGrid.page b/demos/quickstart/protected/pages/Controls/DataGrid.page new file mode 100644 index 00000000..de6a94e9 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/DataGrid.page @@ -0,0 +1,182 @@ + + +

TDataGrid

+ +

+TDatagrid is an important control in building complex Web applications. It displays data in a tabular format with rows (also called items) and columns. A row is composed by cells, while columns govern how cells should be displayed according to their association with the columns. Data specified via DataSource or DataSourceID are bound to the rows and feed contents to cells. +

+

+TDataGrid is highly interactive. Users can sort the data along specified columns, navigate through different pages of the data, and perform actions, such as editting and deleting, on rows of the data. +

+

+Rows of TDataGrid can be accessed via its Items property. A row (item) can be in one of several modes: browsing, editting and selecting, which affects how cells in the row are displayed. To change an item's mode, modify EditItemIndex or SelectedItemIndex. Note, if an item is in edit mode, then selecting this item will have no effect. +

+ +

Columns

+

+Columns of a data grid determine how the associated cells are displayed. For example, cells associated with a TBoundColumn are displayed differently according to their modes. A cell is displayed as a static text if the cell is in browsing mode, a text box if it is in editting mode, and so on. +

+

+PRADO provides five types of columns: +

+ + +

Item Styles

+

+TDataGrid defines different styles applied to its items. For example, AlternatingItemStyle is applied to alternating items (item 2, 4, 6, etc.) Through these properties, one can set CSS style fields or CSS classes for the items. +

+

+Item styles are applied in a hierarchical way. Styles in higher hierarchy will inherit from styles in lower hierarchy. Starting from the lowest hierarchy, the item styles include item's own style, ItemStyle, AlternatingItemStyle, SelectedItemStyle, and EditItemStyle. Therefore, if background color is set as red in ItemStyle, EditItemStyle will also have red background color, unless it is explicitly set to a different value. +

+ +

Events

+

+TDataGrid provides several events to facilitate manipulation of its items, +

+ + +

Using TDataGrid

+ +

Automatically Generated Columns

+

+TDataGrid by default will create a list of columns based on the structure of the bound data. TDataGrid will read the first row of the data, extract the field names of the row, and construct a column for each field. Each column is of type TBoundColumn. +

+

+The following example displays a list of computer product information using a TDataGrid. Columns are automatically generated. Pay attention to how item styles are specified and inherited. The data are populated into the datagrid using the follow code, which is common among most datagrid applications, +

+ +public function onLoad($param) { + parent::onLoad($param); + if(!$this->IsPostBack) { + $this->DataGrid->DataSource=$this->Data; + $this->DataGrid->dataBind(); + } +} + + + +

Manually Specified Columns

+

+Using automatically generated columns gives a quick way of browsing tabular data. In real applications, however, automatically generated columns are often not sufficient because developers have no way customizing their appearance. Manually specified columns are thus more desirable. +

+

+To manually specify columns, set AutoGenerateColumns to false, and specify the columns in a template like the following, +

+ +<com:TDataGrid ...> + <com:TBoundColumn DataField="name" .../> + <com:TBoundColumn DataField="price" .../> + <com:TEditCommandColumn ...> + ... +</com:TDataGrid> + +

+Note, if AutoGenerateColumns is true and there are manually specified columns, the automatically generated columns will be appended to the manually specified columns. Also note, the datagrid's Columns property contains only manually specified columns and no automatically generated ones. +

+

+The following example uses manually specified columns to show a list of book information, +

+ +

Pay attention to how item (row) styles and column styles cooperate together to affect the appearance of the cells in the datagrid.

+ + + +

Interacting with TDataGrid

+

+Besides the rich data presentation functionalities as demonstrated in previous section, TDataGrid is also highly user interactive. An import usage of TDataGrid is editting or deleting rows of data. The TBoundColumn can adjust the associated cell presentation according to the mode of datagrid items. When an item is in browsing mode, the cell is displayed with a static text; when the item is in editting mode, a textbox is displayed to collect user inputs. TDataGrid provides TEditCommandColumn for switching item modes. In addition, TButtonColumn offers developers the flexibility of creating arbitrary buttons for various user interactions. +

+

+The following example shows how to make the previous book information table an interactive one. It allows users to edit and delete book items from the table. Two additional columns are used in the example to allow users interact with the datagrid: TEditCommandColumn and TButtonColumn. +

+ + +

Sorting

+

+TDataGrid supports sorting its items according to specific columns. To enable sorting, set AllowSorting to true. This will turn column headers into clickable buttons if their SortExpression property is not empty. When users click on the header buttons, an OnSortCommand event will be raised. Developers can write handlers to respond to the sort command and sort the data according to SortExpression which is specified in the corresponding column. +

+

+The following example turns the datagrid in Example 2 into a sortable one. Users can click on the link button displayed in the header of any column, and the data will be sorted in ascending order along that column. +

+ + +

Paging

+

+When dealing with large datasets, paging is helpful in reducing the page size and complexity. TDataGrid has an embedded pager that allows users to specify which page of data they want to see. The pager can be customized via PagerStyle. For example, PagerStyle.Visible determines whether the pager is visible or not; PagerStyle.Position indicates where the pager is displayed; and PagerStyle.Mode specifies what type of pager is displayed, a numeric one or a next-prev one. +

+

+To enable paging, set AllowPaging to true. The number of rows of data displayed in a page is specified by PageSize, while the index (zero-based) of the page currently showing to users is by CurrentPageIndex. When users click on a pager button, TDataGrid raises OnPageIndexChanged event. Typically, the event handler is written as follows, +

+ +public function pageIndexChanged($sender,$param) { + $this->DataGrid->CurrentPageIndex=$param->NewPageIndex; + $this->DataGrid->DataSource=$this->Data; + $this->DataGrid->dataBind(); +} + +

+The following example enables the paging functionality of the datagrid shown in Example 1. In this example, you can set various pager styles interactively to see how they affect the pager display. +

+ + +

Custom Paging

+

+The paging functionality shown above requires loading all data into memory, even though only a portion of them is displayed in a page. For large datasets, this is inefficient and may not always be feasible. TDataGrid provides custom paging to solve this problem. Custom paging only requires the portion of the data to be displayed to end users. +

+

+To enable custom paging, set both AllowPaging and AllowCustomPaging to true. Notify TDataGrid the total number of data items (rows) available by setting VirtualItemCount. And respond to the OnPageIndexChanged event. In the event handler, use the NewPageIndex property of the event parameter to fetch the new page of data from data source. For MySQL database, this can be done by using LIMIT clause in an SQL select statement. +

+ + +

Extending TDataGrid

+

+Besides traditional class inheritance, extensibility of TDataGrid is mainly through developing new datagrid column components. For example, one may want to display an image column. He may use TTemplateColumn to accomplish this task. A better solution is to develop an image column component so that the work can be reused easily in other projects. +

+

+All datagrid column components must inherit from TDataGridColumn. The main method that needs to be overridden is initializeCell() which creates content for cells in the corresponding column. Since each cell is also in an item (row) and the item can have different types (such as Header, AltneratingItem, etc.), different content may be created according to the item type. For the image column example, one may want to create a TImage control within cells residing in items of Item and AlterantingItem types. +

+ +class ImageColumn extends TDataGridColumn { + ... + public function initializeCell($cell,$columnIndex,$itemType) { + parent::initializeCell($cell,$columnIndex,$itemType); + if($itemType==='Item' || $itemType==='AlternatingItem') { + $image=new TImage; + // ... customization of the image + $cell->Controls[]=$image; + } + } +} + +

+In initializeCell(), remember to call the parent implementation, as it initializes cells in items of Header and Footer types. +

+ +
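Review bot: in the custom paging paragraph, NewPageIndex arrives from a pager click and the text sends it straight into a MySQL LIMIT clause; the paragraph should say that the value must be cast to an integer (or bound as a query parameter) and that the offset is computed server-side as NewPageIndex multiplied by PageSize, otherwise readers will interpolate a request-controlled value into SQL. Two more things in this hunk: in the manually specified columns template `<com:TEditCommandColumn ...>` is opened but never closed while the TBoundColumn lines use `.../>`, so the template will not parse as written; and the item type names in the prose around the ImageColumn example are misspelled ("AltneratingItem", "AlterantingItem") where the code correctly compares against 'AlternatingItem', with "editting" appearing throughout where "editing" is meant.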
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/DataGrid1.page b/demos/quickstart/protected/pages/Controls/DataGrid1.page deleted file mode 100644 index dde372f5..00000000 --- a/demos/quickstart/protected/pages/Controls/DataGrid1.page +++ /dev/null @@ -1,111 +0,0 @@ - - -

TDataGrid : Part I

- -

-TDatagrid is an important control in building complex Web applications. It displays data in a tabular format with rows (also called items) and columns. A row is composed by cells, while columns govern how cells should be displayed according to their association with the columns. Data specified via DataSource or DataSourceID are bound to the rows and feed contents to cells. -

-

-TDataGrid is highly interactive. Users can sort the data along specified columns, navigate through different pages of the data, and perform actions, such as editting and deleting, on rows of the data. -

-

-Rows of TDataGrid can be accessed via its Items property. A row (item) can be in one of several modes: browsing, editting and selecting, which affects how cells in the row are displayed. To change an item's mode, modify EditItemIndex or SelectedItemIndex. Note, if an item is in edit mode, then selecting this item will have no effect. -

- -

Columns

-

-Columns of a data grid determine how the associated cells are displayed. For example, cells associated with a TBoundColumn are displayed differently according to their modes. A cell is displayed as a static text if the cell is in browsing mode, a text box if it is in editting mode, and so on. -

-

-PRADO provides five types of columns: -

- - -

Item Styles

-

-TDataGrid defines different styles applied to its items. For example, AlternatingItemStyle is applied to alternating items (item 2, 4, 6, etc.) Through these properties, one can set CSS style fields or CSS classes for the items. -

-

-Item styles are applied in a hierarchical way. Styles in higher hierarchy will inherit from styles in lower hierarchy. Starting from the lowest hierarchy, the item styles include item's own style, ItemStyle, AlternatingItemStyle, SelectedItemStyle, and EditItemStyle. Therefore, if background color is set as red in ItemStyle, EditItemStyle will also have red background color, unless it is explicitly set to a different value. -

- -

Events

-

-TDataGrid provides several events to facilitate manipulation of its items, -

- - -

Using TDataGrid

- -

Automatically Generated Columns

-

-TDataGrid by default will create a list of columns based on the structure of the bound data. TDataGrid will read the first row of the data, extract the field names of the row, and construct a column for each field. Each column is of type TBoundColumn. -

-

-The following example displays a list of computer product information using a TDataGrid. Columns are automatically generated. Pay attention to how item styles are specified and inherited. The data are populated into the datagrid using the follow code, which is common among most datagrid applications, -

- -public function onLoad($param) { - parent::onLoad($param); - if(!$this->IsPostBack) { - $this->DataGrid->DataSource=$this->Data; - $this->DataGrid->dataBind(); - } -} - - - -

Manually Specified Columns

-

-Using automatically generated columns gives a quick way of browsing tabular data. In real applications, however, automatically generated columns are often not sufficient because developers have no way customizing their appearance. Manually specified columns are thus more desirable. -

-

-To manually specify columns, set AutoGenerateColumns to false, and specify the columns in a template like the following, -

- -<com:TDataGrid ...> - <com:TBoundColumn DataField="name" .../> - <com:TBoundColumn DataField="price" .../> - <com:TEditCommandColumn ...> - ... -</com:TDataGrid> - -

-Note, if AutoGenerateColumns is true and there are manually specified columns, the automatically generated columns will be appended to the manually specified columns. Also note, the datagrid's Columns property contains only manually specified columns and no automatically generated ones. -

-

-The following example uses manually specified columns to show a list of book information, -

- -

Pay attention to how item (row) styles and column styles cooperate together to affect the appearance of the cells in the datagrid.

- - -
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/DataGrid2.page b/demos/quickstart/protected/pages/Controls/DataGrid2.page deleted file mode 100644 index ed169b1a..00000000 --- a/demos/quickstart/protected/pages/Controls/DataGrid2.page +++ /dev/null @@ -1,75 +0,0 @@ - - -

TDataGrid : Part II

- -

Interacting with TDataGrid

-

-Besides the rich data presentation functionalities as demonstrated in previous section, TDataGrid is also highly user interactive. An import usage of TDataGrid is editting or deleting rows of data. The TBoundColumn can adjust the associated cell presentation according to the mode of datagrid items. When an item is in browsing mode, the cell is displayed with a static text; when the item is in editting mode, a textbox is displayed to collect user inputs. TDataGrid provides TEditCommandColumn for switching item modes. In addition, TButtonColumn offers developers the flexibility of creating arbitrary buttons for various user interactions. -

-

-The following example shows how to make the previous book information table an interactive one. It allows users to edit and delete book items from the table. Two additional columns are used in the example to allow users interact with the datagrid: TEditCommandColumn and TButtonColumn. -

- - -

Sorting

-

-TDataGrid supports sorting its items according to specific columns. To enable sorting, set AllowSorting to true. This will turn column headers into clickable buttons if their SortExpression property is not empty. When users click on the header buttons, an OnSortCommand event will be raised. Developers can write handlers to respond to the sort command and sort the data according to SortExpression which is specified in the corresponding column. -

-

-The following example turns the datagrid in Example 2 into a sortable one. Users can click on the link button displayed in the header of any column, and the data will be sorted in ascending order along that column. -

- - -

Paging

-

-When dealing with large datasets, paging is helpful in reducing the page size and complexity. TDataGrid has an embedded pager that allows users to specify which page of data they want to see. The pager can be customized via PagerStyle. For example, PagerStyle.Visible determines whether the pager is visible or not; PagerStyle.Position indicates where the pager is displayed; and PagerStyle.Mode specifies what type of pager is displayed, a numeric one or a next-prev one. -

-

-To enable paging, set AllowPaging to true. The number of rows of data displayed in a page is specified by PageSize, while the index (zero-based) of the page currently showing to users is by CurrentPageIndex. When users click on a pager button, TDataGrid raises OnPageIndexChanged event. Typically, the event handler is written as follows, -

- -public function pageIndexChanged($sender,$param) { - $this->DataGrid->CurrentPageIndex=$param->NewPageIndex; - $this->DataGrid->DataSource=$this->Data; - $this->DataGrid->dataBind(); -} - -

-The following example enables the paging functionality of the datagrid shown in Example 1. In this example, you can set various pager styles interactively to see how they affect the pager display. -

- - -

Custom Paging

-

-The paging functionality shown above requires loading all data into memory, even though only a portion of them is displayed in a page. For large datasets, this is inefficient and may not always be feasible. TDataGrid provides custom paging to solve this problem. Custom paging only requires the portion of the data to be displayed to end users. -

-

-To enable custom paging, set both AllowPaging and AllowCustomPaging to true. Notify TDataGrid the total number of data items (rows) available by setting VirtualItemCount. And respond to the OnPageIndexChanged event. In the event handler, use the NewPageIndex property of the event parameter to fetch the new page of data from data source. For MySQL database, this can be done by using LIMIT clause in an SQL select statement. -

- - -

Extending TDataGrid

-

-Besides traditional class inheritance, extensibility of TDataGrid is mainly through developing new datagrid column components. For example, one may want to display an image column. He may use TTemplateColumn to accomplish this task. A better solution is to develop an image column component so that the work can be reused easily in other projects. -

-

-All datagrid column components must inherit from TDataGridColumn. The main method that needs to be overridden is initializeCell() which creates content for cells in the corresponding column. Since each cell is also in an item (row) and the item can have different types (such as Header, AltneratingItem, etc.), different content may be created according to the item type. For the image column example, one may want to create a TImage control within cells residing in items of Item and AlterantingItem types. -

- -class ImageColumn extends TDataGridColumn { - ... - public function initializeCell($cell,$columnIndex,$itemType) { - parent::initializeCell($cell,$columnIndex,$itemType); - if($itemType==='Item' || $itemType==='AlternatingItem') { - $image=new TImage; - // ... customization of the image - $cell->Controls[]=$image; - } - } -} - -

-In initializeCell(), remember to call the parent implementation, as it initializes cells in items of Header and Footer types. -

- -
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/DatePicker.page b/demos/quickstart/protected/pages/Controls/DatePicker.page new file mode 100644 index 00000000..5425f2ab --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/DatePicker.page @@ -0,0 +1,10 @@ + + +

TDatePicker

+ + +

+TBD +

+ +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Expression.page b/demos/quickstart/protected/pages/Controls/Expression.page new file mode 100644 index 00000000..767f292f --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Expression.page @@ -0,0 +1,10 @@ + + +

TExpression

+ + +

+TBD +

+ +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/FileUpload.page b/demos/quickstart/protected/pages/Controls/FileUpload.page new file mode 100644 index 00000000..873d4bc7 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/FileUpload.page @@ -0,0 +1,10 @@ + + +

TFileUpload

+ + +

+TBD +

+ +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Head.page b/demos/quickstart/protected/pages/Controls/Head.page new file mode 100644 index 00000000..269ec404 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Head.page @@ -0,0 +1,10 @@ + + +

THead

+ + +

+TBD +

+ +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/HiddenField.page b/demos/quickstart/protected/pages/Controls/HiddenField.page new file mode 100644 index 00000000..8b04d928 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/HiddenField.page @@ -0,0 +1,10 @@ + + +

THiddenField

+ + +

+TBD +

+ +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/HtmlArea.page b/demos/quickstart/protected/pages/Controls/HtmlArea.page new file mode 100644 index 00000000..992f417e --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/HtmlArea.page @@ -0,0 +1,7 @@ + + +

THtmlArea

+ + + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/HyperLink.page b/demos/quickstart/protected/pages/Controls/HyperLink.page new file mode 100644 index 00000000..afccd041 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/HyperLink.page @@ -0,0 +1,11 @@ + + +

THyperLink

+ + +

+THyperLink displays a hyperlink on a page. The hyperlink URL is specified via the NavigateUrl property, and link text is via the Text property. The link target is specified via the Target property. It is also possible to display an image by setting the ImageUrl property. In this case, Text is displayed as the alternate text of the image. If both ImageUrl and Text are empty, the content enclosed within the control tag will be rendered. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Image.page b/demos/quickstart/protected/pages/Controls/Image.page new file mode 100644 index 00000000..a926c204 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Image.page @@ -0,0 +1,11 @@ + + +

TImage

+ + +

+TImage displays an image on a page. The image is specified via the ImageUrl property which takes a relative or absolute URL to the image file. The alignment of the image displayed is set by the ImageAlign property. To set alternate text or long description of the image, use AlternateText or DescriptionUrl, respectively. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/ImageButton.page b/demos/quickstart/protected/pages/Controls/ImageButton.page new file mode 100644 index 00000000..b4a8de93 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/ImageButton.page @@ -0,0 +1,11 @@ + + +

TImageButton

+ + +

+TImageButton is also similar to TButton, except that TImageButton displays the button as an image. The image is specified via ImageUrl, and the alternate text is specified by Text. In addition, it is possible to obtain the coordinate of the point where the image is clicked. The coordinate information is contained in the event parameter of the Click event (not Command). +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/ImageMap.page b/demos/quickstart/protected/pages/Controls/ImageMap.page new file mode 100644 index 00000000..0d7d65b1 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/ImageMap.page @@ -0,0 +1,6 @@ + + +

TImageMap

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/InlineFrame.page b/demos/quickstart/protected/pages/Controls/InlineFrame.page new file mode 100644 index 00000000..ea89a690 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/InlineFrame.page @@ -0,0 +1,6 @@ + + +

TInlineFrame

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/JavascriptLogger.page b/demos/quickstart/protected/pages/Controls/JavascriptLogger.page new file mode 100644 index 00000000..8b3c63c8 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/JavascriptLogger.page @@ -0,0 +1,6 @@ + + +

TJavascriptLogger

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Label.page b/demos/quickstart/protected/pages/Controls/Label.page new file mode 100644 index 00000000..69329c8a --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Label.page @@ -0,0 +1,11 @@ + + +

TLabel

+ + +

+TLabel displays a piece of text on a Web page. The text to be displayed is set via its Text property. If Text is empty, content enclosed within the TLabel component tag will be displayed. TLabel may also be used as a form label associated with some control on the form. Since Text is not HTML-encoded when being rendered, make sure it does not contain dangerous characters that you want to avoid. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/LinkButton.page b/demos/quickstart/protected/pages/Controls/LinkButton.page new file mode 100644 index 00000000..eb22f9ce --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/LinkButton.page @@ -0,0 +1,11 @@ + + +

TLinkButton

+ + +

+TLinkButton is similar to TButton in every aspect except that TLinkButton is displayed as a hyperlink. The link text is determined by its Text property. If the Text property is empty, then the body content of the button is displayed (therefore, you can enclose a <img> tag within the button body and get an image button. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Literal.page b/demos/quickstart/protected/pages/Controls/Literal.page new file mode 100644 index 00000000..edf3bf09 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Literal.page @@ -0,0 +1,6 @@ + + +

TLiteral

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/MultiView.page b/demos/quickstart/protected/pages/Controls/MultiView.page new file mode 100644 index 00000000..8c21bbf5 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/MultiView.page @@ -0,0 +1,6 @@ + + +

TMultiView

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Panel.page b/demos/quickstart/protected/pages/Controls/Panel.page new file mode 100644 index 00000000..b402cd8f --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Panel.page @@ -0,0 +1,11 @@ + + +

TPanel

+ + +

+TPanel acts as a presentational container for other control. It displays a <div> element on a page. The property Wrap specifies whether the panel's body content should wrap or not, while HorizontalAlign governs how the content is aligned horizontally and Direction indicates the content direction (left to right or right to left). You can set BackImageUrl to give a background image to the panel, and you can ste GroupingText so that the panel is displayed as a field set with a legend text. Finally, you can specify a default button to be fired when users press 'return' key within the panel by setting the DefaultButton property. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/PlaceHolder.page b/demos/quickstart/protected/pages/Controls/PlaceHolder.page new file mode 100644 index 00000000..1291c149 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/PlaceHolder.page @@ -0,0 +1,6 @@ + + +

TPlaceHolder

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/RadioButton.page b/demos/quickstart/protected/pages/Controls/RadioButton.page new file mode 100644 index 00000000..5e1d9d21 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/RadioButton.page @@ -0,0 +1,11 @@ + + +

TRadioButton

+ + +

+TRadioButton is similar to TCheckBox in every aspect, except that TRadioButton displays a radio button on a Web page. The radio button can belong to a specific group specified by GroupName such that only one radio button within that group can be selected at most. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/SafeHtml.page b/demos/quickstart/protected/pages/Controls/SafeHtml.page new file mode 100644 index 00000000..16561672 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/SafeHtml.page @@ -0,0 +1,6 @@ + + +

TSafeHtml

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Standard.page b/demos/quickstart/protected/pages/Controls/Standard.page new file mode 100644 index 00000000..67cb2bc1 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Standard.page @@ -0,0 +1,120 @@ + + +

Standard Controls

+ + + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Statements.page b/demos/quickstart/protected/pages/Controls/Statements.page new file mode 100644 index 00000000..28f25791 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Statements.page @@ -0,0 +1,6 @@ + + +

TStatements

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Table.page b/demos/quickstart/protected/pages/Controls/Table.page new file mode 100644 index 00000000..75fa3fc1 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Table.page @@ -0,0 +1,11 @@ + + +

TTable

+ + +

+TTable displays an HTML table on a page. It is used together with TTableRow and TTableCell to allow programmatically manipulating HTML tables. The rows of the table is stored in Rows property. You may set the table cellspacing and cellpadding via the CellSpacing and CellPadding properties, respectively. The table caption can be specified via Caption whose alignment is specified by CaptionAlign. The GridLines property indicates how the table should display its borders, and the BackImageUrl allows the table to have a background image. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/TextBox.page b/demos/quickstart/protected/pages/Controls/TextBox.page new file mode 100644 index 00000000..64cb826a --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/TextBox.page @@ -0,0 +1,11 @@ + + +

TTextBox

+ + +

+TTextBox displays a text box on a Web page. The content in the text box is determined by the Text property. You can create a SingleLine, a MultiLine, or a Password text box by setting the TextMode property. The Rows and Columns properties specify their dimensions. If AutoPostBack is true, changing the content in the text box and then moving the focus out of it will cause postback action. +

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/TextHighlighter.page b/demos/quickstart/protected/pages/Controls/TextHighlighter.page new file mode 100644 index 00000000..8ef30c71 --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/TextHighlighter.page @@ -0,0 +1,6 @@ + + +

TTextHighlighter

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Controls/Wizard.page b/demos/quickstart/protected/pages/Controls/Wizard.page new file mode 100644 index 00000000..11fb4bfa --- /dev/null +++ b/demos/quickstart/protected/pages/Controls/Wizard.page @@ -0,0 +1,6 @@ + + +

TWizard

+ + +
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Security/Auth.page b/demos/quickstart/protected/pages/Security/Auth.page deleted file mode 100644 index ec876f54..00000000 --- a/demos/quickstart/protected/pages/Security/Auth.page +++ /dev/null @@ -1,92 +0,0 @@ - - -

Authentication and Authorization

-

-Authentication is a process of verifying whether someone is who he claims he is. It usually involves a username and a password, but may include any other methods of demonstrating identity, such as a smart card, fingerprints, etc. -

-

-Authorization is finding out if the person, once identified, is permitted to manipulate specific resources. This is usually determined by finding out if that person is of a particular role that has access to the resources. -

- -

How PRADO Auth Framework Works

-

-PRADO provides an extensible authentication/authorization framework. As described in application lifecycles, TApplication reserves several lifecycles for modules responsible for authentication and authorization. PRADO provides the TAuthManager module for such purposes. Developers can plug in their own auth modules easily. TAuthManager is designed to be used together with TUserManager module, which implements a read-only user database. -

-

-When a page request occurs, TAuthManager will try to restore user information from session. If no user information is found, the user is considered as an anonymous or guest user. To facilitate user identity verification, TAuthManager provides two commonly used methods: login() and logout(). A user is logged in (verified) if his username and password entries match a record in the user database managed by TUserManager. A user is logged out if his user information is cleared from session and he needs to re-login if he makes new page requests. -

-

-During Authorization application lifecycle, which occurs after Authentication lifecycle, TAuthManager will verify if the current user has access to the requested page according to a set of authorization rules. The authorization is role-based, i.e., a user has access to a page if 1) the page explicitly states that the user has access; 2) or the user is of a particular role that has access to the page. If the user does not have access to the page, TAuthManager will redirect user browser to the login page which is specified by LoginPage property. -

- -

Using PRADO Auth Framework

-

-To enable PRADO auth framework, add the TAuthManager module and TUserManager module to application configuration, -

- -<service id="page" class="TPageService"> - <modules> - <module id="auth" class="System.Security.TAuthManager" - UserManager="users" LoginPage="UserLogin" /> - <module id="users" class="System.Security.TUserManager" - PasswordMode="Clear"> - <user name="demo" password="demo" /> - <user name="admin" password="admin" /> - </module> - </modules> -</service> - -

-In the above, the UserManager property of TAuthManager is set to the users module which is TUserManager. Developers may replace it with a different user management module that is derived from TUserManager. -

-

-Authorization rules for pages are specified in page configurations as follows, -

- -<authorization> - <allow pages="PageID1,PageID2" - users="User1,User2" - roles="Role1" /> - <deny pages="PageID1,PageID2" - users="?" - verb="post" /> -</authorization> - -

-An authorization rule can be either an allow rule or a deny rule. Each rule consists of four optional properties: -

- - -

-When a page request is being processed, a list of authorization rules may be available. However, only the first effective rule matching the current user will render the authorization result. -

- -

-In the above example, anonymous users will be denied from posting to PageID1 and PageID2, while User1 and User2 and all users of role Role1 can access the two pages (in both get and post methods). -

- -

Using TUserManager

-

-As aforementioned, TUserManager implements a read-only user database. The user information are specified in either application configuration or an external XML file. -

-

-We have seen in the above example that two users are specified in the application configuration. Complete syntax of specifying the user and role information is as follows, -

- -<user name="demo" password="demo" roles="demo,admin" /> -<role name="admin" users="demo,demo2" /> - -

-where the roles attribute in user element is optional. User roles can be specified in either the user element or in a separate role element. -

-
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Security/Cookie.page b/demos/quickstart/protected/pages/Security/Cookie.page deleted file mode 100644 index 6e95e380..00000000 --- a/demos/quickstart/protected/pages/Security/Cookie.page +++ /dev/null @@ -1,42 +0,0 @@ - - -

Cookie Attack Prevention

-

-Protecting cookies from being attacked is of extreme important, as session IDs are commonly stored in cookies. If one gets hold of a session ID, he essentially owns all relevant session information. -

-

-There are several countermeasures to prevent cookies from being attacked. -

- -

-Prado implements a cookie validation scheme that prevents cookies from being modified. In particular, it does HMAC check for the cookie values if cookie validation is enable. -

-

-Cookie validation is disabled by default. To enable it, configure the THttpRequest module as follows, -

- - - - - -

-To make use of cookie validation scheme provided by Prado, you also need to retrieve cookies through the Cookies collection of THttpRequest by using the following PHP statements, -

- -foreach($this->Request->Cookies as $cookie) - // $cookie is of type THttpCookie - -

-To send cookie data encoded with validation information, create new THttpCookie objects and add them to the Cookies collection of THttpResponse, -

- -$cookie=new THttpCookie($name,$value); -$this->Response->Cookies[]=$cookie; - - -
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Security/ViewState.page b/demos/quickstart/protected/pages/Security/ViewState.page deleted file mode 100644 index 1b79c272..00000000 --- a/demos/quickstart/protected/pages/Security/ViewState.page +++ /dev/null @@ -1,26 +0,0 @@ - - -

Viewstate Protection

-

-Viewstate lies at the heart of PRADO. Viewstate represents data that can be used to restore pages to the state that is last seen by end users before making the current request. By default, PRADO uses hidden fields to store viewstate information. -

-

-It is extremely important to ensure that viewstate is not tampered by end users. Without protection, malicious users may inject harmful code into viewstate and unwanted instructions may be performed when page state is being restored on server side. -

-

-To prevent viewstate from being tampered, PRADO enforces viewstate HMAC (Keyed-Hashing for Message Authentication) check before restoring viewstate. Such a check can detect if the viewstate has been tampered or not by end users. Should the viewstate is modified, PRADO will stop restoring the viewstate and return an error message. -

-

-HMAC check requires a private key that should be secret to end users. Developers can either manually specify a key or let PRADO automatically generate a key. Manually specified key is useful when the application runs on a server farm. To do so, configure TSecurityManager in application configuration, -

- -<modules> - <module id="security" - class="TSecurityManager" - ValidationKey="my private key" /> -</modules> - -

-HMAC check does not prevent end users from reading the viewstate content. An added security measure is to encrypt the viewstate information so that end users cannot decipher it. To enable viewstate encryption, set the EnableStateEncryption of pages to true. This can be done in page configurations or in page code. Note, encrypting viewstate may degrade the application performance. A better strategy is to store viewstate on the server side, rather than the default hidden field. -

-
\ No newline at end of file diff --git a/demos/quickstart/protected/pages/Security/XSS.page b/demos/quickstart/protected/pages/Security/XSS.page deleted file mode 100644 index fedd2a38..00000000 --- a/demos/quickstart/protected/pages/Security/XSS.page +++ /dev/null @@ -1,13 +0,0 @@ - - -

Cross Site Scripting Prevention

-

-Cross site scripting (also known as XSS) occurs when a web application gathers malicious data from a user. Often attackers will inject JavaScript, VBScript, ActiveX, HTML, or Flash into a vulnerable application to fool other application users and gather data from them. For example, a poorly design forum system may display user input in forum posts without any checking. An attacker can then inject a piece of malicious JavaScript code into a post so that when other users read this post, the JavaScript runs unexpectedly on their computers. -

-

-One of the most important measures to prevent XSS attacks is to check user input before displaying them. One can do HTML-encoding with the user input to achieve this goal. However, in some situations, HTML-encoding may not be preferrable because it disables all HTML tags. -

-

-PRADO incorporates the work of SafeHTML and provides developers with a useful component called TSafeHtml. By enclosing content within a TSafeHtml component tag, the enclosed content are ensured to be safe to end users. In addition, the commonly used TTextBox has a SafeText property which contains user input that are ensured to be safe if displayed directly to end users. -

-
\ No newline at end of file -- cgit v1.2.3
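Review bot: In the deleted DataGrid2.page, the Custom Paging paragraph tells the reader to take NewPageIndex from the event parameter and use it to fetch a page of rows with a LIMIT clause, but never says that the value arrives from a client postback and has to be validated before it reaches SQL. Wherever this text is re-homed, add a sentence that the handler should cast NewPageIndex to an integer and clamp it to the range implied by VirtualItemCount and PageSize before building the query, and that the resulting offset should be bound as a parameter rather than concatenated into the statement. The pageIndexChanged sample shown a few lines earlier, which assigns $param->NewPageIndex to CurrentPageIndex without any check, would be the natural place to demonstrate that.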
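Review bot: In the new Label.page, the closing sentence "make sure it does not contain dangerous characters that you want to avoid" is too vague to act on. State that Text is rendered verbatim, so any value derived from user input must be HTML-encoded before it is assigned (or taken from the TTextBox SafeText property described in the XSS page), and that the same applies to the enclosed body content that is displayed when Text is empty. It would also help if the other new control pages (HyperLink, LinkButton, ImageButton, Panel with GroupingText) stated whether their Text-like properties are encoded on output; in this commit Label.page is the only one that addresses encoding at all.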
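Review bot: In the new LinkButton.page, the parenthesis opened at "(therefore, you can enclose a <img> tag within the button body and get an image button." is never closed; add the closing parenthesis before the full stop.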
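Review bot: In the new Panel.page, "a presentational container for other control" should read "other controls", and "you can ste GroupingText" should read "you can set GroupingText".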
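Review bot: In the new Table.page, "The rows of the table is stored in Rows property" should read "The rows of the table are stored in the Rows property".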
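Review bot: In the new TextBox.page, the paragraph covers TextMode, Rows, Columns and AutoPostBack but says nothing about SafeText, even though the deleted XSS.page presents TTextBox.SafeText as the property to use when user input is shown back to other users. Wherever the XSS material lands after this reorganization, the TTextBox page is where readers will look for it; add a sentence that Text holds the raw submitted value and that SafeText is the filtered form intended for redisplay.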
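Review bot: In the deleted Auth.page, the TAuthManager/TUserManager configuration example uses PasswordMode="Clear" with the credential pairs demo/demo and admin/admin, and the surrounding text never says that this mode stores and compares passwords in plaintext. When the page is recreated, state that Clear is for demonstration only and show, or at least name, a hashed PasswordMode for anything beyond a local demo; an admin/admin pair in a copy-pasteable snippet tends to survive into deployments.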
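Review bot: In the deleted Auth.page, the authorization section says only the first effective rule matching the current user decides the result, but it never states the outcome when no rule matches, and the sample lists the allow rule before the deny rule without explaining that order is significant. When this content returns, document the default (allow or deny) for an unmatched request and recommend closing the block with an explicit catch-all deny for pages that must not be reachable by anonymous users; as written, a reader may assume the deny users="?" verb="post" rule also blocks anonymous GET requests, which it does not.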
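Review bot: In the deleted Cookie.page, the opening paragraph frames the threat as someone getting hold of a session ID, but the countermeasure then described (an HMAC check on cookie values) only detects modification of a cookie and does nothing against disclosure or replay of a stolen one. When this page is rewritten, separate the two concerns: say plainly that cookie validation is an integrity check, and fill in the "several countermeasures" lead-in, whose list items do not appear in this hunk, with the measures that actually address theft, such as transport protection and restrictive cookie attributes.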
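Review bot: In the deleted ViewState.page, the TSecurityManager example sets ValidationKey="my private key" and the prose only says the key "should be secret to end users". When the page is recreated, say that the key must be long and randomly generated, should be kept out of configuration that is committed to version control, and must be identical on every host of the server farm the paragraph mentions. The EnableStateEncryption paragraph should also state whether the HMAC check remains in force when encryption is enabled, since encryption by itself does not detect tampering.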
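Review bot: In the deleted XSS.page, the last paragraph states that content enclosed in TSafeHtml is "ensured to be safe" and that TTextBox.SafeText is "ensured to be safe if displayed directly"; these are absolute guarantees that a filter-based approach cannot give. When this page is rewritten, describe TSafeHtml as a filter that removes or rewrites the constructs SafeHTML considers dangerous, keep HTML-encoding as the default recommendation (the second paragraph already says so), and present TSafeHtml as the option for the narrower case where users are genuinely permitted to submit markup.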