I’m excited to announce the June 2012 release of the Ajax Control Toolkit. You can download the new release by visiting http://AjaxControlToolkit.CodePlex.com or (better) download the new release with NuGet:
Install-Package AjaxControlToolkit
The Ajax Control Toolkit continues to be super popular. The previous release (May 2012) had over 87,000 downloads from CodePlex.com and over 16,000 downloads from NuGet. That’s over 100,000 downloads in less than 2 months.
Security Improvements for the HtmlEditorExtender
Unfortunately, in the previous release, we made the HtmlEditorExtender too secure! We upgraded the version of the Microsoft Anti-Cross Site Scripting Library included in the Ajax Control Toolkit to the latest version (version 4.2.1) and the latest version turned out to be way too aggressive about stripping HTML. It not only strips dangerous tags such as <script> tags, it also strips innocent tags such as <b> tags.
When the latest version of the Microsoft Anti-Cross Site Scripting Library is used with the HtmlEditorExtender, the library strips all rich content from the HtmlEditorExtender control which defeats the purpose of using the control.
Therefore, we had to find a replacement for the Microsoft Anti-Cross Site Scripting Library. In this release, we’ve created a new HTML sanitizer built on the HTML Agility Pack. If you were using the AntiXssSanitizerProvider then you will need to substitute the HtmlAgilityPackSanitizerProvider. In particular, you need to modify the sanitizer sections in your Web.config file like this:
<configuration>
  <configSections>
    <sectionGroup name="system.web">
      <section name="sanitizer"
               requirePermission="false"
               type="AjaxControlToolkit.Sanitizer.ProviderSanitizerSection, AjaxControlToolkit" />
    </sectionGroup>
  </configSections>
  <system.web>
    <sanitizer defaultProvider="HtmlAgilityPackSanitizerProvider">
      <providers>
        <add name="HtmlAgilityPackSanitizerProvider"
             type="AjaxControlToolkit.Sanitizer.HtmlAgilityPackSanitizerProvider"></add>
      </providers>
    </sanitizer>
  </system.web>
</configuration>
We made one other backwards-breaking change to improve the security of the HtmlEditorExtender. We want to make sure that users don’t accidentally use the HtmlEditorExtender without an HTML sanitizer. Therefore, if you don’t configure an HTML sanitizer provider in the web.config file, you’ll get the following error:
If you really want to use the HtmlEditorExtender without using an HTML sanitizer – for example, you are using the HtmlEditorExtender for an Intranet application and you trust all of your fellow employees – then you can explicitly indicate that you don’t want to enable HTML sanitization by setting the EnableSanitization property to false like this:
<ajaxToolkit:HtmlEditorExtender TargetControlID="txtComments" EnableSanitization="false" runat="server" />
Please don’t ever set the EnableSanitization property to false for a public website. If you disable HTML sanitization then you are making your website an easy target for Cross-Site Scripting attacks.
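To make the allow-list policy described above concrete, here is an added example (not the toolkit’s HtmlAgilityPackSanitizerProvider and not based on its source) of a sanitizer written in Python on top of the standard library’s html.parser. Tags not on the list are dropped while their text is kept, script-like elements are dropped together with their content, event-handler attributes are removed, and href values are checked for a safe scheme. The tag and attribute lists, the list of safe URL schemes and the sample inputs are all constructed for this example and are not the toolkit’s actual lists.

```python
"""Allow-list HTML sanitizer (added example; not the Ajax Control Toolkit's code)."""
import re
from html import escape
from html.parser import HTMLParser

# Constructed allow-list: tag -> attributes permitted on that tag.
# Anything not listed is dropped; its text content is kept.
ALLOWED_TAGS = {
    "b": set(), "i": set(), "u": set(), "strong": set(), "em": set(),
    "p": set(), "br": set(), "ul": set(), "ol": set(), "li": set(),
    "a": {"href"}, "span": {"style"},
}
VOID_TAGS = {"br"}
# Elements whose content is dropped along with the tag itself.
DROP_WITH_CONTENT = {"script", "style", "iframe", "object", "embed"}
SAFE_URL_SCHEMES = {"http", "https", "mailto"}  # constructed list
SCHEME_RE = re.compile(r"^([a-zA-Z][a-zA-Z0-9+.-]*):")
# Conservative shape for inline CSS: "prop: value; prop: value" with no
# parentheses or colons inside values, which rules out url(), expression()
# and javascript: tricks.
STYLE_RE = re.compile(r"(\s*[a-z-]+\s*:\s*[\w\s#,.%-]+;?)*\s*")


def safe_url(value):
    """Return a cleaned URL if its scheme is allowed (or it is relative), else None."""
    if value is None:
        return None
    # Browsers ignore tabs/newlines inside URLs ("java\tscript:"), so strip
    # control characters before looking at the scheme.
    cleaned = "".join(ch for ch in value if ord(ch) > 0x20)
    match = SCHEME_RE.match(cleaned)
    if match and match.group(1).lower() not in SAFE_URL_SCHEMES:
        return None
    return cleaned


def safe_style(value):
    return value is not None and STYLE_RE.fullmatch(value) is not None


class AllowListSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.skip_depth = 0   # > 0 while inside a drop-with-content element
        self.open_tags = []   # tags already emitted that still need closing

    def handle_starttag(self, tag, attrs):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth += 1
            return
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = 1
            return
        if tag not in ALLOWED_TAGS:
            return  # unknown tag: drop the tag, keep its text
        kept = []
        for name, value in attrs:
            if name not in ALLOWED_TAGS[tag]:
                continue  # drops onclick=, onerror=, src=, ...
            if name == "href":
                value = safe_url(value)
            elif name == "style":
                value = value if safe_style(value) else None
            if value is None:
                continue
            kept.append(' %s="%s"' % (name, escape(value, quote=True)))
        self.out.append("<%s%s>" % (tag, "".join(kept)))
        if tag not in VOID_TAGS:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if self.skip_depth:
            if tag in DROP_WITH_CONTENT:
                self.skip_depth -= 1
            return
        if tag in self.open_tags:
            # Close everything opened after the matching tag, then the tag
            # itself, so the output is always well nested.
            while self.open_tags:
                closed = self.open_tags.pop()
                self.out.append("</%s>" % closed)
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data, quote=False))

    def handle_comment(self, data):
        pass  # comments (including conditional comments) are dropped

    def result(self):
        while self.open_tags:
            self.out.append("</%s>" % self.open_tags.pop())
        return "".join(self.out)


def sanitize(fragment):
    """Return an allow-listed version of an HTML fragment."""
    parser = AllowListSanitizer()
    parser.feed(fragment)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # Constructed sample inputs: rich text survives, script and handlers do not.
    for sample in (
        "<b>bold</b> and <script>alert(1)</script> text",
        '<a href="javascript:alert(1)" onclick="x()">click</a>',
        '<p onmouseover="evil()">para <img src=x onerror=alert(1)> end</p>',
    ):
        print(sanitize(sample))
```

The point of the design is the one the post makes: the sanitizer decides what to keep, never what to remove, so `<b>` survives because it is listed and `<script>` is dropped because it is not, and the same rule applies to attributes and to attribute values such as link schemes.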
Lots of Fixes for the ComboBox Control
In the latest release, we also made several important bug fixes and feature enhancements to the ComboBox control. Here’s the list of issues that we fixed:
- 22930 — ComboBox doesn’t close its drop down list when losing input focus to another ComboBox control
- 23140 — ComboBox Issues – Delete, Backspace, Period
- 23142 — ComboxBox SelectedIndex = -1 does not clear text
- 24440 — ComboBox postback on enter
- 25295 — ComboBox problems when container is hidden at page load
- 25469 — ComboBox – MaxLength ignored
- 26686 — Backspace and Delete exception when optionList is null
- 27148 — Combobox breaks if ClientIDMode is static
Fixes to Other Controls
In this release, we also made bug fixes and enhancements to the UpdatePanelAnimation, Tabs, and Seadragon controls:
- 21310 — OnUpdated animation starts before OnUpdating has finished
- 26690 — Seadragon Control’s openTileSource() method doesn’t work (with fix)
We also fixed an issue with the Tabs control which would result in an InvalidOperation exception.
Summary
I want to thank the Superexpert team for the hard work that they put into this release. In particular, I want to thank them for their effort in researching, building, and writing unit tests for the HtmlAgilityPack HTML sanitizer.
Hi,
We had a problem with the AjaxFileUpload control! Suppose you have two AjaxFileUpload controls on a page, with two different OnUploadComplete events! It always hits a single event handler! Can you please check it!
Thanks,
Roopesh Reddy C
Hi Roopesh, can you please file an issue for this at http://ajaxcontroltoolkit.codeplex.com/workitem/list/basic — that way, we can track the issue.
Thanks,
Stephen
I can get the HTMLEditorExtender to work fine on a regular page, but I am unable to get it to work within the EditItemTemplate or InsertItemTemplate in a DetailsView. The control does not render or operate correctly. Is this supported? If so, what do I need to do to get this to work?
Thanks!
Hi Michael,
It should work, but there might be a bug. Please file an issue here: http://ajaxcontroltoolkit.codeplex.com/workitem/list/basic
— Stephen
Ajax tool kit is far inferior to JQuery. It is so inferior that Microsoft who made it dumped it. Rather than nurse this hag or encouraging developers to nurse the code they build with it and want to maintain for decades, it is better to create tutorial to help people move to JQuery. At a certain point a technology is dead and helping people nurse it is a waste.
Hi Ben,
I’m a big fan of jQuery — in fact, I worked with the jQuery team while I worked at Microsoft. My company uses jQuery (and Knockout) heavily in several projects which we are currently developing.
That said, not everyone wants to develop in JavaScript. One of the benefits of using ASP.NET Web Forms is that the framework shields developers from needing to work directly with HTML/JavaScript. ASP.NET Web Forms, unlike ASP.NET MVC, enables you to work at a higher level of abstraction.
There are still a huge number of developers using the Ajax Control Toolkit as evidenced by the download numbers. The last release had over 100,000 downloads in less than 2 months.
— Stephen
Hi,
I like the latest AjaxFileUpload control and am pretty happy to use it. But I have a big concern regarding multi-language support: when I changed the language from English to French, the language of the calendar changed to French and it displayed the French format, but the AjaxFileUpload control was still in English and displayed English labels. So my question is, will the AjaxFileUpload control support multiple languages or not?
Thanks,
Michael
I saw a resource file that already defines the key AjaxFileUpload_SelectFile in the English version, but in the French resource file those keys aren’t defined yet. So how can I add those resources to the French version?
Thanks,
Michael
The client French resource file is located at AjaxControlToolkit\Client\MicrosoftAjax.Extended\ScriptResources\ScriptResource.fr.resx — you should be able to add the key/value to this file. If that does not work then please file an issue at http://AjaxControlToolkit.CodePlex.com
That means I have to recompile the AjaxToolKit myself, right? And use this new dll instead of the original dll.
Thanks,
Michael
Actually, it works. I added the keys and values to the French resource, compiled the dll and referenced the new dll; after changing the language to French, I saw French.
Thank you so much,
Michael
Hi Stephen,
I think this is a defect: it doesn’t postback when you enter a string which doesn’t exist in the list. If you enter a string that exists in the list, the control will postback and fire the selectedindexchange and textchange events.
Thanks,
Michael
Has anyone noticed that the new Sanitation provider strips out tags from the html code?
Hi Veronica,
That’s intentional — if a tag is not on a white list (in other words, not needed by an HtmlEditorExtender button) then it gets stripped. We want to do everything that we can to prevent Cross-Site Scripting attacks so we need to limit the types of tags, attributes, and attribute values which you are allowed to use. If you set the HtmlEditorExtender property EnableSanitization="false" then no stripping occurs — but then you open yourself up to Cross-Site Scripting attacks.
Ha. It stripped my tag. It strips line break i.e. tags
Hi Stephen,
Thank you for this article. I have two questions regarding sanitization.
1. The latest release of Microsoft Anti-Cross Site Scripting Library (v4.2.1) is essentially broken with respect to HTML sanitization. Many people are complaining about the release and the project contributors seem to have gone quiet on the subject. I wondered if you have any insight into what is happening?
2. Because this is causing me major problems I would like to leverage the HtmlAgilityPackSanitizerProvider directly for my HTML sanitization requirements. Are you able to comment on the suitability of this and perhaps provide some documentation on the SanitizationProvider.GetSafeHtmlFragment method? I believe I can get a reference to the SanitizationProvider implementation using the following code.
using System.Web.Configuration;    // WebConfigurationManager, ProvidersHelper
using AjaxControlToolkit.Sanitizer; // the namespace of the types referenced in the Web.config sanitizer section

// Read the <system.web><sanitizer> section, instantiate the configured
// providers, and pick the one named by defaultProvider.
var config = (ProviderSanitizerSection)WebConfigurationManager.GetSection("system.web/sanitizer");
var providers = new SanitizerProviderCollection();
ProvidersHelper.InstantiateProviders(config.Providers, providers, typeof(SanitizerProvider));
SanitizerProvider provider = providers[config.DefaultProvider];
Thanks,
Matt
Hi Matt,
I’ve talked to the contributors for the Anti-Cross Site Scripting Library and I know they are very aware of the problem. I can’t provide any insight into their plans.
The code for the Ajax Control Toolkit HTML sanitizer (based on the HTML Agility Pack) is located here:
http://ajaxcontroltoolkit.codeplex.com/SourceControl/changeset/view/1014bf767f65#Server%2fSanitizerProviders%2fHtmlAgilityPackSanitizerProvider.cs
We’ve included our unit tests for the sanitizer with the Ajax Control Toolkit source:
http://ajaxcontroltoolkit.codeplex.com/SourceControl/changeset/view/1014bf767f65#Server%2fTests%2fUnitTests%2fHtmlAgilityPackSanitizerTests%2fHtmlAgilityPackSanitizerProviderTest.cs
We can’t make any guarantees here about our sanitization provider. There are a frightening number of different types of XSS attacks. The best we can do is update our sanitization provider when new types of XSS attacks are discovered.
— Stephen
Hi Stephen,
I got a very strange issue. Our application is behind Microsoft IAG 2007 (Intelligent Application Gateway). The users log in to IAG to access our applications. The issue is that when uploading a file using the new AjaxFileUpload control, the session is always reset to a new session, meaning all sessions are gone when uploading a file. It works on my local machine, but doesn’t work in IAG.
Any idea?
Thanks,
Michael