I don't know if this qualifies as evil, stupid, both, or neither, but here's a story. 

Many clients move at a very, shall we say, "measured" pace and don't take upgrading from Framework 1.0 to Framework 1.1 lightly.  We are very security focused here and JavaScript injection attacks are always a problem.  The client doesn't want to upgrade to ASP.NET 1.1 until later this year, but they want to make sure they are protected in some way against script attacks.

So, what to do?  Using Lutz's Reflector, Anakrino, and ILDASM I "examined" System.Web.CrossSiteScriptingValidation, HttpValidationException and others, and back-ported the equivalent of the ASP.NET @Page directive "validateInput = true" into a custom validateInput HttpModule.  I hook PreRequestHandlerExecute and quite happily detect scripting attacks in ASP.NET 1.0.

Again, may be evil, but felt so good.   When the site is upgraded to ASP.NET 1.1 later this year I'll just remove this line from the Web.config:

<httpModules>
    <add name="ValidateInput" type="Corillian.Web.ValidateInput,ValidateInputASPNET10" />
</httpModules>

A couple of interesting questions came up, one of which was...

A while loop is expanded when compiled to IL, and the decompiled C# equivalent looks something like this:

goto L_0045;
L_0040:
    index = (index + 1);
L_0045:
    if (index >= len)
    {
        goto L_005E;
    }
    if (CrossSiteScriptingValidation.IsAtoZ(s[index]))
    {
        goto L_0040;
    }
L_005E:

Should I (for tidying up's sake) roll it back up to something like this:

// Programmer intent: look for non-alphas...
while (index < len)
{
    if (!CrossSiteScriptingValidation.IsAtoZ(s[index]))
        break;
    index++;
}

or just leave well-enough (and well-equivalent) alone?  Remembering that this is a so very temporary and marginally not cool thing to do, perhaps it's best to let sleeping dogs lie.
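As an added illustration (not the module from the post, which isn't published here), this is the shape such a validateInput module could take: the class and namespace match the Web.config entry above, the scan is written in the rolled-up loop form rather than the decompiled gotos, and the detection heuristic is my own assumption, not the System.Web 1.1 internals.

```csharp
using System;
using System.Collections.Specialized;
using System.Web;
namespace Corillian.Web
{
    // Hypothetical validateInput module for ASP.NET 1.0; not the author's code.
    public class ValidateInput : IHttpModule
    {
        public void Init(HttpApplication app)
        {
            // Run before the page handler so the request never reaches the page unchecked.
            app.PreRequestHandlerExecute += new EventHandler(OnPreRequestHandlerExecute);
        }
        public void Dispose() { }

        private void OnPreRequestHandlerExecute(object sender, EventArgs e)
        {
            HttpRequest request = ((HttpApplication)sender).Request;
            CheckCollection("Request.QueryString", request.QueryString);
            CheckCollection("Request.Form", request.Form);
        }

        private static void CheckCollection(string source, NameValueCollection values)
        {
            foreach (string key in values.AllKeys)
            {
                string value = values[key];
                if (value != null && IsDangerousString(value))
                    throw new HttpException(400, "A potentially dangerous value was detected in " + source + " (" + key + ").");
            }
        }

        // Assumed heuristic (not copied from System.Web): '<' followed by a letter, '/', '!' or '?'
        // looks like markup, and '&#' looks like an encoded character reference.
        public static bool IsDangerousString(string s)
        {
            int len = s.Length;
            for (int index = 0; index + 1 < len; index++)
            {
                char c = s[index], next = s[index + 1];
                if (c == '<' && (IsAtoZ(next) || next == '/' || next == '!' || next == '?')) return true;
                if (c == '&' && next == '#') return true;
            }
            return false;
        }

        static bool IsAtoZ(char c) { return (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z'); }
    }
}
```

Registered through the httpModules entry above, every query string and form value is checked once per request, and a rejected request surfaces as an HTTP 400 rather than reaching the page.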



.Common - beat poetry

Posted 2003-08-07 11:03 AM in Musings.

I performed my new beat poem ". <dot> Common" at the LuvJonz last night around 10:30pm to a smoke filled room of very supportive and jazzy people at Ohm

(By the way, The Ohm is now the new home of Johnny Ray's Grill.  I spoke with Johnny Ray briefly, and he's got some fantastic beef brisket for like $2.  He'll be open 24 hours on the weekends, so you just gotta get down there and get some grub.)

Anyway, it was a blast, and I hope to be down there more often.  It's a different vibe than Standup, and a very different vibe than C# and PowerPoint. (Although, not that different if you've ever seen one of my presentations!)



I will be there with Managed Bells on...

Posted 2003-08-07 10:57 AM in Web Services | TechEd | Speaking | PDC.

I shall be there.  I'm really looking forward to this one.  TechEd is fun, but PDC is the social and technical event of any season.




using System;
namespace Corillian.Testing
{
      class PrivateClass
      {
            public string Name;
            public int    Age;
            private PrivateClass()
            {
                  Name = "not initialized";
                  Age = 0;
            }
      }

      class Test
      {
            static void Main(string[] args)
            {
                  // The following statement will not compile, as the constructor is private:
                  // PrivateClass newpTest = new PrivateClass();
                  // But you can create the object through the serialization infrastructure,
                  // which bypasses the constructor entirely (Name stays null and Age stays 0
                  // until assigned below).
                  PrivateClass ptest = (PrivateClass)System.Runtime.Serialization.FormatterServices.GetUninitializedObject( typeof(PrivateClass) );
                  ptest.Name = "Scott";
                  ptest.Age = 0x1D;

                  Console.WriteLine( String.Format("{0} {1}", ptest.Name, ptest.Age) );
            }
      }
}



Converting to a DateTime from time_t

Posted 2003-08-05 07:05 AM in .

Oo! Good stuff…I need a copy for myself…

This code just went by an internal alias and I thought I’d record it here.

public static DateTime Time_T2DateTime(uint time_t)
{
    long win32FileTime = 10000000*(long)time_t + 116444736000000000;
    return DateTime.FromFileTimeUtc(win32FileTime);
}

[Brad Abrams]



