I recently faced an interesting customer scenario. The customer had several document libraries in MOSS 2007. The documents in the library contained links that were all hard coded and they had recently changed the URL of their SharePoint site. Therefore, when a user would try to click a link in the document that linked to another document, the user would receive a 404 error. Yes, there are ways to solve this using re-directs and other mechanisms, but the customer was actually interested in trying to determine which links in which documents were actually broken.
The challenge with this is that SharePoint does not index the links inside of Word documents, so there was no straightforward way to use the native SharePoint search interface to find the mangled links.
Instead, I wrote a client that would allow the customer to specify their SharePoint site and the particular text of the link they are interested in searching for. From there, I use the SharePoint Lists.asmx service to search through each list in the site, determine if the list is a Document Library, search for .doc and .docx files in the library, then search the content of each file. The application also supports searching sub folders inside of the Document Library.
Here is a link to the solution.
Researchers at eEye Digital Security have pinpointed two high-risk vulnerabilities in iTunes and QuickTime that could put millions of Windows and Mac users at risk of code execution attacks.
http://www.eweek.com/article2/0,1895,1936596,00.asp
Microsoft just released its first version of the Anti-Cross Site Scripting Library V1.0.
Irena Kennedy briefly blogged about the differences between the System.Web.HttpUtility.HtmlEncode and the HtmlEncode function found in the XSS library. I want to examine this a bit further. Using Lutz Roeder's Reflector, let's crack open each method and look at the specific differences.
The HttpUtility.HtmlEncode(string) method internally calls the HtmlEncode(string, TextWriter) overload. That method is shown below:

    public static unsafe void HtmlEncode(string s, TextWriter output)
    {
        if (s != null)
        {
            // Index of the first character that needs encoding, or -1 if none.
            int num1 = HttpUtility.IndexOfHtmlEncodingChars(s, 0);
            if (num1 == -1)
            {
                output.Write(s);
            }
            else
            {
                int num2 = s.Length - num1;
                fixed (char* local1 = s)
                {
                    char* chPtr1 = local1;
                    char* chPtr2 = chPtr1;
                    // Copy the leading run that needs no encoding.
                    while (num1-- > 0)
                    {
                        output.Write(chPtr2[0]);
                        chPtr2++;
                    }
                    // Encode the remainder one character at a time.
                    while (num2-- > 0)
                    {
                        char ch1 = chPtr2[0];
                        chPtr2++;
                        if (ch1 > '>')
                        {
                            goto Label_00C4;
                        }
                        char ch2 = ch1;
                        if (ch2 != '"')
                        {
                            if (ch2 == '&')
                            {
                                goto Label_00AD;
                            }
                            switch (ch2)
                            {
                                case '<':
                                {
                                    output.Write("&lt;");
                                    continue;
                                }
                                case '=':
                                {
                                    goto Label_00BA;
                                }
                                case '>':
                                {
                                    output.Write("&gt;");
                                    continue;
                                }
                            }
                            goto Label_00BA;
                        }
                        output.Write("&quot;");
                        continue;
                    Label_00AD:
                        output.Write("&amp;");
                        continue;
                    Label_00BA:
                        output.Write(ch1);
                        continue;
                    Label_00C4:
                        // Characters 160 through 255 become numeric entities.
                        if ((ch1 >= '\x00a0') && (ch1 < '\x0100'))
                        {
                            output.Write("&#");
                            int num3 = ch1;
                            output.Write(num3.ToString(NumberFormatInfo.InvariantInfo));
                            output.Write(';');
                            continue;
                        }
                        output.Write(ch1);
                    }
                }
            }
        }
    }

As you can see, the function essentially replaces angle brackets, double quotes, ampersands, and the characters from 160 through 255, and not much else. Everything else, including the single quote, is written out unchanged.
Now let's take a look at what the AntiXSSLibrary.HtmlEncode(string) method looks like:

    public static string HtmlEncode(string s)
    {
        if (s == null)
        {
            return string.Empty;
        }
        StringBuilder builder1 = new StringBuilder(string.Empty, s.Length * 2);
        string text1 = s;
        for (int num1 = 0; num1 < text1.Length; num1++)
        {
            char ch1 = text1[num1];
            // Allowed as-is: a-z, A-Z, space, 0-9, '.', ',', '-', '_'
            if ((((ch1 > '`') && (ch1 < '{')) || ((ch1 > '@') && (ch1 < '['))) ||
                (((ch1 == ' ') || ((ch1 > '/') && (ch1 < ':'))) ||
                 (((ch1 == '.') || (ch1 == ',')) || ((ch1 == '-') || (ch1 == '_')))))
            {
                builder1.Append(ch1);
            }
            else
            {
                // Everything else is written as a decimal numeric entity.
                int num2 = ch1;
                builder1.Append("&#" + num2.ToString() + ";");
            }
        }
        return builder1.ToString();
    }

A few things to note here. The first is that this method is MUCH more compact than its cousin. The second is that this method only ALLOWS certain characters to be present in the text: letters, digits, space, period, comma, hyphen, and underscore. Every other character is written out as a numeric entity.
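To make the difference concrete, here is a small console program that ports the logic of both methods and lists which ASCII punctuation each one lets through. This is an example added here, not code from either library; the class and method names (EncoderComparison, BlacklistEncode, WhitelistEncode, PassedThrough) and the sample value are my own.

```csharp
using System;
using System.Linq;
using System.Text;

static class EncoderComparison
{
    // Port of the HttpUtility logic above: encode < > " & and 160-255, pass the rest.
    static string BlacklistEncode(string s)
    {
        var sb = new StringBuilder();
        foreach (char ch in s)
        {
            if (ch == '<') sb.Append("&lt;");
            else if (ch == '>') sb.Append("&gt;");
            else if (ch == '"') sb.Append("&quot;");
            else if (ch == '&') sb.Append("&amp;");
            else if (ch >= 160 && ch < 256) sb.Append("&#" + (int)ch + ";");
            else sb.Append(ch);
        }
        return sb.ToString();
    }

    // Port of the Anti-XSS logic above: pass a-z A-Z 0-9 space . , - _ and encode the rest.
    static string WhitelistEncode(string s)
    {
        var sb = new StringBuilder();
        foreach (char ch in s)
        {
            bool safe = (ch >= 'a' && ch <= 'z') || (ch >= 'A' && ch <= 'Z') ||
                        (ch >= '0' && ch <= '9') || " .,-_".IndexOf(ch) >= 0;
            if (safe) sb.Append(ch); else sb.Append("&#" + (int)ch + ";");
        }
        return sb.ToString();
    }

    // Printable ASCII punctuation (0x20-0x7E) that an encoder returns unchanged.
    static string PassedThrough(Func<string, string> encode)
    {
        var punct = Enumerable.Range(0x20, 0x5F).Select(i => (char)i)
                              .Where(c => !char.IsLetterOrDigit(c));
        return new string(punct.Where(c => encode(c.ToString()) == c.ToString()).ToArray());
    }

    static void Main()
    {
        Console.WriteLine("HttpUtility-style passes: " + PassedThrough(BlacklistEncode));
        Console.WriteLine("Anti-XSS-style passes:    " + PassedThrough(WhitelistEncode));
        string value = "x' title='y"; // constructed sample for a single-quoted attribute
        Console.WriteLine("<input value='" + BlacklistEncode(value) + "'>");
        Console.WriteLine("<input value='" + WhitelistEncode(value) + "'>");
    }
}
```

The last two lines show why the allow-list matters when output lands inside a single-quoted attribute: the first encoder leaves the quote in place, so the value can close the attribute, while the second turns it into a numeric entity.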
Ron Jacobs just posted a new Architecture Wiki on Channel 9. Right now it's got some info on Smart Clients, and SOA. Looks promising.
There are a lot of RSS aggregators out there. A quick search on the internet and you'll see ones from Google, Newsgator, etc. But I wanted to have everything in one place: Outlook. I get my work e-mail, my MSN e-mail, and now all of my RSS feeds in Outlook as well, so I can stay in one client for everything and don't have to jump around a lot. I found Attensa for Outlook from the startup company Attensa. Right now it's in beta and works pretty well. It's got an easy interface from both within Outlook and within IE to be able to add new feeds. Right now the product is free. I've seen talk about making it like $20 once it goes live, but that's all speculation.