Friday, December 4, 2015

Debugging return values in C#


I found an extremely helpful feature in Visual Studio 2013: showing the value that is returned by a function.

public bool CheckExists(string itemId)
{
   return ItemList.Exists(item => item.ItemId == itemId);
} // <- breakpoint

With the debugger it is hard to find out whether the itemId is in the list or not (if the list has thousands of entries), but as shown in the link it is possible to get this value through the "Autos" window or the Immediate window in Visual Studio while having a breakpoint on the "}" in line 4. The good news is that it even works with "$ReturnValue" in the Watch window; on the other hand, it seems not to work properly for every use case (with all of the solutions introduced above). I'm pretty sure that this is reasonable if we have a look at the disassembly, but that is out of scope here.
kind regards,

Wednesday, December 2, 2015

JavaScript functions in HTML elements


I was wondering today about the following possibility to declare functions in HTML:

<div id="divid">content</div>

<a href="#" onClick="document.getElementById('divid').setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');" >attack 1</a>
<a href="#" onClick="
var x = function() {
 document.getElementById('divid').setAttribute('style', 'font-weight: bold; color: red; font-size:150%;');
};
x();
" >attack 2</a>

Both versions of the link are really scary... (tested in Chrome).

So even here, in server-generated code, HTML encoding must be considered to prevent XSS attacks.

kind regards,
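
The HTML-encoding point above, as an added example that is not part of the original post: a server-side template that writes a value into the markup unencoded, next to the encoded version, with a small check that lists the `on*` attributes the browser would see. The function names and the sample label are constructed for illustration.

```javascript
// Added example: names and the sample input are constructed, not from the post.

// Encode the characters that are significant in HTML text and quoted attributes.
function htmlEncode(value) {
  return String(value)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Before: the server concatenates the label into the markup unencoded.
function renderUnsafe(label) {
  return '<a href="#" title="' + label + '">' + label + "</a>";
}

// After: the same template with every interpolated value HTML-encoded.
function renderSafe(label) {
  const encoded = htmlEncode(label);
  return '<a href="#" title="' + encoded + '">' + encoded + "</a>";
}

// Check for tests and review: names of the on* attributes in the first tag.
// Simplified scan for double-quoted attributes; not a full HTML parser.
function eventHandlerAttributes(markup) {
  const firstTag = markup.slice(0, markup.indexOf(">") + 1);
  const attribute = /([^\s"'=<>\/]+)\s*=\s*"([^"]*)"/g;
  return [...firstTag.matchAll(attribute)]
    .map((match) => match[1].toLowerCase())
    .filter((name) => name.startsWith("on"));
}

// Constructed label that reuses the handler code shown in the post.
const SAMPLE_LABEL =
  "x\" onClick=\"document.getElementById('divid').setAttribute('style', 'color: red;')";

console.log(eventHandlerAttributes(renderUnsafe(SAMPLE_LABEL))); // [ 'onclick' ]
console.log(eventHandlerAttributes(renderSafe(SAMPLE_LABEL))); // []
```

HTML encoding covers the HTML context only: a value written inside an inline handler's script also needs JavaScript string escaping, because the browser decodes the entities in the attribute before it runs the handler.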