I'm using SSRS Action -> Go To Url like this:
="javascript:void(window.open('http://xxx/xxx/Pages/ReportViewer.aspx?%2fDevelopment%2fReport&rs:Command=Render&Parameter="& Parameters!Parameter.Value &"'))"
generated link should be:
http://xxx/xx/Pages/ReportViewer.aspx?/Development/Report&rs:Command=Render&Parameter=Úxxx
I need to somehow escape special characters with diacritics like character 'Ú' in example above. Without escaping this character the above link is broken.
Thanks for you help.
You need to URL encode your parameter, however referencing System.Web (as many suggest) is problematic, since later versions of the Reporting Services designer seem to run in a partial trust context, and System.Web does not have APTCA.
Instead, in later framework versions you have the choice of using System.Uri.EscapeDataString or System.Net.WebUtility
See SO question How do you UrlEncode without using System.Web? for examples of both, neither of which require full trust
You need to add Url encoding to your outgoing parameters. This article explains how to reference the library in the report and user UrlEncode() to process your parameters.
Related
While moving a website - that I did not build - I have run into the use of %3F.
%3F is the percent-encoded version of ?.
It seems to be used like this a lot:
Example
when linking to a file named example_lang=1.html.
So, I replaced %3F with _, and all works again.
I am missing something here. The old website worked. After being moved, it no longer worked. After the replacement of %3F to _, the links worked again. Why?
First, you should elaborate your question to understand it better after all If I understood it correctly then this might be the answer.
"_" is not a reserved URI character.
As you said that %3F is reserved for "?" then you are absolutely right but if you read the documentation written on wiki states that "_"(underscore) is not a reserved URI character.
So that for example if the URL for a web page is "example_test.html" then its encoded URL must be "example_test.html" if there is not any mechanism applied on that URL. Now I will take an another example of PHP based web page that may answer your question.
In PHP there is a function "str_replace" that is used to replace the string by programmer defined characters or string.
Let assume that I have a page named "example_test.html" and for some xyz reasons I want to change it to "example%3Ftest.html" then I can use
str_replace("%3F","_","<a href='example%3Ftest.html'>Example Test</a>");
This function will search for all occurences of "%3F" and replace it with "_" in provided string(here "href=example%3Ftest.html") and output as "href='example_test.html" which is the actual link for my file.
I am trying to use SSRS URL access to send parameters to a SSRS report.
The most recommended approach online was to use following syntax:
http://Server1/ReportServer?http://server1/sites/Test/Reports/YearlyTrend.rdl&rs:command=render¶meter1=Value1¶meter2=value2
The above works except in cases where parameter values contains special characters for example:
one of my parameters (pOrganization) is:
[Organization].[Hierarchy - Department].[Organization].&[Corporate]&[Support]&[Vancouver]
This does not work because it contains many special characters.
I tried to use HTML encoding for & and [ using %26 and %5B but it still doesn't work.
I would greatly appreciate if anyone can help me solve this mystery, or correct my syntax. Thanks.
Thanks to #alejandroZuleta, I was able to fix this issue by using UrlEncode function available within .Net library.
Step by Step details can be found here: http://capstonebi.blogspot.com.co/2010/04/url-encoding-in-reporting-services.html
What is the difference between name.html.erb vs name.erb?
In particular, are there any reasons why name.erb could be bad to use?
I understand that name.html.erb is the convention - this indicates a HTML template and ERB Engine. But I can't find information if are there any reasons not to use name.html.erb, but name.erb instead.
My new workplace asks me to use name.erb, so I want to know: might there be any problems with this?
In short, no, there won't be any problems. Erb files simply output text. In many cases the file extension is ignored by the reading app as the reading app reads/interprets the containing text and its syntax validity. As #taglia suggests, the file extensions are mostly a 'hint' for you and may also be used by the OS to select a default app to open the file with. See here for a more thorough explanation: Output Type for an ERB File
Rails convention dictates template files to include the extension of the output type and the name of the file should end with the .erb extension. As you mentioned, name.html.erb indicates an HTML template and ERB extension that allows any instance variables in your controller's index action to get passed into the template and used. Similarly, name.js.erb indicates a JavaScript template. See here under 'Conventions or Template Files': An Introduction to ERB Templating
ERB is just a templating language, it is not limited to HTML (you could have name.txt.erb, or name.js.erb). Removing html from the name is just going to make your life more difficult (assuming it works), because you won't be able to know what file you are dealing with unless you open it.
I am using POEdit for translations in a web application.
However, when I start POEdit I can't find any sources when I run 'Catalog > Update from Sources'. I only have .CSHTML-Files where the texts need to be translated.
What I've already tried:
Set the source path in Catalog > Properties and the charset to
'UTF-8'.
Added additional keyword ("[[[w+]]]") for matching words in my files (the words to translate always have the following form: [[[wordToTranslate]]]
Added a cshtml-extractor (In File > Settings > Extractor). When I did this, the following error message appeared: "warning: unterminated string constant". Warning: ')' found where '}' was expected.
Browsing the web without finding any clue of how to include cshtml-files.
Any hints are appreciated.
Any solutions are MUCH appreciated. :-)
Added additional keyword ("[[[w+]]]") for matching words in my files
I don’t know why you assume the keyword values are regexes of all things; they are not. The GNU gettext manual makes it clear what “keyword” is in the gettext context: name of the function used to call gettext with translatable string literals as the argument.
Added a cshtml-extractor
You get errors coming from this, it would be reasonable to assume that’s the problem. Because you gloss over this crucial step and don’t reveal the details of how you configured it, it’s impossible to give you a concrete answer (not without a crystal ball, anyway).
So I can only make an educated guess: if you didn’t actually add a proper extractor that understands the syntax of the template language you use, and used some gross hack like using the Python parser, then that’s the cause of your errors, together with the use of keyword value that can’t possibly be valid.
I save two versions of user input in the following sequence:
Untrusted user enters raw markdown.
Raw markdown is stored in one table.
A copy of the raw markdown is converted into HTML.
HTML is sanitized and persisted, and is displayed upon request.
The raw markdown version is only displayed when users edit a entry; it's loaded into a textarea of a form.
Is there any risk in loading raw markdown (which could potentially contain unsafe HTML) into a textarea? It would never be displayed outside of a textarea.
I can't sanitize the markdown because it would result in inconsistencies between the markdown and HTML versions I'm saving.
FYI: I always sanitize SQL, regardless of what I'm saving to the DB.
You don't have to sanitize it there, just take care of correctly escaping HTML special characters such as < and >.
For instance, Stackoverflow allows you to post HTML code in your posts, it does not remove anything. This is achieved by encoding, not sanitizing.
It depends how you're "loading" it into the textarea. If you're doing it server-side through simple string concatenation, e.g. in php,
$output = '<textarea>' + $markdown + '</textarea>';
...then there is absolutely a risk, because that markdown could very easily close out the textarea and embed whatever else it wants. If you're using some sort of a component framework (e.g., ASP.NET), then you should be protected as long as you use a safe API method, such as MyTextArea.Value = markdown;.
If you're doing it client-side, it also depends on how you're doing this. You would be safe if you used something like jQuery's .val() setter, but could still expose yourself to XSS vulnerabilities through other approaches.
In short, the general answer is yes, depending on how you're actually creating and populating the textarea.
Are you at least doing SQL sanitation? When you INSERT or UPDATE the data, are you using some type of DAO that escapes the SQL or, if using Java, using a Prepared Statement where you set the arguments?
You must always sanitize things before they go into the DB. Otherwise people could add a stray
'); --Malicious procedure here.
..into a request.
There are some security risks to leaving unsanitized input in the text box; mainly if the user is infected with something that's injecting Javascript, it will show up for him or her each time.
Why even save that? Then you're giving your user a totally inconsistent view from what they enter to what is displayed? They won't match up. It's best to clean the input so when they user views it again he or she can clearly see that the offending HTML was removed for security.