I am working with Workflow in SharePoint 2013, I got unexpected error today while creating association form.
Error was,
Solution:
After searching it on internet I got to know that “State Services” was not started. So I have started it from central admin
.
And now forms are rendering
Features
Specifications
Preview
Workflow not completed, Canceled automatically
Visit Site:
Overview
After completing configuration of the workflow, I have created simple test workflow, but workflow shows an error, that “Error Occured”
and when I see the workflow status, It shows that workflow canceled, I confused and added 2-3 new items in list, still same error.
Then I also tried for another lists and applied workflow, but same issues. Workflow canceled with big error.
Error was something like this
RequestorId: 55c6990b-c4a6-352c-4a5b-449fc1aecac4. Details: System.ApplicationException: HTTP 401 {“x-ms-diagnostics”:[“3001000;reason=\”There has been an error authenticating the request.\”;category=\”invalid_client\””],”SPRequestGuid”:[“55c6990b-c4a6-352c-4a5b-449fc1aecac4″],”request-id”:[“55c6990b-c4a6-352c-4a5b-449fc1aecac4″],”X-FRAME-OPTIONS”:[“SAMEORIGIN”],”SPRequestDuration”:[“61″],”SPIisLatency”:[“1″],”Server”:[“Microsoft-IIS\/8.0″],”WWW-Authenticate”:[“Bearer realm=\”61e7a76b-024e-40d5-9185-2887a044d7cc\”,client_id=\”00000003-0000-0ff1-ce00-000000000000\”,trusted_issuers=\”00000005-0000-0000-c000-000000000000@*,00000003-0000-0ff1-ce00-000000000000@61e7a76b-024e-40d5-9185-2887a044d7cc\””,”Negotiate”,”NTLM”],”X-Powered-By”:[“ASP.NET”],”MicrosoftSharePointTeamServices”:[“15.0.0.4420″],”X-Content-Type-Options”:[“nosniff”],”X-MS-InvokeApp”:[“1; RequireReadOnly”],”Date”:
After little search about error, I got to know that , User profile synchronization service should started.
In my case it was not configured and not started.
Start the service
Also keep in mind that , The user by whom you are logged is available in User Profile list.
and you have to do full synchronization of User Profile Application.
Implement security policies for Secure web application with XSS (Cross Site Scripting)
Visit Site:
Overview
Cross Site Scripting (XSS)
Cross-site scripting (XSS) is a type of computer security vulnerability typically found in Web applications. XSS enables attackers to inject client-side script into Web pages viewed by other users.
The expression “cross-site scripting” originally referred to the act of loading the attacked, third-party web application from an unrelated attack site, in a manner that executes a fragment of JavaScript prepared by the attacker in the security context of the targeted domain (a reflected or non-persistent XSS vulnerability). The definition gradually expanded to encompass other modes of code injection, including persistent and non-JavaScript vectors (including ActiveX, Java, VBScript, Flash, or even HTML scripts), causing some confusion to newcomers to the field of information security.
Untrusted Data
Untrusted data is most often data that comes from the HTTP request, in the form of URL parameters, form fields, headers, or cookies. But data that comes from databases, web services, and other sources is frequently untrusted from a security perspective. That is, untrusted data is input that can be manipulated to contain a web attack payload.
Untrusted data should always be treated as though it contains an attack. That means you should not send it anywhere without taking steps to make sure that any attacks are detected and neutralized. As applications get more and more interconnected, the likelihood of a buried attack being decoded or executed by a downstream interpreter increases rapidly
Rules to be follow to avoid XSS
Never Insert Untrusted Data Except in Allowed Locations
...NEVER PUT UNTRUSTED DATA HERE... directly in a script
<!--...NEVER PUT UNTRUSTED DATA HERE...--> inside an HTML comment
in an attribute name
in a tag name
...NEVER PUT UNTRUSTED DATA HERE... directly in CSS
Most importantly, never accept actual JavaScript code from an untrusted source and then run it. For example, a parameter named “callback” that contains a JavaScript code snippet. No amount of escaping can fix that.
HTML Escape Before Inserting Untrusted Data into HTML Element Content
Escape the following characters with HTML entity encoding to prevent switching into any execution context, such as script, style, or event handlers. Using hex entities is recommended in the spec. In addition to the 5 characters significant in XML (&, , “, ‘), the forward slash is included as it helps to end an HTML entity.
& --> &
<
> --> >
" --> "
' --> '
' not recommended because its not in the HTML spec
' is in the XML and XHTML specs.
--> / forward slash is included as it helps end an HTML entity
Attribute Escape Before Inserting Untrusted Data into HTML Common Attributes
Rule is for putting untrusted data into typical attribute values like width, name, value, etc. This should not be used for complex attributes like href, src, style, or any of the event handlers like onmouseover. It is extremely important that event handler attributes should follow Rule #3 for HTML JavaScript Data Values.
content
inside UNquoted attribute
'>content
inside single quoted attribute
content
inside double quoted attribute
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the &#xHH; format (or a named entity if available) to prevent switching out of the attribute. The reason this rule is so broad is that developers frequently leave attributes unquoted. Properly quoted attributes can only be escaped with the corresponding quote. Unquoted attributes can be broken out of with many characters, including [space] % * + , – / ; < = > ^ and |.
JavaScript Escape Before Inserting Untrusted Data into JavaScript Data Values
Rule is concerns dynamically generated JavaScript code – both script blocks and event-handler attributes. The only safe place to put untrusted data into this code is inside a quoted “data value.” Including untrusted data inside any other JavaScript context is quite dangerous, as it is extremely easy to switch into an execution context with characters including (but not limited to) semi-colon, equals, space, plus, and many more, so use with caution.
DO NOT use any escaping shortcut like \” because the quote character may be matched by the HTML attribute parser which runs first. These escaping shortcuts are also susceptible to “escape-the-escape” attacks where the attacker sends \” and the vulnerable code turns that into \\” which enables the quote.
HTML escape JSON values in an HTML context and read the data with JSON.parse
If using ajax call to read json-
Ensure returned Content-Type header is application/json and not text/html
BAD http request
HTTP/1.1 200
Date: Wed, 06 Feb 2013 10:28:54 GMT
Server: Microsoft-IIS/7.5….
Content-Type: text/html; charset=utf-8 <– bad
….
Content-Length: 373
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
{“Message”:”No HTTP resource was found that matches the request URI ‘dev.net.ie/api/pay/.html?HouseNumber=9&AddressLine
=The+Gardensalert(1)&AddressLine2=foxlodge+woods&TownName=Meath’.”,”MessageDetail”:”No type was found
that matches the controller named ‘pay’.”} <– this script will pop!!
CSS Escape And Strictly Validate Before Inserting Untrusted Data into HTML Style
It’s important that you only use untrusted data in a property value and not into other places in style data. You should stay away from putting untrusted data into complex properties like url, behavior, and custom (-moz-binding). You should also not put untrusted data into IE’s expression property value which allows JavaScript.
Please note there are some CSS contexts that can never safely use untrusted data as input – EVEN IF PROPERLY CSS ESCAPED!
You will have to ensure that URLs only start with “http” not “javascript” and that properties never start with “expression”.
{ background-url : "javascript:alert(1)"; } // and all other URLs
{ text-size: "expression(alert('XSS'))"; } // only in IE
URL Escape Before Inserting Untrusted Data into HTML URL Parameter Values
Rule is for when you want to put untrusted data into HTTP GET parameter value.
Ex
<a href="http://www.somesite.com?test=...ESCAPE UNTRUSTED DATA BEFORE PUTTING HERE...">link</a >
Escape ASCII charactors less than 256
Except for alphanumeric characters, escape all characters with ASCII values less than 256 with the \HH escaping format. DO NOT use any escaping shortcuts like \” because the quote character may be matched by the HTML attribute parser which runs first.
These escaping shortcuts are also susceptible to “escape-the-escape” attacks where the attacker sends \” and the vulnerable code turns that into \\” which enables the quote.
Sanitize HTML Markup with a Library Designed for the Job
Use http://htmlpurifier.org/ for purify HTML code or also can use ctrl K+D if you are using visual Studio.
DOM based XSS Prevention
HTML Escape then JavaScript Escape Before Inserting Untrusted Data into HTML Subcontext within the Execution Context
Attributes
element.innerHTML = “<HTML> Tags and markup”;element.outerHTML = “<HTML> Tags and markup”;
Methods
document.write(“<HTML> Tags and markup”);document.writeln(“<HTML> Tags and markup”);
Guideline
To make dynamic updates to HTML in the DOM safe, we recommend
a) HTML encoding, and then
b) JavaScript encoding all untrusted input, as shown in these examples:
Note: The Encoder.encodeForHTML() and Encoder.encodeForJS() are just notional encoders. There can be various ways by which we can encode the data. For ex. .Net user can use System.Web.Security.AntiXss Namespace
JavaScript Escape Before Inserting Untrusted Data into HTML Attribute Subcontext within the Execution Context
The general rule is to HTML Attribute encode untrusted data (data from the database, HTTP request, user, back-end system, etc.) placed in an HTML Attribute. This is the appropriate step to take when outputting data in a rendering context, however using HTML Attribute encoding in an execution context will break the application display of data.
SAFE but BROKEN example
var x = document.createElement(“input”);x.setAttribute(“name”, “company_name”);// In the following line of code, companyName represents untrusted user input// The Encoder.encodeForHTMLAttr() is unnecessary and causes double-encodingx.setAttribute(“value”, ‘<%=Encoder.encodeForJS(Encoder.encodeForHTMLAttr(companyName))%>’); var form1 = document.forms[0];form1.appendChild(x);
The problem is that if companyName had the value “Johnson & Johnson”. What would be displayed in the input text field would be “Johnson & Johnson”. The appropriate encoding to use in the above case would be only JavaScript encoding to disallow an attacker from closing out the single quotes and in-lining code, or escaping to HTML and opening a new script tag.
SAFE and FUNCTIONALLY CORRECT example
var x = document.createElement(“input”);
x.setAttribute(“name”, “company_name”);x.setAttribute(“value”, ‘<%=Encoder.encodeForJS(companyName)%>’);var form1 = document.forms[0];form1.appendChild(x);
It is important to note that when setting an HTML attribute which does not execute code, the value is set directly within the object attribute of the HTML element so there is no concerns with injecting up.
Be Careful when Inserting Untrusted Data into the Event Handler and JavaScript code Subcontexts within an Execution Context
Putting dynamic data within JavaScript code is especially dangerous because JavaScript encoding has different semantics for JavaScript encoded data when compared to other encodings. In many cases, JavaScript encoding does not stop attacks within an execution context. For example, a JavaScript encoded string will execute even though it is JavaScript encoded.
Therefore, the primary recommendation is to avoid including untrusted data in this context. If you must, the following examples describe some approaches that do and do not work.
var x = document.createElement("a");x.href="#”;// In the line of code below, the encoded data on the right (the second argument to setAttribute) // is an example of untrusted data that was properly JavaScript encoded but still executes.x.setAttribute("onclick", "\u0061\u006c\u0065\u0072\u0074\u0028\u0032\u0032\u0029");var y = document.createTextNode("Click To Test");x.appendChild(y);document.body.appendChild(x);
The setAttribute(name_string,value_string) method is dangerous because it implicitly coerces the string_value into the DOM attribute datatype of name_string. In the case above, the attribute name is an JavaScript event handler, so the attribute value is implicitly converted to JavaScript code and evaluated. In the case above, JavaScript encoding does not mitigate against DOM based XSS. Other JavaScript methods which take code as a string types will have a similar problem as outline above (setTimeout, setInterval, new Function, etc.). This is in stark contrast to JavaScript encoding in the event handler attribute of a HTML tag (HTML parser) where JavaScript encoding mitigates against XSS.
JavaScript Escape Before Inserting Untrusted Data into the CSS Attribute Subcontext within the Execution Context
Normally executing JavaScript from a CSS context required either passing javascript:attackCode() to the CSS url() method or invoking the CSS expression() method passing JavaScript code to be directly executed. From my experience, calling the expression() function from an execution context (JavaScript) has been disabled. In order to mitigate against the CSS url() method, ensure that you are URL encoding the data passed to the CSS url() method.
URL Escape then JavaScript Escape Before Inserting Untrusted Data into URL Attribute Subcontext within the Execution Context
The logic which parses URLs in both execution and rendering contexts looks to be the same. Therefore there is little change in the encoding rules for URL attributes in an execution (DOM) context.
var x = document.createElement(“a”);
x.setAttribute(“href”, ‘<%=Encoder.encodeForJS(Encoder.encodeForURL(userRelativePath))%>’);
var y = document.createTextElement(“Click Me To Test”);
x.appendChild(y);
document.body.appendChild(x);
If you utilize fully qualified URLs then this will break the links as the colon in the protocol identifier (“http:” or “javascript:”) will be URL encoded preventing the “http” and “javascript” protocols from being invoked.
Guidelines for Developing Secure Applications Utilizing JavaScript
1. Untrusted data should only be treated as displayable text. Never treat untrusted data as code or markup within JavaScript code.
2. Always JavaScript encode and delimit untrusted data as quoted strings when entering the application (Jim Manico and Robert Hansen)
var x = “<%=encodedJavaScriptData%>”;
3. Use document.createElement(“…”), element.setAttribute(“…”,”value”), element.appendChild(…), etc. to build dynamic interfaces. Please note, element.setAttribute is only safe for a limited number of attributes. Dangerous attributes include any attribute that is a command execution context, such as onclick or onblur. Examples of safe attributes includes align, alink, alt, bgcolor, border, cellpadding, cellspacing, class, color, cols, colspan, coords, dir, face, height, hspace, ismap, lang, marginheight, marginwidth, multiple, nohref, noresize, noshade, nowrap, ref, rel, rev, rows, rowspan, scrolling, shape, span, summary, tabindex, title, usemap, valign, value, vlink, vspace, width.
4. Avoid use of HTML rendering methods:
element.innerHTML = “…”;
element.outerHTML = “…”;
document.write(…);
document.writeln(…);
5. There are numerous methods which implicitly eval() data passed to it. Make sure that any untrusted data passed to these methods is delimited with string delimiters and enclosed within a closure or JavaScript encoded to N-levels based on usage, and wrapped in a custom function. Ensure to follow step 4 above to make sure that the untrusted data is not sent to dangerous methods within the custom function or handle it by adding an extra layer of encoding.
Move Html elements with jquery is one of the common task that programmer has to do in UI. We can have many ways to do this task. Its depends on the requirement
ways I am going to discus are as follows 1) we can move with changing the css by jquery
here I have used a flag and set first to 0 and then if user clicked on the button then change the position of button and flag has been changed and then set to 1
then next if user click to button , then flag is already 1 then move the button to its original position again
<strong>2) move elements with changing the div’s id </strong>
here I will change the position of the button. Means Initialy i will take the element in one div and then onclick of that button that button will move to the other div
HTML
[sourcecode language=”csharp”]
<!————————————————-
move element with changin div id
————————————————–>
<div id="panel1">
<input type="button" value="add" id="btn1" />
<br>
<input type="button" value="add" id="btn2" />
<br>
<input type="button" value="add" id="btn3" />
</div>
<div id="panel2" style="background-color:gray"></div>
3) Change class of the element with toggleClass function of the JQuery
this is little bit tricky , here what I will do is , onclick of the element I will toggle the class and change the property of the class ie change the position of the class
HTML
[sourcecode language=”csharp”]</span>
<!– chage the position of the button and name with classToggle –>
<div id="panel1" class="p1">
<input type="button" value="add" id="btn1" />
<br>
<input type="button" value="add" id="btn2" />
<br>
<input type="button" value="add" id="btn3" />
</div>
<div class="p2"></div>