Dear All,

As mentioned in the subject, I am using a GridView in my page. It was working as long as I had unsafe-inline in the content security policy. However, now it has to be removed due to security issues. After removing it, the edit/update/cancel events and the file download click events stopped working.

Kindly help and suggest.

What I have tried:

I have added addEventListener in a separate JavaScript file. It adds the events; however, on editing it is catching the last index of the records.


ASP.NET
<asp:GridView ID="gv_Master" HorizontalAlign="Center" runat="server" Width="100%" AutoGenerateColumns="False" DataKeyNames="ID" EmptyDataText="No records found.">
                            <HeaderStyle CssClass="gvHeader" />
                            <Columns>
                                <asp:TemplateField HeaderText="Action" ItemStyle-Width="4%">
                                    <ItemTemplate>
                                        <asp:LinkButton ID="btnEdit" Text="Edit" runat="server" CommandName="Edit"  CommandArgument="Edit"  />
                                    </ItemTemplate>
                                    <EditItemTemplate>
                                        <asp:LinkButton ID="btnUpdate" Text="Update" runat="server" CommandName="Update" CommandArgument="Update" />
                                        <asp:LinkButton ID="btnCancel" Text="Cancel" runat="server" CommandName="Cancel" CommandArgument="Cancel" />
                                    </EditItemTemplate>
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="Id" Visible="false">
                                    <ItemTemplate>
                                        <asp:Label ID="lblID" runat="server" Text='<%# Eval("ID")%>'></asp:Label>
                                    </ItemTemplate>
                                    <ItemStyle HorizontalAlign="Left"  />
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="No." ItemStyle-Width="6%">
                                    <ItemTemplate>
                                        <asp:Label ID="NO" runat="server" Text='<%# Eval("NO")%>' Style="text-transform: uppercase"></asp:Label>
                                    </ItemTemplate>
                                    <ItemStyle HorizontalAlign="Left" Wrap="True" />
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="Name" ItemStyle-Width="24%">
                                    <ItemTemplate>
                                        <asp:Label ID="NAME" runat="server" Text='<%# Eval("NAME")%>' Style="text-transform: uppercase"></asp:Label>
                                    </ItemTemplate>
                                    <ItemStyle HorizontalAlign="Left" />
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="Active Status" ItemStyle-Width="10%">
                                    <ItemTemplate>
                                        <asp:DropDownList ID="ddlActive" runat="server" Enabled="false" SelectedValue='<%# Eval("[BEM_ACTIVE]")%>'>
                                            <asp:ListItem Value="1" Text="Active"></asp:ListItem>
                                            <asp:ListItem Value="0" Text="De - active"></asp:ListItem>
                                        </asp:DropDownList>
                                    </ItemTemplate>
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="Download Files" ItemStyle-Width="18%">
                                    <ItemTemplate>
                                        <asp:LinkButton ID="hl_file" runat="server" Text='<%# Eval("File")%>' CommandArgument='<%# Eval("File_Path")%>' CommandName='lnkAttachment'></asp:LinkButton>
                                    </ItemTemplate>
                                    <ItemStyle HorizontalAlign="Left" />
                                    <EditItemTemplate>
                                        <asp:FileUpload runat="server" ID="fld_file" />
                                        <asp:LinkButton ID="hl_file" runat="server" Text='<%# Eval("File")%>' CommandArgument='<%# Eval("File_Path")%>' CommandName='lnkAttachment'></asp:LinkButton>
                                    </EditItemTemplate>
                                </asp:TemplateField>
                                <asp:TemplateField HeaderText="Reason" ItemStyle-Width="18%">
                                    <ItemTemplate>
                                        <asp:Label ID="REASON" runat="server" Text='<%# Eval("REASON")%>' Style="text-transform: uppercase"></asp:Label>
                                    </ItemTemplate>
                                    <ItemStyle HorizontalAlign="Left" />
                                    <EditItemTemplate>
                                        <asp:TextBox ID="REASON" runat="server" Text='<%# Bind("REASON")%>' Width="90%" MaxLength="200" Style="text-transform: uppercase"></asp:TextBox>
                                    </EditItemTemplate>
                                </asp:TemplateField>
                            </Columns>
                        </asp:GridView>


VB.NET
' con, Cmd, dr, row and ID are assumed to be declared at class level (not shown here).
Public Sub binddata()
    Dim dsExeRpt As New DataTable
    con = New SqlClient.SqlConnection(System.Configuration.ConfigurationManager.AppSettings("MyConnectionString"))

    Cmd = New SqlClient.SqlCommand("GET_MasterData", con)
    Cmd.CommandType = CommandType.StoredProcedure
    con.Open()

    dr = Cmd.ExecuteReader()
    dsExeRpt.Load(dr)

    ' Both branches bind and show the grid; with no rows the EmptyDataText is displayed.
    If dsExeRpt.Rows.Count > 0 Then
        gv_Master.DataSource = dsExeRpt
        gv_Master.DataBind()
        gv_Master.Visible = True
    Else
        gv_Master.DataSource = dsExeRpt
        gv_Master.DataBind()
        gv_Master.Visible = True
    End If

    dr.Close()
    dr.Dispose()
    con.Close()
End Sub

Protected Sub gv_MemMaster_RowCancelingEdit(sender As Object, e As GridViewCancelEditEventArgs) Handles gv_Master.RowCancelingEdit
    gv_Master.EditIndex = -1
    Session("Edit") = 0
    binddata()
End Sub

Protected Sub gv_MemMaster_RowCommand(sender As Object, e As GridViewCommandEventArgs) Handles gv_Master.RowCommand
    ' Download link: the CommandArgument carries the stored file path.
    If e.CommandName = "lnkAttachment" Then
        DocumentUploadDownload.ClsFileDownload.DocumentDownload(e.CommandArgument.ToString())
    End If
End Sub

Protected Sub gv_MemMaster_RowEditing(sender As Object, e As GridViewEditEventArgs) Handles gv_Master.RowEditing
    gv_Master.EditIndex = e.NewEditIndex
    row = gv_Master.Rows(gv_Master.EditIndex)
    ID = gv_Master.DataKeys(row.RowIndex)("ID")
    hd_gvIndex.Value = row.RowIndex

    Session("Edit") = 1
    binddata()
End Sub

JavaScript
// Assumes the grid renders with the client id "gv_Master" (e.g. ClientIDMode="Static");
// otherwise use the generated ClientID here.
var gv_Master = document.getElementById('gv_Master');

// Turn the LinkButton href "javascript:__doPostBack('gv_Master$ctl02$btnEdit','')"
// into the target "gv_Master$ctl02$btnEdit" and attach a click handler that posts
// back to it. Doing this inside a function gives every handler its own "target";
// the original loop kept a single function-scoped var, so every handler fired with
// the last row's target (the "last index" symptom).
function wirePostBack(link, useCapture) {
    var target = link.href.replace("javascript:__doPostBack(", "")
                          .replace(",'')", "")
                          .replace("'", "")
                          .replace("'", "");
    link.addEventListener('click', function (ev) {
        ev.preventDefault();            // do not follow the javascript: URL
        __doPostBack(target, '');
    }, useCapture);
}

if (gv_Master != null) {

    // Row 0 is the header; the action column is cell 0.
    for (var rowId = 1; rowId < gv_Master.rows.length; rowId++) {
        var actionCell = gv_Master.rows[rowId].cells[0];
        if (actionCell.children.length === 0) { continue; }   // e.g. the EmptyDataText row
        var InnerText = actionCell.children[0].innerText;

        if (InnerText == 'Edit') {
            wirePostBack(actionCell.children[0], false);
        }

        if (InnerText == 'Update') {
            wirePostBack(actionCell.children[0], true);    // Update
            wirePostBack(actionCell.children[1], true);    // Cancel
        }
    }
}


// Inline script WebForms emits for postbacks; CSP blocks it once unsafe-inline is removed.
//<![CDATA[
    var theForm = document.forms['form1'];
    if (!theForm) {
        theForm = document.form1;
    }
    function __doPostBack(eventTarget, eventArgument) {
        var theForm = document.forms['form1'];
        if (!theForm.onsubmit || (theForm.onsubmit() != false)) {
            theForm.__EVENTTARGET.value = eventTarget;
            theForm.__EVENTARGUMENT.value = eventArgument;
            theForm.submit();
        }
    }
    //]]>
Updated 19-Jun-23 0:47am
Comments
Richard Deeming 19-Jun-23 5:23am    
Clearly you have some JavaScript code loaded "inline" within the source of your page, which the CSP is blocking.

But since you haven't shown any of your code, we can't help you.
Magic Wonder 19-Jun-23 5:46am    
Kindly find source code as needed.

1 solution

The problem is that you're using WebForms - a framework which was last updated at least a decade before the first CSP specification.

WebForms emits a buttload of inline scripts, many of which are dynamically generated so you can't add their hashcode to the policy.

Unfortunately, there are very few options available to you. Short of intercepting the entire page rendering process to add a "nonce" to each inline script element, you'll either need to keep the unsafe-inline option in your policy, or completely rewrite your application in a more modern framework.
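One way to do the interception the answer describes, as an added example that is not from the question, the answer or the WebForms framework: a base page class (assumed name CspPage) renders the page into a buffer, stamps a per-request nonce on every inline script element and sends the matching Content-Security-Policy header. A page opts in by using Inherits CspPage instead of Page in its code-behind.

```vb
Imports System.IO
Imports System.Security.Cryptography
Imports System.Text
Imports System.Text.RegularExpressions
Imports System.Web.UI

' Assumed base class: derive each page from CspPage instead of Page.
Public Class CspPage
    Inherits Page

    ' Fresh 128-bit nonce per request; a nonce must never be reused across responses.
    Public ReadOnly PageNonce As String = NewNonce()

    Private Shared Function NewNonce() As String
        Dim bytes(15) As Byte
        Using rng As RandomNumberGenerator = RandomNumberGenerator.Create()
            rng.GetBytes(bytes)
        End Using
        Return Convert.ToBase64String(bytes)
    End Function

    ' Stamp nonce="..." on every <script> that has no src attribute, i.e. the inline
    ' blocks WebForms generates (__doPostBack included). External scripts are still
    ' governed by the 'self' host source in the policy.
    Friend Shared Function AddNonceToInlineScripts(html As String, nonce As String) As String
        Dim pattern As String = "<script(?=[\s>])(?![^>]*\bsrc=)(?![^>]*\bnonce=)"
        Return Regex.Replace(html, pattern, "<script nonce=""" & nonce & """", RegexOptions.IgnoreCase)
    End Function

    Protected Overrides Sub Render(writer As HtmlTextWriter)
        ' Render into a buffer so the markup can be rewritten before it is sent.
        Dim sb As New StringBuilder()
        Using sw As New StringWriter(sb)
            Using buffered As New HtmlTextWriter(sw)
                MyBase.Render(buffered)
            End Using
        End Using
        ' Headers must be set before the body is flushed; Render runs before that.
        Response.AppendHeader("Content-Security-Policy",
            "default-src 'self'; script-src 'self' 'nonce-" & PageNonce & "'; object-src 'none'")
        writer.Write(AddNonceToInlineScripts(sb.ToString(), PageNonce))
    End Sub
End Class
```

A nonce only whitelists script elements: the javascript: URLs that LinkButton writes into href and any onclick attributes remain blocked, so those links still need the external-file addEventListener approach from the question.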

This content, along with any associated source code and files, is licensed under The Code Project Open License (CPOL)


