Tag Archive 'C#'

Nov 14 2012

Beating CRM2011 Anti-XSS with a Web Resource Shim

Published by under Microsoft CRM

Background

In Microsoft Dynamics CRM we’ve got several places that documents relating to an account can be uploaded to SharePoint.  Some are custom solutions developed whilst we were using CRM4 and others are using the built-in CRM2011 SharePoint integration.

To keep things simple for users, I have created a SharePoint web part that allows them to see a consolidated view of documents relating to each account.  This web part has a menu against each document that allows users to open the record that the document was uploaded against.

The Problem

Previously, I was just opening the CRM record in an Internet Explorer (IE) window and everything was fine.  However, now CRM has got a nifty Xrm.Utility.openEntityForm() JavaScript function that will open entity forms in either an IE or Outlook window, depending on which client the user is using to access CRM.

If you are using a CRM Web Page WebResource, you’ve got the option of either including ClientGlobalContext.js.aspx or using parent.Xrm to access the Microsoft Xrm JavaScript object model.  Unfortunately, Crm is on one website address and SharePoint is another website address.  Therefore, although SharePoint is being displayed in CRM using an iFrame, Anti-XSS (Cross Site Scripting) prevents the use of parent.Xrm in the SharePoint page.

The Solution

Given that the Xrm JavaScript object model needs to be used from a page in CRM the solution I came up with is to use a WebResource html page that will act as a shim for SharePoint:

!DOCTYPE html>
<html>
<head>
    <title>Xrm Shim</title>
    <base>
    <script type="text/javascript" src="../ClientGlobalContext.js.aspx"></script>
    <script type="text/javascript" src="../c5_javascript/lib/jquery.min.js"></script>
    <script type="text/javascript">
        $(function () {
            var data = Xrm.Page.context.getQueryStringParameters();
            Xrm.Utility.openEntityForm(data.typename, data.id);
        });
    </script>
    <meta charset="utf-8">
</head>
<body>
</body>
</html>

I then updated my SharePoint web part to run the following script when the user clicks the CRM Record menu item:

crmRecordMenuItem.ClientOnClickScript =
    string.Format(@"ifrm = document.createElement('IFRAME');
        ifrm.setAttribute('src', '{0}/{1}/WebResources/xrmshim.htm?typename=%DocTypeName%&amp;id=%CRMDocID%');
        ifrm.style.width = 1+'px';
        ifrm.style.height = 1+'px';
        document.body.appendChild(ifrm);", crmUrl, crmOrgName);

This creates an iFrame that loads from html shim from CRM which in turn calls Xrm.Utility.openEntityForm using the typename and id passed from SharePoint in the query string parameters.

The shim is simple enough that it can be used on any page that is hosted on any site other that CRM.  It could be extended to call any Xrm object model methods provided by ClientGlobalContext.js.aspx.

No responses yet

May 15 2009

VisendoSMTPExtender Management Web Service

Published by under .NET,Programming,Software

Background:

For work, I’m using a Windows 2008 Server virtual machine for doing all my SharePoint and .Net development on.  As it has got all of the cool stuff I’m working on, it is also the machine that I use to demo what I can do to clients.  Recently I’ve had a bit of a serge in the number of clients wanting to see Nintex Workflow 2007 (NFW2007) for SharePoint.

One of the cool features of NWF2007 is the whole Lazy Approval system, whereby users don’t have to go into SharePoint to approve to decline requests, they can just reply to the notification email with “approved”, “declined”, “ok”, “yes”, “no” or any other recognised word as the first line of the email.  In or to demonstrate this I need to setup and email system on my local machine.  The SMTP (sending) side of things is easy as it is built in to Windows 2008.  However, POP3 is a bit of a problem.  Previous version of IIS had a simple POP3 service but that has been dropped in IIS7.  The Microsoft way would be to install Exchange Server but that is a little too heavyweight for what I am trying to acheive.  Luckily a company called Visendo provides a free solution to plug the gap.  So now I can demo Nintex notification features.

Another feature I also wanted to demonstrate was setting up Active Directory accounts and then using those new accounts.  Nintex has got actions that allow you to interact with Active Directory but to then do anything usefull with the account required modifying xml config files and restarting the Visendo service.  But Nintex can call web services, so I’ve created a web service that has an AddAccount and DeleteAccount methods to update the Visendo configuration and restart the service.

Download:

I’ve made the source code for this web service freely available should anyone else want to have this sort of functionality: VisendoSMTPService.  The code is written against .Net 3.5 and is provided “as is” with no sort of warranty and is most definitely NOT recommended for live systems.  The code is released under a BSD License.

3 responses so far

Mar 23 2009

ScriptManager vs ClientScript

Published by under .NET,General,Programming

As part of a Microsoft Dynamics CRM customisation project, I was recently tasked with modifying an ISV add-in page so that individual sections of the page could be refreshed without having to refresh the entire page.

That in itself was nice and easy, it just required the use of a couple of UpdatePanel and UpdateProgress controls to be dropped on the page along with a ScriptManager control to handle the partial postback requests.

However, there were a couple of gotchas that I didn’t foresee.  Along with the partial updates, the client wanted the parts of the page to load the first time after the page had first loaded in the following order:

  1. Load base page.
  2. Start load of Application Status section.
  3. Start load of Risk section.
  4. Start load of Alerts section.

Unfortunately, the ScriptManager that comes with ASP.Net AJAX only handles one postback at a time.  Any subsequent postbacks take precedence over earlier request, which is fine if you only have one update panel on a page but this initially resulted in only the Alerts section being loaded – the other postbacks being canceled.

Luckily I found a very useful post on Amit’s Blog: Asp.Net Ajax UpdatePanel Simultaneous Update.  This post provides code that queues postback requests.  Ideally I would have liked to have the requests happening at the same time, but this is the next best thing.

The other problem that I found was that one of the sections on the page had previously been dynamically creating and reqistering script that got loaded and executed when the page loaded using:

Page.ClientScript.RegisterClientScriptBlock(this.GetType(),
    "ShowNavBarItem", script.ToString());

Unfortunately that doesn’t work with the AJAX ScriptManager.  Instead I had to change the code to use the ScriptManager to load and execute the code using the following:

ScriptManager.RegisterClientScriptBlock(updatePanelApplications,
    typeof(UpdatePanel), "showNavBarItems", script.ToString(), true);

This means that each time the section is updated I can re-generate the script and it will be executed again.

With this AJAX loading and some enhancements to the SQL code, users now get a much fasted load and response time for the page as the no longer have to wait for the whole page to be rendered before seeing information appearing on the page.

kick it on DotNetKicks.com

One response so far

Nov 20 2007

Test Driven Porting

Published by under .NET,Bell Ringing,Programming

Recently I’ve had reason to take an code library written in C++ and port it to C#.  Whilst I dabbled in C++ on a compilers course at university, I hated it then and I still hate it now.  I personally think it’s an abomination and should be consigned to the great garbage collector in the sky.   Whilst I can just about read the C++ syntax there is a lot that I don’t understand about it.

The library I was porting had semi reasonable documentation outlining what classes exist and their methods and a brief description of the overall usage.  This gave me a good starting point, however the documentation didn’t include example usages and expected results, for this I was forced to delve into the code.

One development paradigm I have been interested in but have been unable to find a decent project to test it on is Test-Driven-Development and this seemed like the perfect project to try it on.  So I set to work on the first iteration getting the test set up.   Without knowing exactly what results I should be expecting I was finding it hard going, so once again I dived back into the old code.

Thankfully, the developers of the C++ library had create a fairly comprehensive set of unit tests and with my limited C++ knowledge and a text editor with RegEx Find & Replace I was quickly able to convert their unit tests into NUnit based unit tests.

For example, what started out life as:

 1: void test_row_multiply_change(void)
 2: {
 3:  row r;
 4:  RINGING_TEST( ( r *= change( 6, "X" ) ) == "214365" );
 5:  RINGING_TEST( ( r *= change( 6, "1" ) ) == "241635" );
 6:  RINGING_TEST( ( r *= change( 8, "X" ) ) == "42615387" );
 7:  RINGING_TEST( ( r *= change( 5, "3" ) ) == "24651387" );
 8:  
 9:  RINGING_TEST( row( "214365" ) * change( 7, "5" ) == row( "1234675" ) );
 10: }

Quickly became:

 1: [Test]
 2: public void TestMultiplicationByChange()
 3: {
 4:  Row r = new Row();
 5:  Assert.AreEqual((Row)"214365", r *= new Change(6, "X") );
 6:  Assert.AreEqual((Row)"241635", r *= new Change(6, "1"));
 7:  Assert.AreEqual((Row)"42615387", r *= new Change(8, "X" ));
 8:  Assert.AreEqual((Row)"24651387", r *= new Change(5, "3"));
 9:  
 10:  Assert.AreEqual((Row)"1234675", new Row("214365") * new Change(7, "5"));
 11: }

Now, with a full set of unit tests at my disposal I was quickly able to bash away at the library and very quickly got working code without the need to trawl through ghastly C++ code.

Hooray for Test-Driven-Development and three cheers for Test-Driven-Porting.

ps. The library I’m porting is an open source library for Bell Ringing – yes I know I’m a geek but anyone that has followed everything else in this post must also be a geek ;-).  Once I’m finished I will be releasing my code under an open source license as well, I just need to pick the right one.

pps. I may have exaggerated my hate of C++ a little.  I believe all languages have their place, even the esoteric languages like LOLCode.

kick it on DotNetKicks.com

No responses yet