Tag Archive 'Programming'

Nov 14 2012

Beating CRM2011 Anti-XSS with a Web Resource Shim

Published by under Microsoft CRM

Background

In Microsoft Dynamics CRM we’ve got several places that documents relating to an account can be uploaded to SharePoint.  Some are custom solutions developed whilst we were using CRM4 and others are using the built-in CRM2011 SharePoint integration.

To keep things simple for users, I have created a SharePoint web part that allows them to see a consolidated view of documents relating to each account.  This web part has a menu against each document that allows users to open the record that the document was uploaded against.

The Problem

Previously, I was just opening the CRM record in an Internet Explorer (IE) window and everything was fine.  However, now CRM has got a nifty Xrm.Utility.openEntityForm() JavaScript function that will open entity forms in either an IE or Outlook window, depending on which client the user is using to access CRM.

If you are using a CRM Web Page WebResource, you’ve got the option of either including ClientGlobalContext.js.aspx or using parent.Xrm to access the Microsoft Xrm JavaScript object model.  Unfortunately, CRM is on one website address and SharePoint is on another.  Therefore, although SharePoint is being displayed in CRM using an iFrame, Anti-XSS (Cross Site Scripting) protection, in the form of the browser’s same-origin policy, prevents the use of parent.Xrm in the SharePoint page.

The Solution

Given that the Xrm JavaScript object model needs to be used from a page in CRM, the solution I came up with is to use a WebResource HTML page that will act as a shim for SharePoint:

<!DOCTYPE html>
<html>
<head>
    <title>Xrm Shim</title>
    <base>
    <script type="text/javascript" src="../ClientGlobalContext.js.aspx"></script>
    <script type="text/javascript" src="../c5_javascript/lib/jquery.min.js"></script>
    <script type="text/javascript">
        $(function () {
            var data = Xrm.Page.context.getQueryStringParameters();
            Xrm.Utility.openEntityForm(data.typename, data.id);
        });
    </script>
    <meta charset="utf-8">
</head>
<body>
</body>
</html>

I then updated my SharePoint web part to run the following script when the user clicks the CRM Record menu item:

crmRecordMenuItem.ClientOnClickScript =
    string.Format(@"ifrm = document.createElement('IFRAME');
        ifrm.setAttribute('src', '{0}/{1}/WebResources/xrmshim.htm?typename=%DocTypeName%&amp;id=%CRMDocID%');
        ifrm.style.width = 1+'px';
        ifrm.style.height = 1+'px';
        document.body.appendChild(ifrm);", crmUrl, crmOrgName);

This creates an iFrame that loads the HTML shim from CRM, which in turn calls Xrm.Utility.openEntityForm using the typename and id passed from SharePoint in the query string parameters.

The shim is simple enough that it can be used on any page that is hosted on any site other than CRM.  It could be extended to call any Xrm object model methods provided by ClientGlobalContext.js.aspx.
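
Because the shim passes whatever typename and id arrive in the query string straight to Xrm.Utility.openEntityForm, and is meant to be loaded from pages on other sites, it is worth validating both values first. The following is an added example, not part of the original post; the entity allow-list and the function names are assumptions.

```javascript
// Added example: validate the shim's query-string input before it reaches Xrm.
// ALLOWED_ENTITIES and all function names are assumptions, not part of the original shim.
const ALLOWED_ENTITIES = new Set(["account", "contact", "opportunity"]);
const GUID = "[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}";
const GUID_RE = new RegExp("^(?:\\{" + GUID + "\\}|" + GUID + ")$", "i");

// Parse "?a=1&b=2" into an object; returns null on duplicate keys.
function parseShimQuery(search) {
  const out = Object.create(null);
  for (const pair of search.replace(/^\?/, "").split("&")) {
    if (!pair) continue;
    const eq = pair.indexOf("=");
    const key = decodeURIComponent(eq < 0 ? pair : pair.slice(0, eq));
    const val = eq < 0 ? "" : decodeURIComponent(pair.slice(eq + 1));
    if (key in out) return null; // ambiguous input: refuse rather than guess
    out[key] = val;
  }
  return out;
}

// Returns { typename, id } in canonical form, or null if anything is off.
function validateShimRequest(search) {
  let params;
  try {
    params = parseShimQuery(search);
  } catch (e) {
    return null; // malformed percent-encoding
  }
  if (!params) return null;
  const typename = String(params.typename || "").toLowerCase();
  const id = String(params.id || "");
  if (!ALLOWED_ENTITIES.has(typename) || !GUID_RE.test(id)) return null;
  return { typename: typename, id: id.replace(/[{}]/g, "").toLowerCase() };
}

// In the shim page, replacing the unconditional call (runs only where Xrm exists).
function openValidatedRecord(search) {
  const req = validateShimRequest(search);
  if (!req || typeof Xrm === "undefined") return false;
  Xrm.Utility.openEntityForm(req.typename, req.id);
  return true;
}
```

The shim would call openValidatedRecord(window.location.search) from its ready handler. The block uses current JavaScript syntax; the Internet Explorer versions CRM 2011 targeted would need var and a plain for loop instead.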

No responses yet

May 15 2009

VisendoSMTPExtender Management Web Service

Published by under .NET,Programming,Software

Background:

For work, I’m using a Windows 2008 Server virtual machine for doing all my SharePoint and .Net development on.  As it has got all of the cool stuff I’m working on, it is also the machine that I use to demo what I can do to clients.  Recently I’ve had a bit of a surge in the number of clients wanting to see Nintex Workflow 2007 (NWF2007) for SharePoint.

One of the cool features of NWF2007 is the whole Lazy Approval system, whereby users don’t have to go into SharePoint to approve or decline requests; they can just reply to the notification email with “approved”, “declined”, “ok”, “yes”, “no” or any other recognised word as the first line of the email.  In order to demonstrate this I need to set up an email system on my local machine.  The SMTP (sending) side of things is easy as it is built in to Windows 2008.  However, POP3 is a bit of a problem.  Previous versions of IIS had a simple POP3 service but that has been dropped in IIS7.  The Microsoft way would be to install Exchange Server but that is a little too heavyweight for what I am trying to achieve.  Luckily a company called Visendo provides a free solution to plug the gap.  So now I can demo Nintex notification features.

Another feature I also wanted to demonstrate was setting up Active Directory accounts and then using those new accounts.  Nintex has got actions that allow you to interact with Active Directory, but doing anything useful with the account then required modifying xml config files and restarting the Visendo service.  But Nintex can call web services, so I’ve created a web service that has AddAccount and DeleteAccount methods to update the Visendo configuration and restart the service.

Download:

I’ve made the source code for this web service freely available should anyone else want to have this sort of functionality: VisendoSMTPService.  The code is written against .Net 3.5 and is provided “as is” with no sort of warranty and is most definitely NOT recommended for live systems.  The code is released under a BSD License.

3 responses so far

Mar 10 2009

The SharePoint Adrenalin Moment

Published by under Programming,Software

I’ve been developing with SharePoint for about 9 months now, and by developing I don’t mean airy-fairy SharePoint Designer drag-and-drop, I mean proper getting your hands dirty in code because SharePoint doesn’t have a *cough* out of the box *cough* feature that does what you want.

Mostly, deployment is done in two stages, firstly to a UAT box and then to a Live box.  Obviously the most efficient way to do this is to bundle your features into a solution which can easily be deployed onto any number of machines.  But, it does mean you have to make sure you’ve got everything right.  Untangling mistakes in your code can be a right royal pain in the arse.

By the time you’ve developed your solution, tested it out, deployed it to UAT and tested it again you should be fairly confident that when you come to deploy it on the Live server things should go pretty smoothly.  And, touch wood, to date things have gone smoothly.

But I still can’t get over that rush of adrenaline that comes with clicking “Activate Feature” after deploying the solution on Live.  In the second or two whilst the page waits to reload my mind runs through all the possible things that could go wrong and how long it would take me to unpick the changes my code might have got halfway through.  Then the page finally loads…..

….. “Feature Activated”, phew!  Time for a lie down to calm my nerves.

2 responses so far

Feb 25 2009

CRM 4 iFrame Printing

Published by under Programming,Software

Last year I was working with a client to develop some ISV add-ins for Microsoft Dynamics CRM.  Recently I was alerted to the fact that one of them – a separate aspx page that loads in an iFrame on the account details panel – wasn’t printing correctly.

It displayed correctly in the normal view form, appeared correctly on the print preview form but when actually printed it was collapsed down to one or two pixels high.

After doing a bit of research, I found this post by Vince Bullinger, in which he gets around the problem by, as far as I can tell, modifying a core CRM css file.  Whilst this will work, it should be noted that any modification to core CRM files is not supported and will almost certainly break or be lost by updates and hotfixes.

Another problem with the code Vince Bullinger gives is that it gives the iFrames a fixed height and that applies to ALL ISV iFrames.  However, with this knowledge I was able to come up with my own solution that uses a bit of Javascript to ensure that iFrames are printed and at the correct height to display all the content:

<%@ Page Language="C#" AutoEventWireup="true"
    CodeBehind="Summary.aspx.cs" Inherits="CRMWeb.SummaryStatus.Summary" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"
    "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head runat="server">
    <title>Summary Status</title>
    <style type="text/css">
        #pageWrapper
        {
            position: absolute;
            top: 0;
            left: 0;
        }
    </style>
</head>
<body>
    <div id="pageWrapper">
    <form id="form1" runat="server">
        <!-- content goes here -->
    </form>
    </div>
    <script language="javascript" type="text/javascript">
        var dh = document.getElementById("pageWrapper").offsetHeight;
        document.parentWindow.frameElement.height = dh;
        document.parentWindow.frameElement.style.display = "block";
        document.parentWindow.frameElement.style.height = dh + "px";
    </script>
</body>
</html>

This solution requires that you surround the content of your page with a div, in this case <div id="pageWrapper"></div>.  This is used by the block of Javascript at the end.

The purpose of the Javascript is to use the pageWrapper div to find out the height of the content.  This height is then used to set the height of the iFrame that contains the page and to set the display style of the iFrame to block.

It probably doesn’t require the iFrame height and the iFrame’s style.height both being set but I decided to take a belts and braces approach.

In addition to ensuring the iFrame content is printed, I am also planning on implementing the code on Vince Bullinger’s page for loading a specific css stylesheet for printing.

2 responses so far

Aug 11 2008

Try…Catch For No Reason

Published by under .NET,Programming

I’ve seen this time and time again and I’m sure just about every developer out there has seen the same sort of thing:

try {
    //many lines of code
} catch (Exception ex) {
    throw new Exception("Something went wrong dude!");
}

This is probably the single most unhelpful piece of code a developer can write.  All you are doing is making your life and future developers’ lives harder when it comes to debugging.  The whole point of the try…catch block is for times when you know an exception may happen and it allows you to gracefully handle it without the whole system crashing to the ground.

So let’s have a closer look at what’s wrong with this code:

Continue Reading »

One response so far

Feb 08 2008

Character Counter

Published by under .NET,Software

Whilst reading an article I was curious about the number of commas and full-stops that the author used – when you become an editor of a newsletter you start to think about things like this.  After hunting around the various utilities on my system I discovered that I didn’t have anything that could easily do this.  So, I did what any self-respecting programmer would do and threw together a quick app to do it for me.

I have made both the source code and pre-compiled binary available for download under a BSD license (share, remix, no endorsement).  It is written in C# and requires the .Net 2.0 framework, if you want to compile the source you will probably require MS Visual Studio (Express should be ok), although it may work with SharpDevelop or Mono.

It is a console application (sorry, no pretty GUI this time) that reads the contents of input.txt (in the same directory as the app), it then counts the occurrences of each character and outputs the results to the console. Simple!

If you make any improvements to the code please leave a comment and/or email the changes to me: gringod [at] gmail [dot] com.

No responses yet

Nov 20 2007

Test Driven Porting

Published by under .NET,Bell Ringing,Programming

Recently I’ve had reason to take a code library written in C++ and port it to C#.  Whilst I dabbled in C++ on a compilers course at university, I hated it then and I still hate it now.  I personally think it’s an abomination and should be consigned to the great garbage collector in the sky.   Whilst I can just about read the C++ syntax there is a lot that I don’t understand about it.

The library I was porting had semi reasonable documentation outlining what classes exist and their methods and a brief description of the overall usage.  This gave me a good starting point, however the documentation didn’t include example usages and expected results, for this I was forced to delve into the code.

One development paradigm I have been interested in but have been unable to find a decent project to test it on is Test-Driven-Development and this seemed like the perfect project to try it on.  So I set to work on the first iteration getting the test set up.   Without knowing exactly what results I should be expecting I was finding it hard going, so once again I dived back into the old code.

Thankfully, the developers of the C++ library had created a fairly comprehensive set of unit tests and with my limited C++ knowledge and a text editor with RegEx Find & Replace I was quickly able to convert their unit tests into NUnit based unit tests.

For example, what started out life as:

void test_row_multiply_change(void)
{
    row r;
    RINGING_TEST( ( r *= change( 6, "X" ) ) == "214365" );
    RINGING_TEST( ( r *= change( 6, "1" ) ) == "241635" );
    RINGING_TEST( ( r *= change( 8, "X" ) ) == "42615387" );
    RINGING_TEST( ( r *= change( 5, "3" ) ) == "24651387" );

    RINGING_TEST( row( "214365" ) * change( 7, "5" ) == row( "1234675" ) );
}

Quickly became:

[Test]
public void TestMultiplicationByChange()
{
    Row r = new Row();
    Assert.AreEqual((Row)"214365", r *= new Change(6, "X") );
    Assert.AreEqual((Row)"241635", r *= new Change(6, "1"));
    Assert.AreEqual((Row)"42615387", r *= new Change(8, "X" ));
    Assert.AreEqual((Row)"24651387", r *= new Change(5, "3"));

    Assert.AreEqual((Row)"1234675", new Row("214365") * new Change(7, "5"));
}

Now, with a full set of unit tests at my disposal I was quickly able to bash away at the library and very quickly got working code without the need to trawl through ghastly C++ code.

Hooray for Test-Driven-Development and three cheers for Test-Driven-Porting.

ps. The library I’m porting is an open source library for Bell Ringing – yes I know I’m a geek but anyone that has followed everything else in this post must also be a geek ;-) .  Once I’m finished I will be releasing my code under an open source license as well, I just need to pick the right one.

pps. I may have exaggerated my hate of C++ a little.  I believe all languages have their place, even the esoteric languages like LOLCode.

No responses yet