Analysis on the use of ASP. NET control designer

What are precautions for using the ASP. NET control designer?

I. solutions used by ASP. NET control designer

There are two common solutions for using the ASP. NET control designer: developing custom controls and Developing visual design tools.

If you develop custom Web server controls, you can create an associated designer to improve the page developer's ability to configure controls during design. This solution is particularly useful if the control may be reused by many page developers. For example, you may create a custom chart control. If an associated control designer is provided, you can use different styles to configure controls on the page for developers on different intranets.

If you develop a Visual Web design tool similar to Visual Studio 2005 or Microsoft FrontPage, you can use the control designer to host components. This enables your tools to provide services and interact with the control designer to provide design-time rendering for custom controls.

For more information about the. NET Framework designer structure, see the design-time structure. For more information about creating your own designer for custom Web server controls, see Walkthrough: creating a basic widget designer for Web server controls. For more information about creating a custom control designer with a service and operation list to provide the UI, see the sample control designer with an operation table and service.

Ii. ensure the security of the custom ASP. NET Control designer

When the control is in the design view, the designer component processes property changes and presents the markup in the design host, such as Visual Studio. During design, the widget designer component runs at the same level of trust as its design host. The designer component may perform the following operations: access the database, call the website on the remote server, create a file, write it to the developer's computer, and send an email, and execute the code in other assemblies.

The information in this section describes some best practices to help you improve the security of the control designer functions.

In addition to following the encoding and configuration best practices to help improve application security, ensure that the latest security updates from Microsoft Windows and Internet Information Service (IIS) are used, keep the application server up to date. You shall also ensure that you have the latest version of any commercial custom control packages installed on your computer.

In the Writing Secure Code "Write security Code" written by Michael Howard and David LeBlanc, you can find more details about best practices for writing security code and protecting application security. For other guidance, see Microsoft Patterns and PracticesMicrosoft mode and practices) websites and guidelines and best practices.

◆ Security issues faced by custom controls

You should be aware that custom controls from unknown sources may contain a designer that exposes sensitive data on your computer online or runs malicious code at design time. You cannot use the code access configuration to restrict access to the control designer because these designers must always run in the design host with full trust. For more information about the trust level, see ASP. NET trust level and policy file. For more information about code access security, see code access security.

◆ Security problems faced by custom control developers

Use the configuration properties of classes and members to limit permissions to the minimum level required by the control function, and do not provide adequate security protection for designer components, because these components must run in the design host with full trust.

If possible, do not use real-time data in the database to display the sample structure when previewing data controls such as the GridView control. This exposes sensitive data in the database. You should change the sample data structure to build a preview data.

◆ Security problems faced by the design host developers

If you want to develop a design host such as Visual Studio, you should check whether there is a security risk in HTML Tag, text, and other data returned from the designer. Only when there is no security risk,. In addition, the size of the HTML Tag string and designer area is limited to a manageable size. For more information about HTML authentication, see verifying user input on the ASP. NET page

Iii. ASP. NET control designer supports multiple development tools

Microsoft Visual Web Developer supports all the features discussed in this topic, but other development tools may not. Some examples of features that may not be supported are:

◆ Region.

Control developers can check the SupportsRegions attribute and modify the behavior of the control designer accordingly.

◆ Host service.

Before using this service, the control developer can check the return value of the GetService method. For examples, see How to: use the service and operation list for the control designer.

◆ Region set.

Both versions of the GetDesignTimeHtml method should be overwritten because some development tools do not support regional collections.

The basic usage of the ASP. NET Control designer is introduced here. I hope to help you understand the ASP. NET control designer.

1. Analysis of ASP. NET control design support
2. Usage of ASP. NET2.0 data source controls
3. Analysis on automatic format settings supported during ASP. NET Control Design
4. Analysis on the operation list and template editing during ASP. NET Control Design
5. Analysis of ASP. NET control designer