RIP Sportsmanship. An antiquated idea that has been abandoned.

I think we are all watching the death throes of sportsmanship and gentlemanly conduct on the Tour de France this year.

It has traditionally been the practice that, when one rider falls or has mechanical trouble, his competition will wait for him to get back on his bike and catch up before resuming racing.  We saw Fabian Cancellara marshalling the peloton in Belgium when the Schleck brothers fell.

However, by the time the race had progressed to the Pyrenees, we had seen Alberto Contador fail to wait for Andy Schleck when the latter’s chain came off, and consequently to take eight seconds off him in the classement général.  And Carlos Sastre, after another incident, issued a statement saying, “I didn’t wait.  Why should I? No-one waited for me.  Anyone who has any issue with my behaviour can talk to me directly.”

Road cycling in Europe is a sport in which the concertive power of peer expectations is very powerful, with all those French and Belgian riders.  They have no qualms about insulting foreigners who step out of line and they have a number of subtle French insults to deploy if they feel like it.  I’m not sure it is exactly gentlemanly conduct that they are up to.  But certainly respecting traditional codes of behaviour.  And it does seem to have broken down before our eyes over the last week.

I guess next week we will hear the results of the blood-tests.  If it is the same as last year then the top ten riders will all be disqualified…

I was actually surprised to see that this level of sportsmanship and consideration for one’s adversary is still being practiced in road cycling.  Most other sports abandoned it years ago.  I recall from the ‘70s that it was common in the game of cricket for a batsman to ‘walk.’  This is a practice where the batsman knows that he snicked the ball with bat or pad, but the umpire missed it.  Without saying a word the batsman would take off his gloves, tuck his bat under his arm and walk back to the pavillion.  In recent years I have never seen a batsman walk and in fact the official policy of the Australian cricket team is not to walk.  Cricketers give interviews saying, “I don’t believe in walking.  The umpire missed it.  Good for me.  The important thing is winning.”

In Rugby Union last year when Sterling Mortlock came back from shoulder reconstruction surgery I observed the Springbok forwards deliberately land on his shoulder in the tackle again and again in an effort to ‘pop it.’  In AFL that sort of behaviour is completely normal and a player coming back from a hamstring injury will be kicked accidentally in the hamstring.  A player known to have his ribs taped, will catch elbows all day long.  Even in the World Cup we saw Dutch strikers being stamped on by Uruguayan players.

That’s it these days, I’m afraid.  Winning is everything.  Money talks.  The rest is naïveté and historical anachronism.  And if you watch children playing sport you will see them doing all the same things because they imitate what they see on television.  Makes me feel old and inconsequential.  All I can do is write blog posts observing the passing.

RequestValidation Changes in ASP.NET 4.0

There’s been a change in the way the ValidateRequest attribute on WebForms works in ASP.NET 4.0. I noticed this today while updating a post on my WebLog all of which contain raw HTML and so all pretty much trigger request validation. I recently upgraded this app from ASP.NET 2.0 to 4.0 and it’s now failing to update posts. At first this was difficult to track down because of custom error handling in my app – the custom error handler traps the exception and logs it with only basic error information so the full detail of the error was initially hidden.

After some more experimentation in development mode the error that occurs is the typical ASP.NET validate request error (‘A potentially dangerous Request.Form value was detetected…’) which looks like this in ASP.NET 4.0:

At first when I got this I was real perplexed as I didn’t read the entire error message and because my page does have:

<%@ Page Language="C#" AutoEventWireup="true" CodeBehind="NewEntry.aspx.cs" Inherits="Westwind.WebLog.NewEntry" 
         MasterPageFile="~/App_Templates/Standard/AdminMaster.master"  
         ValidateRequest="false"         
         EnableEventValidation="false"
         EnableViewState="false" 
%>

WTF? ValidateRequest would seem like it should be enough, but alas in ASP.NET 4.0 apparently that setting alone is no longer enough. Reading the fine print in the error explains that you need to explicitly set the requestValidationMode for the application back to V2.0 in web.config:

<httpRuntime executionTimeout="300" requestValidationMode="2.0" />

Kudos for the ASP.NET team for putting up a nice error message that tells me how to fix this problem, but excuse me why the heck would you change this behavior to require an explicit override to an optional and by default disabled page level switch? You’ve just made a relatively simple fix to a solution a nasty morass of hard to discover configuration settings??? The original way this worked was perfectly discoverable via attributes in the page. Now you can set this setting in the page and get completely unexpected behavior and you are required to set what effectively amounts to a backwards compatibility flag in the configuration file.

It turns out the real reason for the .config flag is that the request validation behavior has moved from WebForms pipeline down into the entire ASP.NET/IIS request pipeline and is now applied against all requests. Here’s what the breaking changes page from Microsoft says about it:

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

<httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

Ok, so ValidateRequest of the form still works as it always has but it’s actually the ASP.NET Event Pipeline, not WebForms that’s throwing the above exception as request validation is applied to every request that hits the pipeline. Creating the runtime override removes the HttpRuntime checking and restores the WebForms only behavior. That fixes my immediate problem but still leaves me wondering especially given the vague wording of the above explanation.

One thing that’s missing in the description is above is one important detail: The request validation is applied only to application/x-www-form-urlencoded POST content not to all inbound POST data.

When I first read this this freaked me out because it sounds like literally ANY request hitting the pipeline is affected. To make sure this is not really so I created a quick handler:

public class Handler1 : IHttpHandler
{

    public void ProcessRequest(HttpContext context)
    {
        context.Response.ContentType = "text/plain";
        context.Response.Write("Hello World <hr>" + context.Request.Form.ToString());
    }

    public bool IsReusable
    {
        get
        {
            return false;
        }
    }
}

and called it with Fiddler by posting some XML to the handler using a default form-urlencoded POST content type:

and sure enough – hitting the handler also causes the request validation error and 500 server response.

Changing the content type to text/xml effectively fixes the problem however, bypassing the request validation filter so Web Services/AJAX handlers and custom modules/handlers that implement custom protocols aren’t affected as long as they work with special input content types. It also looks that multipart encoding does not trigger event validation of the runtime either so this request also works fine:

POST http://rasnote/weblog/handler1.ashx HTTP/1.1
Content-Type: multipart/form-data; boundary=------7cf2a327f01ae
User-Agent: West Wind Internet Protocols 5.53
Host: rasnote
Content-Length: 40
Pragma: no-cache

<xml>asdasd</xml>--------7cf2a327f01ae

*That* probably should trigger event validation – since it is a potential HTML form submission, but it doesn’t.

New Runtime Feature, Global Scope Only?

Ok, so request validation is now a runtime feature but sadly it’s a feature that’s scoped to the ASP.NET Runtime – effective scope to the entire running application/app domain. You can still manually force validation using Request.ValidateInput() which gives you the option to do this in code, but that realistically will only work with the requestValidationMode set to V2.0 as well since the 4.0 mode auto-fires before code ever gets a chance to intercept the call. Given all that, the new setting in ASP.NET 4.0 seems to limit options and makes things more difficult and less flexible. Of course Microsoft gets to say ASP.NET is more secure by default because of it but what good is that if you have to turn off this flag the very first time you need to allow one single request that bypasses request validation??? This is really shortsighted design… <sigh>

Social Media Fatigue
I love using social media and I really love helping clients use it for their business, but sometimes I find myself on the verge of burnout or social media fatigue. There are so many things to keep on top of, from the latest Facebook changes, to the newest location based service or the newest tool. [...]

And then there was light – Xamling is born
So the news is if you missed it: I quit my job at Readify and started a new company with my brother Alex. Our new company is called Xamling (pronounced Zam-ling) ! Holy crap it took us ages to think of a name, we even ran a help name us site – which turned up [...]

A New Podcast for Developers - This Developer's Life

Windows Phone 7 Developer Launch Events

Windows Phone 7 gives you the power to build complex, robust applications using consistent hardware specs, a comprehensive development toolkit, and the all-new, full-service Marketplace for selling your apps. We want you to be ready to capitalize on this new frontier, so we’re launching two days of fast-paced learning to get you up and running with Windows Phone 7 development. Check out the agenda and pick the day that best fits your needs – or join us for both. The choice is yours. Whatever you can imagine, you’ll get the information you need to build high-demand apps with Windows Phone 7.

DAY 1: Jump-Start Your Mobile Development - Lecture based event

DAY 2: Unleash Your Best App Workshop - Hands On Lab environment

Day 1: Jump-Start Your Mobile Development | 8:30am - 5:15pm
In the first of this two-day launch event, we'll take you under the hood of Windows Phone 7 and the Windows Phone 7 platform with a progressive set of learning sessions. We'll start with the basic tools and fundamentals of Windows Phone 7 application development and as the day unfolds, we'll go deeper into development scenarios using Silverlight, XNA and the Windows Phone 7 SDK. You'll also see how to earn cash for your apps in the fully loaded Marketplace.

Day 2: Unleash Your Best App Workshop | 9:00am - 4:00pm
This hands-on workshop is designed to help you turn those napkin sketches and subway scribbles into real, sellable apps. You'll apply fundamental Windows Phone 7 design principles to build an app and upload it to the fully revamped Marketplace. Go at your own pace or follow along with a proctored group lab. Either way, you'll get step-by-step advice from Microsoft and community experts. It's an unprecedented opportunity to stake your claim in the marketplace – using familiar tools and consistent specs

Orange County, CA
Hilton Orange County
September 29 - 30, 2010

Mountain View, CA
Microsoft Silicon Valley Office

San Francisco, CA
San Francisco Design Center
October 20 - 21, 2010

To Register for These Events Please Visit: http://msdnevents.com/wp7 or call 1-877-MSEVENT

Does MR have some catching up to do?
Browsing a couple of ad agency bloggers, and came across a couple of interesting pieces. This deck uploaded by Jason Oke demonstrates the issues with connections planning: Connections Planningness View more documents from Jason Oke. If agencies are moving towards a new understanding of what people do, and how they use media; and towards identifying people’s real problems. [...]

How to Run a Meeting
I bag on meetings. I bag on meetings because like any nerd I expect the universe to be efficient and orderly and there is no more vile a violation of this sense of orderliness than a room full of people...

Support the EFA
I’ve written in the past (1, 2) about the Australian government and their misguided attempts to censor the internet.  The EFA are a non-profit organisation that defend against the freedoms and rights of online users and one of the (many) battles they’re fighting is against mandatory filtering in Australia. The EFA do good work. They’ve [...]

Displaying Files and Folders in a GridView

The .NET Framework provides a variety of classes in the System.IO namespace that simplify working with the file system. Using these classes it's possible to delete files and folders, to create new files, to edit existing files, and more. These classes, combined with ASP.NET's suite of Web controls and databinding syntax, make it quite easy to present information about the files on the web server's file system to visitors to your website. With a bit of markup and code, it's possible to add a simple file browser to a web page that allows users to view the files and folders from a particular directory on the web server. Such file browsers are useful if you let users upload content to the website and need to let them view their uploaded content. If you have a folder that contains user-accessible content like images, PDF files and Word documents, a file browser offers a quick and easy way for users to see what content is available and to view content of interest.

Back in 2003 I wrote an article titled Displaying the Files in a Directory using a DataGrid that showed how to list the files of a particular folder in a DataGrid Web control. This dated article still attracts a decent amount of traffic and questions from readers, so much so that I thought it worthwhile to update the content to use the latest technology, namely ASP.NET 4 and the GridView Web control. I also added some new features. For example, the file browser now lists both files and folders, allowing users to view the files in subfolders. Also, I moved the markup and code into a User Control, which simplifies adding the file browser to an ASP.NET page. This article walks through this new, updated version; the complete, working code is available for download at the end of this article. Read on to learn more!
Read More >

Review – Clybourne Park, Royal Court Theatre
Why on earth would anyone want to go to see Clybourne Park, the latest offering at the Royal Court? These are the only reasons we could think of off the tops of our heads. Bruce Norris‘s (The Pain And The Itch) play is thought-provoking And squirm-inducing And riotously funny. It’s confidently directed by Dominic Cooke, [...]

Apps vs. the Web
There's an app for that, and you're the folks who are creating it. But should you design a web-based application, or an iPhone app? Each approach has pluses and minuses—not to mention legions of religiously rabid supporters. Apple promotes both approaches (they even gave the web a year-long head start before beginning to sell apps in the store), and the iPhone's Safari browser supports HTML5 and CSS3 and brags a fast JavaScript engine. Yet many companies and individuals with deep web expertise choose to create iPhone apps instead of web apps that can do the same thing. Explore both approaches and learn just about everything you'll need to know if you choose to create an iPhone app—from the lingo, to the development process, to the tricks that can smooth the path of doing business with Apple.

ASP.NET MVC 2.0 Validation
An overview of validation in ASP.NET MVC 2.0.

Script Junkie

Earlier this year in February, I blogged about key software development trends. 

The second trend, The Web as a Platform, continues to grow at an astounding rate.  Browser-based applications such as MugTug show the increasing flexibility and power of web technologies.  New and experienced developers alike are anxious to learn everything they can about how to take advantage of the web to deliver experiences to their audience.

But learning HTML, JavaScript, CSS, and other web standards technologies can be daunting.  The languages, libraries, and interfaces can be complex, and successful development and debugging techniques can be difficult to find among the scrapyard of unsuccessful methods.

Enabling you to better navigate standards based web technologies is the goal behind Script Junkie, MSDN's newest developer hub. 

MSDN's goal has always been to help the developer get their job done more efficiently, and Script Junkie brings that assistance to web-based coding.  Script Junkie is the start of a new generation of centers on MSDN focused on offering the best of Microsoft and non-Microsoft resources to address real life and practical end-to-end developer scenarios.

Script Junkie offers a concise resource for the latest in web site development techniques by providing solutions-based articles, videos and code samples written by JavaScript community luminaries such as Christian Heilmann, Elijah Manor, Emily Lewis, Juriy Zaytsev, and Rey Bango.  And of course, new articles are posted on a regular basis.  Many articles contain code suitable for using in your own projects, such as Mani Sheriar's article on Scrolling Content with jQuery and HTML and Robert Nyman's article on Using Web Storage on the Client-Side.

Come check out Script Junkie, participate on the forum, and learn from the articles and tips.  Are you an expert HTML developer or designer?  If so, consider contributing articles, screencasts, or code samples for Script Junkie to share back with the community of HTML and JavaScript developers.

Namaste!