homepage Welcome to WebmasterWorld Guest from 54.204.141.129
register, free tools, login, search, pro membership, help, library, announcements, recent posts, open posts,
Become a Pro Member

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
Forum Library, Charter, Moderators: ocean10000

Microsoft IIS Web Server and ASP.NET Forum

    
Norton Internet Security blocking my ASP/VBScript Code?
Script blocking service is blocking my ASP code? How can this be?
ProductivePC




msg:949278
 4:31 am on Sep 9, 2005 (gmt 0)

I am unsure what is happening here. If I have my norton 2004 internet security enabled (The script blocking part of it), then I can get to a certain part on my web site and go no further. When you click continue, the page just refreshes with no action. However, If I disable the NSB Service I can continue on with no issues. Below is the code. It references an ASP page to process the form. How can Norton Block the ASP page? Can I get around this?

Thanks for any insight.

Wayne


<form><INPUT name="continue" border='0' type=image src="images/vpnav_continueshopping.gif">&nbsp;<INPUT
name="checkout" type=image border='0' src="images/vpnav_checkout.gif">&nbsp;</form><b>
<font face='Verdana, Arial, Helvetica, sans-serif'>Items in shopping cart: 1</font></b>


<P>
<FORM action="shopaddtocart.asp" method="POST">


<script type="text/javascript">
function openPOPUPwindow(prodid) {
var myWin;
var myWinName = "";
myWin=window.open('',myWinName,
'menubar=no,toolbar=no,location=no,status=yes,directories=no,copyhistory=no,resizable=yes,scrollbars=yes,fullscreen=yes');
myWin.location.href = 'shopexd_MC.asp?id='+[prodid]+'&popupB=true';
myWin.focus();
}
</script>
<div align='center'><table border='0' cellpadding='3' cellspacing='2' width='600'><TR bgcolor='#F9F3FD'>
<td bgcolor='#F1DDFD'><p align=center><b>
<font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'>Remove</font></b></td>
<td bgcolor='#F1DDFD'><p align=center><b><font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'>
Description </font></b></td><td bgcolor='#F1DDFD'><p align=center><b>
<font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'>Qty</font></b></td>
<td bgcolor='#F1DDFD'><p align=center><b><font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'>
Unit Price </font></b></td><td bgcolor='#F1DDFD'><p align=center><b>
<font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'>Total</font></b></td></tr>
<TR bgcolor='#F9F3FD'>
<TD align=center width='5%'>
<a href="shopremoveitem.asp?cartid=1"><img border="0" src="images/vpnav_remove.gif"></a></TD>


<TD align="left" width="50%">
<table border=0 cellpadding=1 cellspacing=1>
<tr><td align=left>
<a href="#" onclick="openPOPUPwindow('340');">
<img border='0' src='images/products/category/1023.jpg'></a>
</td>
<td align=left valign=middle>
<font face='Verdana, Arial, Helvetica, sans-serif'>Picnic in the Park<br><br><b>
<font color=660099>Gift Basket Prices</font><br></b> Medium</font>
</td></tr>
</table>
</TD>
<TD width='10%' align=center><INPUT type='text' maxlength=3 size=1 name=quantity1 value=1></TD>
<TD align="right" width="10%"><font face='Verdana, Arial, Helvetica, sans-serif'>$142.95</font></TD>


<TD align="right" width="10%"><font face='Verdana, Arial, Helvetica, sans-serif' size=>$142.95</font></TD>
</tr><TR><TD></TD><td></td><TD colspan='2' bgColor='#F1DDFD'><b>
<font face='Verdana, Arial, Helvetica, sans-serif' color='#660099'
size='14px'>Total Product Price</font></b></td><TD align='right' bgColor='#F9F3FD'><b>
<font face='Verdana, Arial, Helvetica, sans-serif'>$142.95</font></b></td></tr></table></center></div><br><INPUT
name="continue" border='0' type=image src="images/vpnav_continueshopping.gif">&nbsp;<INPUT
name="recalculate" border='0' type=image src="images/vpnav_recalculate.gif">&nbsp;<INPUT name="checkout"
type=image border='0' src="images/vpnav_checkout.gif">&nbsp;
</P></FORM>

[edited by: Xoc at 12:27 pm (utc) on Sep. 9, 2005]

 

txbakers




msg:949279
 10:56 am on Sep 9, 2005 (gmt 0)

ASP is a server script, s the Script Blocking will block it.

You need to disable that in order to run your scripts.

A small flaw with Norton.

PCInk




msg:949280
 11:17 am on Sep 9, 2005 (gmt 0)

window.open

Norton has a pop-up blocker, window.open will not work with Norton enabled.

ASP is a server script, s the Script Blocking will block it.

Norton shouldn't block any server scripts (I have never had the problem), but it may block client side (such as JavaScript).

Also check all your filenames are working correctly and are not being blocked by the advert blocker (eg shopremoveitem.asp?cartid=1). To do this, open the page in a browser, go to view source and check that all the href="" tags are still there and are correct, as well as <form> action urls.

ProductivePC




msg:949281
 2:38 pm on Sep 9, 2005 (gmt 0)

The whole shopping cart is ASP/VBScript. Everthing else works with no issues.

Well, I know that Norton shouldn't be blocking it however the fact still stands that if I have the script blocking service on, it stops me from getting past the code you see above. If the script blocking service is off, then I can get past that page with no qualms.

Now, I did see the fact that we have a <form> with no action there however the strange thing is those buttons still work when the script blocking is off.

The ASP page that it refers to is the processing script for that form. This is what is being blocked.

The Window.Open script is only a picture on that page that opens to a popup window. It still works with the script blocking on.

PM me and I can give you the URL.

Wayne

txbakers




msg:949282
 7:50 pm on Sep 9, 2005 (gmt 0)

I would just turn off the script blocker. ASP is a script, especially stuff like File System Object scripts.

ProductivePC




msg:949283
 5:24 am on Sep 10, 2005 (gmt 0)

How can I turn off the script blocker from every single person that visits our web site? I have to find a way around this.

Does anyone have any ideas. I have someone checking into the form idea. Anything else?

txbakers




msg:949284
 12:21 pm on Sep 10, 2005 (gmt 0)

You turn it off at your site on your server.

mattur




msg:949285
 12:48 pm on Sep 10, 2005 (gmt 0)

How can I turn off the script blocker from every single person that visits our web site? I have to find a way around this.

Break the problem down to solve it. Where is the problem occurring?

Norton Script Blocking can prevent ASP pages executing (check the Norton help or Knowledge Base articles). But ASP pages don't execute on the client, they execute on the server and then return normal web pages to the client to display.

If you are developing on your own PC's web server (you don't describe your set-up), then your PC is the server and the client. I'd guess Norton is blocking the server processing, not the client processing. Visitors will not have turn off script blocking to visit your web site (client processing). Visitors would only have to turn off script blocking if they were hosting your web site on their PC (server processing).

So try turning off script blocking on your PC (the server), then browse to the website from another PC with script blocking on (the client).

If it works then the script blocking is happening on the ASP and you have nothing to worry about - the live web server won't have script blocking on. If it doesn't work, then there's a client-side problem in the HTML/javascript your ASP returns and for some reason Norton is blocking it. Fix it.

Millions of websites work for visitors with Norton script blocking on, your website will too :)

ProductivePC




msg:949286
 1:37 pm on Sep 10, 2005 (gmt 0)

I don't have Norton Script Blocking on our server. It is client based. That is what is blocking it.

Fix it...? That is what I am attempting to do here to see if anyone has any ideas.

I have been through the Symantec Knowledge Base. I have also Googled the issue.

I have also seen Norton Script Blocking block a lot of things before including items on a web page. This is just my first direct experience with it.

This was just a last resort because I don't know what is causing it.

mattur




msg:949287
 3:51 pm on Sep 10, 2005 (gmt 0)

Are you sure it's a script blocking problem, and not pop-up blocking? When you turn off script blocking does it also turn off ad blocking?

If the problem is pop-up blocking, then it's nothing to do with ASP/VBscript and your problem won't just be with Norton Internet Security users...

How to fix it: don't use pop-ups ;)

ProductivePC




msg:949288
 4:03 pm on Sep 10, 2005 (gmt 0)

I am sure. I have the client computer with script blocking on... the error happens.

I go to the services on the client computer, stop the script blocking service from running and it goes through with no issues.

The window.open that you see there is a blow up image. It works with script blocking on or off.

aspdaddy




msg:949289
 9:49 pm on Sep 10, 2005 (gmt 0)

If its client based why are you worrying about it?

There are thousands of things clients might haveswitched on that prevent them seeing your page - I even seen clisents disable https!

All you can do is develop the site to work under "normal" conditions.

ProductivePC




msg:949290
 10:01 pm on Sep 10, 2005 (gmt 0)

If clients cannot get past the page then they cannot purchase. If they do not purchase, then we lose money. :)

ProductivePC




msg:949291
 10:02 pm on Sep 10, 2005 (gmt 0)

Is there anyone out there that has any actual ideas rather than remarks as to why this issue should not be fixed?

emsaw




msg:949292
 5:51 am on Sep 11, 2005 (gmt 0)

ProductivePC,

Let's first prove/disprove that this is a client-side scripting issue.

Turn off Norton IS.
Now, in your browser, disable JavaScript.
Does your site application work?
If so, Norton IS is doing something funky, although I can't imagine what. You'll have to search Symantec's KBs for some answers on that.
If your application doesn't work, then it's a JavaScript dependency issue.

As far as Norton IS preventing some sort of server side code from executing correctly, that is impossible. The server, as stated earlier, is doing it's processing and sending plain old HTML and maybe some client-side script for your computer to do something with.

Also, please confirm that we are talking about a client-server model here. I.E you are not opening a browser on the same box that you are accessing the site from.

If it turns out to be a JavaScript dependency issue. Post some code and we can find out how to make the JavaScript into a convenience if it's enabled, rather than a show-stopper if it's not.

Mark

ProductivePC




msg:949293
 6:14 am on Sep 11, 2005 (gmt 0)

Thanks for the reply mark.

Here is a full scenario

1. World Famous Gift Baskets Temp Site is hosted on a Server in Tampa, FL.

2. As we are developing the web site, we are walking different people through navigating it and getting the responses. To our surprise, they could not get past the shopaddtocart.asp page. None of them. At this time, we did not know what was going on.

3. I run a computer repair company. One of the laptops that I maintain just happens to have norton 2004 internet security on it. I was using this laptop while working on the temp site for World Famous Gift Baskets. I all of a sudden could not get past the shopaddtocart.asp page. I started looking and breaking down what that computer had on it. I started troubleshooting. It is definitely without a doubt the Norton Script Blocking Service that is stopping these people from getting past that page.

The code, I posted on the first post is the code in question. Is there some other code that you require?

If you want to PM or email me I will give you the URL and the page in question.

NSB is not allowing the following action to occur:
<FORM action="shopaddtocart.asp" method="POST">

The javascript that you see there is just an popup window that a bigger image appears on. It works no problems.

The only thing that I can see being an issue is the following bit of code:
<form><INPUT name="continue" border='0' type=image src="images/vpnav_continueshopping.gif">&nbsp;<INPUT
name="checkout" type=image border='0' src="images/vpnav_checkout.gif">&nbsp;</form><b>
<font face='Verdana, Arial, Helvetica, sans-serif'>Items in shopping cart: 1</font></b>

There is no action in the form. The strange thing is that the form still works from the other forms action. I don't understand it personally but it works.

If I have norton script blocking enabled on that laptop I mentioned, then I cannot click any button on that page or the page will refresh.

If I have norton script blocking disabled, then I can click any button with no issues whatsoever.

Thanks for any insight

Wayne

aspdaddy




msg:949294
 11:07 am on Sep 11, 2005 (gmt 0)

Turn off Norton IS

Wont actually prove anything, simply shutting doen a client security application rarely stops the underlying services from running or malicious code could simply do the same.

I'v had client with Zone Alarm Pro have very similar problems to the problem you are having, shutting down zone alarm fixed the problem but it wasnt actually ZA causing the problem it was a broken TCP/IP stack on the client and once fixed the sites worked with or without ZA running.

aspdaddy




msg:949295
 12:27 pm on Sep 11, 2005 (gmt 0)

oops!

[edited by: aspdaddy at 12:29 pm (utc) on Sep. 11, 2005]

aspdaddy




msg:949296
 12:28 pm on Sep 11, 2005 (gmt 0)

Why do you do a simple test page with a simple form with an action and no javascript or popups.

If that works OK then its possibly the javascript, pop-ups or form without the action thats the problem.

ProductivePC




msg:949297
 5:23 pm on Sep 11, 2005 (gmt 0)

I am working on it. I will be testing that tonight.

Now, the javascript works no problems whatsoever even when script blocking is on so I highly doubt that is it however I will be removing those buttons at the top in order to test whether or not it is that form with no action setting it off. That is very much a possiblility. I have not been able to get into there yet. The person that was supposed to be testing it is dropping the ball and not getting back to me whether or not he tested it.

Wayne

mrMister




msg:949298
 2:36 am on Sep 12, 2005 (gmt 0)

If I could put how much I hate Norton Internet Security in to words, WebmasterWorld would run out of storage space ;-)

I highly recommend you uninstall it. Then trample on the disc, smash it against a wall, chuck it in the bin, burn it, throw the bin out of the window, bury it, lay concrete over the top and build a scyscraper on the land. Then put an armed military unit in the basement of the skyscraper to ensure that it never resurfaces. Then demand your money back and sue for damages.

I believe it's likely that this problem is caused by Norton Internet Security blocking the HTTP REFERER header.

I believe this setting is in Norton Firewall. Have a look on how to disable it and see if that works. If it does, you've found the cause of the problem. Then you have to fix the source of it.

By the way, I'm pretty sure you've posted the wrong code. Can you please post the source code of shopaddtocart.asp if you want us to help fix this.

ProductivePC




msg:949299
 4:09 am on Sep 12, 2005 (gmt 0)

Norton Hater here too... LMAO. Now, that was funny. I do not have it on there because I like it. However, I keep it on there in order to troubleshoot this issue.

I tried to post the code as requested however my post was deleted.

I will sticky you the whole code as suggested by WW.com moderators

Wayne

mrMister




msg:949300
 4:43 am on Sep 12, 2005 (gmt 0)

Just as a note to everyone reading this. I've had a look at the site in question and my suspicions were correct.

If I view the site normally, everything works fine. If I disable the HTTP REFERER header in my browser then it just reverts back to the original page.

ProductivePC




msg:949301
 4:50 am on Sep 12, 2005 (gmt 0)

MrMister,

You are absolutely correct. I just looked at the script written and it uses a http_referrer to check to see if it is a blank recalculate.

Thank you very much for helping me pinpoint the issue.

Do you have any suggestions on how I should rewrite this code in order to avoid this?

Wayne

Here is the part in question.


If (inStr(1,Request.ServerVariables("HTTP_REFERER"),"shopaddtocart.asp",1)) < 1 Then
strAction = ""
ELSEIF (Request("Continue") = "") AND (Request("Continue.x") < 1) AND (Request("checkout") = "") AND (Request("checkout.x") = "") AND (inStr(1,Request.ServerVariables("HTTP_REFERER"),"shopaddtocart.asp",1) > 0) Then
strAction = "RECAL"
ELSE


mrMister




msg:949302
 5:56 am on Sep 12, 2005 (gmt 0)

It's a security mechanism by the looks of it (hard to tell from just that section of the code). You need to find another way of ensuring that someone isn't posting data from a source other than your web site.

Logging IP addresses might be one way.

You also need to get the referrer data sent to the page another way. Possible using a hidden field in the posted form or by using the querystring.

Global Options:
 top home search open messages active posts  
 

Home / Forums Index / Microsoft / Microsoft IIS Web Server and ASP.NET
rss feed

All trademarks and copyrights held by respective owners. Member comments are owned by the poster.
Home ¦ Free Tools ¦ Terms of Service ¦ Privacy Policy ¦ Report Problem ¦ About ¦ Library ¦ Newsletter
WebmasterWorld is a Developer Shed Community owned by Jim Boykin.
© Webmaster World 1996-2014 all rights reserved