Include Page in FP2003


Thomas A. Rowe

John,

If you include ASP code in a .htm or .html page it will not execute, unless
the server has been set to process .htm or .html pages as ASP pages. At
least this is what I have been seeing when using Classic ASP; I don't use
ASPX, so maybe that is why the change was made.

I use both FP Includes and ASP/SSI Includes. I always use FP Includes with
site navigation, since this allows FP to maintain any links relative to
the page using the include, instead of the page to be included, which is what
you get when using ASP/IIS Includes.

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 

Kathleen Anderson (MVP - FrontPage)

Thomas A. Rowe said:
John,
I always use FP Includes
with site navigation, since this allows FP to maintain any links
relative to the page using the include, instead of the page to be
included, which is what you get when using ASP/IIS Includes.

Me, too.


--

~ Kathleen Anderson
Microsoft FrontPage MVP
Spider Web Woman Designs
http://www.spiderwebwoman.com/resources/
 

Thomas A. Rowe

John,

Additional comment...

If the issue is that including ASP/ASPX in a .htm or .html page is
somehow a security issue, then FP2003 should check the file extension of the
container page and compare it to the file extension of the page to be
included.

I was testing with a container page named test.asp and trying to include a
file named testinc.asp.

FP users that understand how ASP/ASPX works would never include a .asp page
in a .htm or .html page.
--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================
 

John Jansen (MSFT)

I agree with your logic Thomas (I expected it would work for ASP/ASPX if you
were authoring from an ASP/ASPX page), I am not sure why it was disabled for
this scenario.

Thanks too for the user scenario (that Kathleen dittoed).

As for your last post, the fear for the security concern was not that the
ASP would execute, it was that users who didn't understand ASP would
accidentally include ASP in an HTM page and then users who viewed source on
that HTM page would be able to see all the backend code (potentially
usernames, passwords, server names, etc).

As I said, I'm checking around, but for now we're going to need to use the
workarounds posted.

-John




Thomas A. Rowe said:
John,

Additional comment...

If the issue is that including ASP/ASPX in a .htm or .html page is
somehow a security issue, then FP2003 should check the file extension of the
container page and compare it to the file extension of the page to be
included.

I was testing with a container page named test.asp and trying to include a
file named testinc.asp.

FP users that understand how ASP/ASPX works would never include a .asp page
in a .htm or .html page.
--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


John Jansen (MSFT) said:
Oh jeeze,

Yeah, I misunderstood. This looks like an issue that needs to be
re-evaluated. I'm going to talk to the PM about this change. Your
workaround is correct: include an HTM page and then change it in code view.

As I look at the issue, it was disabled because including ASP/ASPX inside an
HTM page is a security risk; but it looks to me like the fix was too
stringent.

As an alternative work around, I would also recommend using actual ASP
include syntax rather than our bot for including ASP code:

<!-- #include file="foo.asp" -->

-John

Thomas A. Rowe said:
John,

I think you are misunderstanding the issue.

The issue is that using the FP2003 Include Page Component, you are only
allowed to include pages that have a .htm or .html file extension. In FP2000
or FP2002 you are not limited to only including pages with .htm or .html
file extensions.

However you can include any .htm or html file, then switch to code view and
 

Thomas A. Rowe

John,

Here is an article related to this issue:

http://www.4guysfromrolla.com/webtech/020400-2.shtml

--

==============================================
Thomas A. Rowe (Microsoft MVP - FrontPage)
WEBMASTER Resources(tm)

FrontPage Resources, Forums, WebCircle,
MS KB Quick Links, etc.
==============================================


John Jansen (MSFT) said:
I agree with your logic Thomas (I expected it would work for ASP/ASPX if you
were authoring from an ASP/ASPX page), I am not sure why it was disabled for
this scenario.

Thanks too for the user scenario (that Kathleen dittoed).

As for your last post, the fear for the security concern was not that the
ASP would execute, it was that users who didn't understand ASP would
accidentally include ASP in an HTM page and then users who viewed source on
that HTM page would be able to see all the backend code (potentially
usernames, passwords, server names, etc).

As I said, I'm checking around, but for now we're going to need to use the
workarounds posted.

-John
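
The exposure John Jansen describes in this thread (ASP source ending up in a page served as plain HTML, where anyone can read it with view source) can be checked for on an existing site. The following is an added example, not code from the thread or from FrontPage: it walks a web root and flags .htm/.html files that contain ASP script blocks or that reference a .asp/.aspx file through an include directive or a FrontPage Include Page webbot comment. The webbot comment form and the sample files built in `demo()` are constructed for illustration; only `foo.asp` and `testinc.asp` are names taken from the posts.

```python
import re
import tempfile
from pathlib import Path

# Extensions served verbatim unless the server maps them to the ASP engine.
STATIC_EXT = {".htm", ".html"}
# Server-side script delimiters: <% ... %> or <%= ... %>
ASP_BLOCK = re.compile(r"<%.*?%>", re.S)
# ASP/SSI include of a server-side file: <!-- #include file="foo.asp" -->
SSI_INCLUDE = re.compile(
    r'<!--\s*#include\s+(?:file|virtual)\s*=\s*"([^"]+\.aspx?)"', re.I)
# FrontPage Include Page component pointing at a server-side file.
FP_INCLUDE = re.compile(
    r'<!--\s*webbot\s+bot="Include"[^>]*?U-Include="([^"]+\.aspx?)"', re.I)

def scan_file(path):
    """Return (kind, detail) findings for one static page."""
    text = path.read_text(encoding="utf-8", errors="replace")
    findings = [("asp-block", m.group(0)[:40]) for m in ASP_BLOCK.finditer(text)]
    findings += [("ssi-include", m.group(1)) for m in SSI_INCLUDE.finditer(text)]
    findings += [("fp-include", m.group(1)) for m in FP_INCLUDE.finditer(text)]
    return findings

def scan_webroot(root):
    """Map each flagged .htm/.html file (relative path) to its findings."""
    report = {}
    for path in sorted(Path(root).rglob("*")):
        if path.is_file() and path.suffix.lower() in STATIC_EXT:
            hits = scan_file(path)
            if hits:
                report[path.relative_to(root).as_posix()] = hits
    return report

def demo():
    """Build a constructed sample web root and scan it."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "clean.htm").write_text("<html><body>Hello</body></html>")
        (root / "leaky.htm").write_text(
            '<html><% conn = "Provider=SQLOLEDB;Password=EXAMPLE" %></html>')
        (root / "nav.html").write_text(
            '<!--webbot bot="Include" U-Include="testinc.asp" TAG="BODY" -->')
        (root / "ssi.htm").write_text('<!-- #include file="foo.asp" -->')
        (root / "test.asp").write_text('<% Response.Write "ok" %>')  # not static
        return scan_webroot(root)

if __name__ == "__main__":
    for page, hits in demo().items():
        print(page, hits)
```

A hit on a server where .htm/.html is deliberately mapped to the ASP engine is expected behaviour; on any other server it marks a page to review before it is published.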
 

MD WebsUnlimited.com

The fix is to write a macro to insert the webbot code for the include webbot
pointing at a .asp page.