Gabe enjoys it when clients request that he does updates on old software. For Gabe, it's exciting: you never know what you'll discover.
Public Sub AspJavaMessage(ByVal Message As String)
System.Web.HttpContext.Current.Response.Write("<SCRIPT LANGUAGE=""JavaScript"">" & vbCrLf)
System.Web.HttpContext.Current.Response.Write("alert(""" & Message & """)" & vbCrLf)
System.Web.HttpContext.Current.Response.Write("</SCRIPT>")
End Sub
This is server-side ASP .Net code.
Let's start with the function name: AspJavaMessage
. We already know we're using ASP, or at least I hope we are. We aren't using Java, but JavaScript. I'm not confident the developer behind this is entirely clear on the difference.
Then we do a Response.Write
to output some JavaScript, but we need to talk about the Response
object a bit. In ASP .Net, you mostly receive your HttpResponse
as part of the event that triggered your response. The only reason you'd want to access the HttpResponse
through this long System.Web.HttpContext.Current.Response
accessor is because you are in a lower-level module which, for some reason, hasn't been passed an HTTP response.
That's a long-winded way of saying, "This is a code smell, and this function likely exists in a layer that shouldn't be tampering with the HTTP response."
Then, of course, we have the ALL CAPS HTML tag, followed by a JavaScript alert()
call, aka, the worst way to pop up notifications in a web page.
Ugly, awful, and hinting at far worse choices in the overall application architecture. Gabe certainly unearthed a… delightful treat.
This post originally appeared on The Daily WTF.