Search This Blog

Monday, May 11, 2015

Redirecting from an external hyperlink to a View in an XAF Web app with the ASP.NET Forms Authentication - YOUR FEEDBACK IS NEEDED

I wanted to ask the XAF community members interested in this functionality to test a simpler solution to the problem described in this thread. Long story short, you have a hyperlink to an XAF Web application form like this: 

and want to include it in an email and send it to a user so that he or she is able to navigate to that view on your web site (e.g., open a user profile or changed order details). If that app has a security system  with a logon form enabled, then the URL fragment after # is cut after a successful authentication, which makes navigation to the required app screen not possible by default. Instead, the URL fragment before the hash symbol is opened (see similar threads on StackOverFlow for more details: one, two, three).
There was a tricky solution to work around the default ASP.NET request processing mechanism in the original Support Center thread, but today I wanted to share a simpler solution for our users.

Here it comes:
1. In the Solution Explorer, right-click the YourSolutionName.Web/Login.aspx file and invoke the View Markup command from the context menu.
2. Paste the <script/> element with the JavaScript code below before the </body> element, as follows:

<body class="Dialog">
    <div id="PageContent" class="PageContent DialogPageContent">
        <form id="form1" runat="server">
            <cc4:ASPxProgressControl ID="ProgressControl" runat="server" />
            <div id="Content" runat="server" />
    <%--This part is added.--%>
    <script type="text/javascript">
    function encodeLocationHash() {
        var search =;
        if (search && search.indexOf('ReturnUrl=') > -1) {
            var hash = window.location.hash;
            if (hash && hash.length > 1) {
                var newUrl = window.location.href.replace(hash, '');
                newUrl += encodeURIComponent(hash);
    attachWindowEvent('load', encodeLocationHash);

This simple solution worked fine in many internal tests, but we wanted to make sure there are no tricky situations in your real apps, which are left uncovered.

I look forward to hearing from you on whether you:
Q1. ever experienced such a requirement in your XAF web sites.
Q2. got this new and simple solution working in your Web apps with the logon form.
Thanks in advance!


  1. Nice Post Dennis
    I have tried and it change url from


    Which gives a 404
    Also using Xpand so dont know if that could be the cause, any ideas ?

  2. Hello Wayne, thanks for your comment! This non-standard situation was not handled by our solution. We will consider either ignoring such URLs or making it to work as expected. Would you please also point out a specific eXpand Framework feature you are using? Looking at the query string, I guess it has something to do with making user-friendly URLs, but I am not 100% sure.

  3. Hi
    Thank you for the post
    I have a question. Howto generate the url of a detailview to sending it by email to a user?

  4. @MohAl: You can use the two solutions from

  5. @Wayne Van Rooyen: This situation is now handled. See the updated code snipped for more details.

  6. @Dennis
    Thanks only came across your reply now.

  7. Hi Dennis,
    We migrated our application where we use this code to new XAf Web UI and this code does not work anymore as is.
    during debugging javascript told us attachWindowEvent does not exist or something like that. So I found out I must change attachWindowEvent by method addEventListener (parameters are the same as in attachWindowEvent ) and code again works as expected.

    1. Petr,

      The attachWindowEvent function is from the XAF's CommonFunctions.js file, which contains a lot of standard functionality and cannot be missing. This function internally uses the addEventListener method you used, which should be working in the latest web browsers such as IE9+ and others. We need to use this custom function for compatibility with the old web browsers XAF supported at the time of writing this article.

      function attachElementEvent(element, name, handler) {
      if (element.addEventListener) {
      element.addEventListener(name, handler, false);
      else {
      element.attachEvent('on' + name, handler);

  8. So one of my clients uses a penetration tester. The Penn tester is warning that this is unsafe because of the potential for Cross-site Scripting and that there is potential for a malicious user to 'craft a request that may run arbitrary JavaScript in a victim's web browser'. It goes on to say that malicious users could use this to steal session tokens or private data of authenticated users.

    Thoughts on this accusation?
    Any other way around this?

    1. Hello, Ambur! Would you please provide a detailed description of a possible attack or step-by-step instructions that can be used to reproduce it with the MainDemo.Web app using the aforementioned approach? With that, we will be able to research and give additional information on this issue, which can eventually be a 'false positive' as well.
      Please email this info at or rather submit a private ticket using the Support Center (