MVC 3 RTM allowHtml doesn't work when using FormCollection

Backend | Unresolved | 2 | 1454
独厮守ぢ
独厮守ぢ 2021-01-19 18:35

MVC 3 RTM. Have a model that has an attribute with AllowHtml. In my controller action, if the action has FormCollection as parameter, it throws the exception:

2 answers
  • 2021-01-19 19:36

    You can't use AllowHtml with FormCollection. You could use the [ValidateInput] attribute, but obviously this disables validation for all values:

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Edit(FormCollection collection, int id)
    {
        // Note: nothing in this action is request-validated any more.
        var myEntity = _myRepo.Get(id);
        TryUpdateModel(myEntity);
        return DoSave(myEntity);
    }
    

    This being said I would use the following:

    [HttpPost]
    public ActionResult Edit(MyEntity entity)
    {
        if (ModelState.IsValid)
        {
            _myRepo.Save(entity);
            return RedirectToAction("Success");
        }
        return View(entity);
    }
    
    0 Discussion (0)
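    To make the trade-off in this answer concrete, here is an added example (not code from the original answer) that puts the two approaches side by side in one controller. The `Article` model, `ArticleController` and `_repo` are constructed for illustration; the point is that `[AllowHtml]` narrows the exemption to one property, whereas `[ValidateInput(false)]` with `FormCollection` exempts every posted field.

```csharp
using System.Web;
using System.Web.Mvc;

// Constructed example model: only Body is allowed to carry markup.
// Every other property keeps MVC 3 request validation.
public class Article
{
    public int Id { get; set; }

    // Still validated: a posted "<b>x</b>" here is rejected with
    // HttpRequestValidationException before the action runs.
    public string Title { get; set; }

    // Exempt from request validation for this property only.
    [AllowHtml]
    public string Body { get; set; }
}

public interface IArticleRepository   // hypothetical repository
{
    Article Get(int id);
    void Save(Article article);
}

public class ArticleController : Controller
{
    private readonly IArticleRepository _repo;

    public ArticleController(IArticleRepository repo) { _repo = repo; }

    // Weak form: FormCollection cannot honour [AllowHtml], so the only way to
    // accept markup is to switch validation off for the whole action. Now
    // Title (and any other field) arrives unvalidated as well.
    [HttpPost, ValidateInput(false)]
    public ActionResult EditLoose(int id, FormCollection form)
    {
        var article = _repo.Get(id);
        TryUpdateModel(article, form);
        _repo.Save(article);
        return RedirectToAction("Details", new { id });
    }

    // Preferred form: model binding applies [AllowHtml] per property, so
    // Title is still validated and only Body may contain markup.
    [HttpPost]
    public ActionResult Edit(Article article)
    {
        if (!ModelState.IsValid)
            return View(article);

        _repo.Save(article);
        return RedirectToAction("Details", new { id = article.Id });
    }

    // Rendering: [AllowHtml] only relaxes the *input* check. Unless Body is
    // sanitised before storage, it must still be encoded on output; Razor's
    // @Model.Body does this automatically, this helper shows the same thing
    // for code that builds strings by hand.
    public static string RenderBodyEncoded(Article article)
    {
        return HttpUtility.HtmlEncode(article.Body);
    }
}
```

    The second action is the one to prefer: the exemption is declared on the data model, next to the field that actually needs it, rather than on the action where it silently covers everything else in the request.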
  • 2021-01-19 19:40

    For security reasons, simply disabling validation is not a good solution, as you're inadvertently disabling security for that action method entirely.

    When you need just one GET or POST value, this is extremely annoying - for example, Request.Params["xyz"] will throw if there's an HTML value anywhere in your GET/POST data, even if the "xyz" value you posted does not contain HTML.

    (This is true as of the latest MVC 3.1 release.)

    To get around this issue, I extended my Controller base class with the following method:

        /// <summary>
        /// Gets a value from the current Controller's ValueProvider, bypassing post-data validation.
        /// </summary>
        public string GetUnvalidatedValue(string key)
        {
            ValueProviderResult result;
    
            if (ValueProvider is IUnvalidatedValueProvider)
            {
                result = ((IUnvalidatedValueProvider)ValueProvider)
                    .GetValue(key, skipValidation: true);
            }
            else
            {
                result = ValueProvider.GetValue(key);
            }
    
            return result == null ? null : result.AttemptedValue;
        }
    

    This effectively allows you to get an individual GET/POST value while bypassing the validation.

    I believe this is better, safer and more correct than turning off validation altogether - your application does benefit from the added security, even if the way it's implemented gets in the way, and apparently is pretty painful to get around.

    (I don't think this is by design, or at least not by very good design...)

    0 Discussion (0)
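    As an added example (not part of the original answer), here is how the helper above fits into a controller: the base class carries `GetUnvalidatedValue`, and a derived controller reads exactly one form key through it while every other key still goes through the normal, validated `ValueProvider` path. `SafeControllerBase`, `CommentController` and the `body`/`author` field names are constructed for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical base class carrying the helper from the answer above.
public abstract class SafeControllerBase : Controller
{
    /// <summary>
    /// Gets a value from the current Controller's ValueProvider, bypassing
    /// request validation for that single key only.
    /// </summary>
    protected string GetUnvalidatedValue(string key)
    {
        ValueProviderResult result;
        var unvalidated = ValueProvider as IUnvalidatedValueProvider;

        if (unvalidated != null)
            result = unvalidated.GetValue(key, skipValidation: true);
        else
            result = ValueProvider.GetValue(key);

        return result == null ? null : result.AttemptedValue;
    }

    /// <summary>
    /// Reads a key through the normal path. If the posted value for this key
    /// contains markup, MVC 3 raises HttpRequestValidationException here, so
    /// the field stays protected.
    /// </summary>
    protected string GetValidatedValue(string key)
    {
        var result = ValueProvider.GetValue(key);
        return result == null ? null : result.AttemptedValue;
    }
}

public class CommentController : SafeControllerBase
{
    // Note: no [ValidateInput(false)] on the action. Only "body" is read
    // with validation skipped; "author" keeps the default protection.
    [HttpPost]
    public ActionResult Create()
    {
        string author = GetValidatedValue("author");   // markup here still throws
        string body   = GetUnvalidatedValue("body");   // markup here is accepted

        if (string.IsNullOrEmpty(author) || string.IsNullOrEmpty(body))
            return new HttpStatusCodeResult(400);

        // Skipping request validation is not the same as trusting the value:
        // encode it (or sanitise it) before it reaches any HTML output.
        ViewBag.BodyHtml = HttpUtility.HtmlEncode(body);
        ViewBag.Author   = author;
        return View();
    }
}
```

    Two details matter in practice: `Request.Params` and `Request.Form` are not used at all in the action, because either would trigger validation of the whole collection and throw, and the bypass is limited to the one key that needs it rather than to the action.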