Security error when POSTing a data model to MVC4 with jQuery

Time: 2022-08-24 22:09:17

I have an MVC4 controller with the following signature:

[HttpPost]
public JsonResult SubmitPage(PageSubmissionModel model)
{
    // ...
    return Json(result);
}

where the return model is either a simple model:

public class Page 
{
    public Guid PageId { get; set; }
    public Guid SurveyId { get; set; }
    public int PageNo { get; set; }
    public string Title { get; set; }
    public string Introduction { get; set; }
}

or a JSON encoded url string:

return Json(new {
    RedirectTo = Url.RouteUrl(route.RouteName, route.RouteValues)
});

This controller is called from the client using the following jQuery method:

ajaxPost: function (responseData, callback) {
    var url = "/Surveys/Ajax/SubmitPage"; // a single string literal, also reused in the error message
    $.ajax({
        type: "POST",
        url: url,
        data: JSON.stringify(responseData), // serialise the model that was passed in
        dataType: "json",
        contentType: "application/json; charset=utf-8",
        cache: false,
        success: function (data) {
            if (typeof callback === 'function') {
                callback(data);
            }
        },
        error: function (xmlHttpRequest, errorMessage, exception) {
            var msg = "Problem calling " + url + "()\r\n" + errorMessage;
            alert(msg);
        }
    });
}

where the data argument is a JavaScript object constructed as follows:

responseData = {
    SurveyResponseId: 23,
    SubscriberResponseId: 47,
    PageId: 1,
    Responses: [
        { id: 24, value: "Tom" }
        // ... further responses
    ]
};

When I run this code I get the following server error:

This request has been blocked because sensitive information could be disclosed to third party web sites when this is used in a GET request

Researching this error (http://haacked.com/archive/2009/06/25/json-hijacking.aspx) I am confused because, as far as I can see, and borne out by Fiddler, the client is POSTing the JavaScript model, so I don't see why the server is throwing the GET request error. In addition, the Controller is marked with the [HttpPost] attribute.

If anyone can help it would be much appreciated.

2 answers

#1

1

please try your code like below

[HttpPost]
public JsonResult SubmitPage(PageSubmissionModel model)
{
    // ...
    return Json(result, JsonRequestBehavior.AllowGet);
}

#2

0

Thanks to Bardo's earlier comment, I have tracked down what is happening here.

In some circumstances, the client-script constructed data model was assigning the wrong data value to the model. This potentially caused an uncaught exception on the server whose error message (I think) was causing the GET exception.

By tightening up the initial model validation and adding some more robust error management in the controller I was able to identify the error in the submitted model and therefore trace that back to its (JavaScript) constructor.

Ultimately, this problem demonstrates the need to be able to replicate the production environment exactly in development; I had not achieved this well enough in this instance. Once I could replicate the problem under a debugger it was easy to identify.

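Answer #2's approach, as an added example that is not code from the question or either answer: the MVC4 action keeps the default DenyGet behaviour, validates the bound model with DataAnnotations, and turns both validation failures and unexpected exceptions into JSON responses with an explicit status code, so no exception escapes into the error-handling pipeline where an error response served over GET could trip the JSON-hijacking guard. The model's property names and types are assumed from the client-side responseData object in the question; SavePage and JsonError are hypothetical helpers.

```csharp
using System;
using System.ComponentModel.DataAnnotations;
using System.Diagnostics;
using System.Linq;
using System.Web.Mvc;

// Model shape is an assumption inferred from the client-side responseData object on this page;
// nullable ints so a missing or mistyped field fails [Required] instead of silently binding to 0.
public class ResponseItem { [Required] public int? id { get; set; } [Required] public string value { get; set; } }

public class PageSubmissionModel
{
    [Required, Range(1, int.MaxValue)] public int? SurveyResponseId { get; set; }
    [Required, Range(1, int.MaxValue)] public int? SubscriberResponseId { get; set; }
    [Required, Range(1, int.MaxValue)] public int? PageId { get; set; }
    [Required] public ResponseItem[] Responses { get; set; }
}

public class AjaxController : Controller
{
    [HttpPost]
    public JsonResult SubmitPage(PageSubmissionModel model)
    {
        // Null model: the JSON body could not be bound at all. Otherwise ModelState carries the
        // binding and DataAnnotations failures; report them as a 400 with a JSON body.
        if (model == null || !ModelState.IsValid)
        {
            var errors = ModelState.Where(kv => kv.Value.Errors.Count > 0)
                .Select(kv => new { Field = kv.Key, Messages = kv.Value.Errors.Select(e => e.ErrorMessage) });
            return JsonError(400, new { Success = false, Errors = errors });
        }
        try
        {
            return Json(new { Success = true, Page = SavePage(model) }, JsonRequestBehavior.DenyGet);
        }
        catch (Exception ex)
        {
            Trace.TraceError(ex.ToString()); // log server-side; the client never sees exception text
            return JsonError(500, new { Success = false, Error = "Submission failed." });
        }
    }

    // Set the status here so the exception never reaches the error pipeline, skip the IIS custom
    // error page so the JSON body survives, and keep DenyGet so the JSON-hijacking guard stays on.
    private JsonResult JsonError(int status, object body)
    {
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true;
        return Json(body, JsonRequestBehavior.DenyGet);
    }

    // Hypothetical persistence step standing in for the real save logic.
    private object SavePage(PageSubmissionModel m) { return new { m.PageId, Saved = true }; }
}
```

With this in place the jQuery error callback receives a JSON body it can parse for the field errors, which is how the mis-assigned client value in answer #2 surfaces directly instead of as a misleading GET error.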