Posting HTML markup (code) as a string with ASP.NET MVC and jQuery

Time: 2022-12-01 08:20:55

I'm trying to post a form through an MVC model into a Save function in a controller. I'm also using TinyMCE on the client side, which produces an HTML-code-based string such as <p> Content text blah blah ...</p>.


The problem is that I cannot post a string that includes <p> something </p>. But surprisingly, < p > something < / p > (the same string with spaces after "<") has NO problem. But I cannot handle this HTML code and insert these spaces before posting every time. There must be a better way.


So, how can I post a string that includes HTML code through the $.post method? (If you must know, this project is a Content Management System, so I have to save the HTML-based content text into a SQL table.) I saw by debugging that the post action does not even reach the controller, and I think this is only a JavaScript problem, am I right?


Here is the code I am using:

JavaScript


function JqueryFromPost(formId) {

  var form = $(formId);
  var action = form.attr("action");
  var serializedForm = form.serializeArray();

  $.post(action, serializedForm, function (data) {
      //Getting the data Result here...
  });
}

C# code


   [HttpPost]
   public JsonResult SaveArticle(ArticleModel model)
   {
       JsonResult JResult = new JsonResult();

       if (ModelState.IsValid)
       {
           // I do the saving here, ending with JResult.Data = "Success";
           // (this could also be "Failed"; it is just to explain)
       }

       return JResult;
   }

3 answers

#1 (score 48)

ASP.NET has built-in request validation that automatically helps protect against XSS and HTML injection attacks. If you want to explicitly disable this validation you could decorate the action you are posting to with the [ValidateInput(false)] attribute:


[HttpPost]
[ValidateInput(false)]   
public ActionResult SaveArticle(ArticleModel model)
{
    var JResult = new JsonResult();
    if (ModelState.IsValid)
    {
        ...
    }
    return JResult;
}

Also, if you are running this on ASP.NET 4.0, for this attribute to take effect you need to add the following to your web.config:

<httpRuntime requestValidationMode="2.0" />

And if you are using ASP.NET MVC 3.0 you could decorate only the property on your model that requires HTML with the [AllowHtml] attribute:


public class ArticleModel 
{
    [AllowHtml]
    public string SomeProperty { get; set; }

    public string SomeOtherProperty { get; set; }
}

Also, in your JavaScript function you probably want serialize() instead of serializeArray():

function JqueryFromPost(formId) {
    var form = $(formId);
    // form is a jQuery object, so read the action attribute rather than form.action
    $.post(form.attr("action"), form.serialize(), function (data) {
        //Getting the data Result here...
    });
}

#2 (score 3)

You shouldn't use ValidateInput(false), as MSDN said here: http://msdn.microsoft.com/en-us/magazine/hh708755.aspx Just use [AllowHtml] on the model property you want to take HTML.

[AllowHtml]
public String htmlContainer { get; set; }

Additionally, I think it is better if you encode the HTML and then post it to the server.

#3 (score 1)

Using [ValidateInput(false)] is a very bad practice which leads to many security breaches; [AllowHtml] on a model property is a more secure and reliable way of doing this. But there is a much cleaner solution if you can't use a model property.

Simply encode the text on the client side (in my case JavaScript) and decode it on the server side (controller function). I used the below for my VB.NET project.

var SearchStringValue = "<p> some blah...blah data </p>";

Now encoding the above variable.


var encodedSearchStringValue = window.escape(document.getElementById('SearchStringValue').value);

Now pass encodedSearchStringValue to the controller using AJAX.

In the controller, just decode the variable to get <p> some blah...blah data </p>.

Dim SearchStringValue = HttpUtility.UrlDecode(encodedSearchStringValue)

Hope this helps......... :)

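As an added example (not code from the question or from any of the answers), the following Node.js script models the whole path a TinyMCE field takes on this page: jQuery serialization, model binding, request validation, and the controller, so the three answers can be compared on the same input. The validation rule, the field name `Body`, and the `simulatePost` options are assumptions that approximate ASP.NET's behaviour, not the real implementation.

```javascript
// Added example (not code from the question or any answer): a small Node.js
// model of the path a TinyMCE field takes, from jQuery serialization through
// model binding and request validation to the controller.
// ASSUMPTION: ASP.NET request validation is approximated by the rule "reject a
// value containing '<' followed by a letter, '!', '/' or '?', or containing '&#'".
const DANGEROUS = /<[A-Za-z!\/?]|&#/;

function requestValidationRejects(value) {
  return DANGEROUS.test(value);
}

// What jQuery's form.serialize() does to one field (application/x-www-form-urlencoded).
function serializeField(name, value) {
  return name + '=' + encodeURIComponent(value);
}

// Model binding removes exactly that one layer of form encoding before request
// validation looks at the value, so serialize()'s own encoding never hides '<'.
function bindField(body, name) {
  const pair = body.split('&').map(p => p.split('=')).find(([k]) => k === name);
  return pair ? decodeURIComponent(pair[1]) : undefined;
}

// validateInput=false stands for [ValidateInput(false)] or [AllowHtml] on the field.
// preEscape=true is answer #3: an extra client-side encoding layer (encodeURIComponent
// stands in for the deprecated window.escape) undone by HttpUtility.UrlDecode later.
function simulatePost(value, { validateInput = true, preEscape = false } = {}) {
  const clientValue = preEscape ? encodeURIComponent(value) : value;
  const bound = bindField(serializeField('Body', clientValue), 'Body');
  if (validateInput && requestValidationRejects(bound)) {
    return { reachedController: false, controllerSees: null };
  }
  const controllerSees = preEscape ? decodeURIComponent(bound) : bound;
  return { reachedController: true, controllerSees };
}

// Constructed sample: the kind of string TinyMCE hands to the form.
const SAMPLE_HTML = '<p>Content text blah blah ...</p>';
```

Answer #3's path reaches the controller with exactly the same raw markup as disabling validation does; the extra encoding only moves the value past the check, so the content still has to be sanitised before it is stored or encoded when it is rendered.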
