I'm trying pass a html code trough Ajax like this:
Using plugin 'summernote' (WYSIWYG Editor)
var description = $('#ticketDescription').code();
This give me for example:
<span style="font-weight: bold;">asdasdasd<span>sadasd
and when Ajax process this give an 500 internal error
$.ajax({
url: '/Ticket/NewTicket',
type: 'POST',
data: {
companyId: companyId,
subject: subject,
ticketDescription: description
},
success: function(result) {
....
},
error: function(result) {
}
});
The problem is solved by removing the '<' character from string.
Any solution to this?
Thanks
Edit: The only way I found so far is:
In javascript:
description = escape(description);
and in the controller:
ticketDescription = HttpUtility.UrlDecode(ticketDescription);
Is it correct?
ValidateInput and AllowHtml attribute is what you need to set in the property
By default Asp.Net MVC doesn't allow a user to submit html for avoiding Cross Site Scripting attack to your application.
ValidateInput Attribute
This is the simple way to allow the submission of HTML. This attribute can enable or disable input validation at the controller level or at any action method.
ValidateInput at Controller Level
[ValidateInput(false)]
public class HomeController : Controller
{
public ActionResult AddArticle()
{
return View();
}
[HttpPost]
public ActionResult AddArticle(BlogModel blog)
{
if (ModelState.IsValid)
{
}
return View();
}
}
Now, the user can submit Html for this Controller successfully.
ValidateInput at Action Method Level
public class HomeController : Controller
{
public ActionResult AddArticle()
{
return View();
}
[ValidateInput(false)]
[HttpPost]
public ActionResult AddArticle(BlogModel blog)
{
if (ModelState.IsValid)
{
}
return View();
}
}
Now, the user can submit Html for this action method successfully.
Limitation of ValidateInput attribute
This attribute also has the issue since this allow the Html input for all the properties and that is unsafe. Since you have enable Html input for only one-two properties then how to do this. To allow Html input for a single property, you should use AllowHtml attribute.
AllowHtml Attribute
This is the best way to allow the submission of HTML for a particular property. This attribute will be added to the property of a model to bypass input validation for that property only. This explicit declaration is more secure than the ValidateInput attribute.
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;
public class BlogModel
{
[Required]
[Display(Name = "Title")]
public string Title { get; set; }
[AllowHtml]
[Required]
[Display(Name = "Description")]
public string Description{ get; set; }
}
Make sure, you have removed the ValidateInput attribute from Conroller or Action method. Now, the user can submit Html only for the Description property successfully.
Related
I'm writing a web application running in an Active Directory environment using MVC5.
I have an AdminController controller, routing to a View where I can add users to the db.
public class AdminController : Controller
{
// some initializing code
public ActionResult AggiungiUtente()
{
if (Request.IsAjaxRequest())
{
return PartialView();
}
else
{
return View();
}
}
[HttpPost]
public ViewResult AggiungiUtente(AggiungiUtenteViewModel viewModel)
{
if (ModelState.IsValid)
{
return View(viewModel);
}
else
{
return View();
}
}
}
Within this View I want to put a simple textbox with a button where the user can write an employee's ID or name and he's presented a modal form with the list of AD objects found, then I'll take it from there.
As of now I have the code for all the "pieces", especially the AD tree research method that returns a serialized JSON object that is currently a static method within the ViewModel:
public static string ElencoPersonaleJSON(string chiave)
{
List<ADQuery.Elemento> ElencoPersonale = ADQuery.RicercaGenerica(chiave);
return ElencoPersonale.ToJSON(); //extension method
}
but how can I make it work with the rest of the application? How can I call this method, or how can I call it without being redirected to another view?
Thanks,
Davide.
I am trying to pass dynamic parameters from jquery to mvc controller. This is my jquery function
function OpenBrowserUrl(type, params)
{
window.open("{0}?linkType={1}&{2}".format(URL.openBrowserLinkURL, type, $.param(params)), '_blank');
}
params would be different things based on who passes it in. For example, it's an object like this: var param = { P1: "Test1", P2: "Test2" }
I am trying to bind those in MVC Controller. This is what it looks like right now:
public virtual RedirectResult OpenBrowserLink(object urlParameters)
{
IDictionary<string, object> paramsPair = new RouteValueDictionary(urlParameters);
foreach (var item in paramsPair)
{
System.Diagnostics.Debug.WriteLine(item.Key);
}
}
However, it's not binding properly. the values are empty. On fiddler, this is how it's sending data: http://www.url.com?param1=1¶m2=2¶m3=3
Any idea what's going on? or Is there a better way to handle this? Basically I am trying to mimic the way Html Helpers send parameters and bind it from the controller side using JQuery. HtmlHelper example: Html.TextboxFor(m => m.Text, new { Param1=1, Param2=2, Param3=3 });
Thanks a lot for the help
Model binder won't work because your object urlParameters has no properties. You should either create strongly typed model:
public class UrlParamerters
{
public string Param1 {get; set;}
public string Param2 {get; set;}
public string Param3 {get; set;}
}
or change your action signature:
public virtual RedirectResult OpenBrowserLink(string[] params)
and just pass an array or parameters.
I am using Telerik.MVC extensions and certain controls to not pass data to the controller on events.
Tee dropdown must call this.form.submit during an OnChange event to register that the user made a selection.
function ddl_OnChange(e)
{
this.form.submit();
}
In the controller I have:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult Index([Bind()] ViewModel.Designer model, string ddlDatabase,
string ddl, string cboTemplate, string command)
{
if (ModelState.IsValid)
{.....
On the OnChange, the value of the ddl control is passed through the ddl value.
My problem is, I have multiple dropdown and combos and would like to control the action taken by the controller depending on the choice made. How can I direct the this.form.submit();
to other functions. Also, how can I pass data additional data back to this other method.
Solution:
In the script, set the action property:
function ddlTable_OnChange(e)
{
this.form.action += '\\ddlTable_OnChange';
this.form.submit();
}
In the controller, create matching function:
[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult ddlTable_OnChange([Bind()] ViewModel.Designer model, string ddlDatabase,
string ddlTable, string cboTemplate, string command)
{
return Index();
}
I am using a userControl in MVC 4 that has a telerik radeditor.
I want to submit the content of the radeditor the the action method but if I user editor.get_html() the code doesn't execute.
the javascript call to the action method is the following:
function Save() {
var editor = $find("<%=radEdit.ClientID%>");
var editorHtmlContent = editor.get_html();
var entityId = document.getElementById('hdEntityId').value;
var url = '<%=Url.Action("SaveNote", "staticController")%>';
$.post(url, { EntityId: entityId, Desc: editorHtmlContent }, function (result) { });
}
any clue?
Posting HTML tags is being considered a security threat (HTML Injection and Cross-site Scripting (XSS)), so it is blocked by default. You have three ways out of this:
Encode your HTML on client side before sending to the server. You can find a lot of reading about that on SO, for example here: Fastest method to escape HTML tags as HTML entities?
If you have strongly typed model class and want to get the actual HTML, you can use AllowHtmlAttribute:
public class XMLModel
{
public int EntityId { get; set; }
[AllowHtml]
public string Desc { get; set; }
}
Last option is to disable input validation for entire action, which can be done with ValidateInputAttribute:
[ValidateInput(false)]
[HttpPost]
public ActionResult SaveNote(...)
{
...
}
You should choose the option most suitable for you.
I am using tinyMCE (a rich text editor in js).
Currently, I have a function as such:
function GetEditorValue() {
var val = tinyMCE.get('valueTextArea').getContent()
}
which returns the text that was entered into the rich text editor.
Now, is there a way to pass this data using POST to my mvc controller
and access it there?
(All this is being done in ASP.NET MVC 2 using C#)
You could send this value using AJAX. For example jQuery provides the .post() function:
var val = tinyMCE.get('valueTextArea').getContent();
$.post('<%= Url.Action("foo") %>', { value: val }, function(result) {
// TODO: handle the success
alert('the value was successfully sent to the server');
});
and inside your controller action:
[HttpPost]
public ActionResult Foo(string value)
{
// Do something with the value
}
Now obviously because this is a RichText editor the value might contain dangerous characters and ASP.NET will reject them by throwing an exception. To avoid this you could decorate your controller action with the [ValidateInput(false)] attribute:
[HttpPost]
[ValidateInput(false)]
public ActionResult Foo(string value)
{
// Do something with the value
}
and if you are using ASP.NET 4.0 you should also add the following to your web.config:
<httpRuntime requestValidationMode="2.0" />