HtmlEn code上张贴ASP.Net MVC 3 Html.TextAreaFor [英] HtmlEncode on Post for ASP.Net MVC 3 Html.TextAreaFor

问题描述

我有一个ASP.Net MVC 3页，其中我有一个Html.TextAreaFor控制，请看以下code。如果我尝试到页面提交给HTTP POST行动在尖括号中的文字，如：＆lt;试验＆GT; ，我得到一个黄色的错误屏幕说：

  

从检测到潜在危险的Request.Form值
  客户端（RequestText =）。

我不明白为什么我得到这个，因为我发现<一个href=\"http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx\">an本文由Scott Guthrie的，说新的＆LT;％：％GT; 在.NET 4中，会自动HtmlEn $ C $语法C的元素。由于我使用的＆lt;％：％>语法Html.TextAreaFor控制，我认为它会自动照顾这和尖括号转换为适当的＆放大器; LT和＆放大器; GT。字符串

 ＆LT;使用％（Html.BeginForm（））
   {％GT;
    ＆LT;％：Html.ValidationSummary（）％GT;
    ＆LT; H2＆GT; LT输入必要的支持和说明; / H2＆GT;
    ＆LT;％：Html.TextAreaFor（M = GT; m.RequestText，4，90，NULL）％GT;
    ＆LT;输入类型=提交值=提交/＆GT;
＆LT;％}％GT;
 

解决方案

基本上是正确的，现在，你编码的 TextAreaFor 的输出内容。这不会帮助你在丝毫因为你要处理的输入

如果您要提交潜在危险的内容，你需要为

1）装饰你的视图模型中的 RequestText 财产 [AllowHtml] 。 （preferred）

  [AllowHtml]
公共字符串RequestText {搞定;组; }
 

2）禁止 validateRequest

 ＆LT;＆的System.Web GT;
    ＆LT;编译调试=真targetFramework =4.0/＆GT;
    ＆LT;的httpRuntime requestValidationMode =2.0/＆GT;
＆LT; /system.web>
 

然后你的必须确保您适当消毒的数据和/或提交给你的版本库层或数据库之前，您的控制器编码的。

I have an ASP.Net MVC 3 page in which I have an Html.TextAreaFor control, see code below. If I try to submit the page to the http post action with text in angle brackets like: <test>, I get a yellow error screen saying:

A potentially dangerous Request.Form value was detected from the client (RequestText="").

I don't understand why I am getting this because I found an article by Scott Guthrie that says the new <%: %> syntax in .Net 4, will automatically HtmlEncode the element. Since I'm using the <%: %> syntax for the Html.TextAreaFor control, I thought it would automatically take care of this and convert the angle brackets to the proper "&lt"; and "&gt" strings.

<% using (Html.BeginForm())
   { %>
    <%: Html.ValidationSummary() %>
    <h2>Enter a description of the support needed</h2>
    <%: Html.TextAreaFor( m => m.RequestText, 4, 90, null) %>
    <input type="submit" value="Submit" />
<% } %>

解决方案

Basically right now, you're encoding the content of the TextAreaFor on the output. This doesn't help you in the slightest since you're trying to deal with input

If you want to submit "potentially dangerous" content, you need to either

1) decorate the RequestText property within your ViewModel with [AllowHtml]. (preferred)

[AllowHtml]
public string RequestText { get; set; }

2) disable validateRequest

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

Then you must ensure you're appropriately sanitizing that data and/or encoding it in your controller before submitting it to your Repository Layer or Database.

这篇关于HtmlEn code上张贴ASP.Net MVC 3 Html.TextAreaFor的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！