AllowHTML and custom IValueProviders in MVC3

Problem description

I have a custom IValueProvider that I wrote to handle json values. It is registered in the Global.asax via

ValueProviderFactories.Factories.Insert(0, new JsonValueProviderFactory());

It works fine, but I just recently needed to post a model back that contains HTML. By default this spawns the old

A potentially dangerous Request.Form value was detected from the client

error message. It looks like the way to get around that normally is to decorate the model property with an AllowHtml attribute. The problem is my value provider is still throwing the error. Any idea how to get my value provider to respect the AllowHtml attribute?

Here is the relevant code:

public class JsonValueProvider : IValueProvider, IValueDeserializer
{
    private ControllerContext context;

    public JsonValueProvider(ControllerContext controllerContext)
    {
        this.context = controllerContext;
    }

    public bool ContainsPrefix(string prefix)
    {
        return context.HttpContext.Request.Form.AllKeys.FirstOrDefault(i => i.StartsWith(prefix)) != null; // <-- The error is thrown here
    }
    .....

Solution

You cannot use validated request data (e.g. Request.Form, Request.QueryString) within your custom value provider if you need to handle "potentially dangerous" data.

Instead you should use methods or properties such as Request.Unvalidated, HttpContext.Request.Unvalidated() or HttpContext.Request.InputStream.

If you implement IUnvalidatedValueProvider on your custom ValueProvider, then it can also work nicely with DefaultModelBinder / AllowHtml.

IUnvalidatedValueProvider has an overloaded GetValue method to tell the provider whether to skip validation (which is what ultimately gets set by AllowHtml).

    public interface IUnvalidatedValueProvider : IValueProvider
    {
        ValueProviderResult GetValue(string key, bool skipValidation);
    }

In your implementation, if skipValidation is true, then you should retrieve unvalidated request data. Obviously within your ContainsPrefix you cannot access validated data (e.g. Request.Form).

Having said that, it may be easiest to inherit from NameValueCollectionValueProvider which is already "unvalidated" aware. Most of the built-in value providers inherit from it. I have linked to the MVC source code... take a look at how the sub-types are implemented.
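
One way to apply the answer's advice, as an added example that is not the asker's code or the MVC project's own: a form-backed provider that implements IUnvalidatedValueProvider and touches validated data only when the binder does not ask to skip validation. It assumes MVC 3 with System.Web.Helpers (System.Web.WebPages.dll) referenced for the Unvalidated() extension; the class name RawAwareFormValueProvider and the MatchesPrefix helper are hypothetical, and JSON parsing is left out.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Linq;
using System.Web.Helpers; // Unvalidated() extension method on HttpRequestBase
using System.Web.Mvc;

// Hypothetical class name. Serves posted form fields only; JSON parsing is left out.
public class RawAwareFormValueProvider : IUnvalidatedValueProvider
{
    private readonly ControllerContext context;

    public RawAwareFormValueProvider(ControllerContext controllerContext)
    {
        context = controllerContext;
    }

    // Form fields as sent by the client; reading them does not run request validation.
    private NameValueCollection RawForm
    {
        get { return context.HttpContext.Request.Unvalidated().Form; }
    }

    public bool ContainsPrefix(string prefix)
    {
        // Only key names are compared here, so the unvalidated collection is used.
        return RawForm.AllKeys.Any(k => k != null && MatchesPrefix(k, prefix));
    }

    public ValueProviderResult GetValue(string key)
    {
        return GetValue(key, false); // callers unaware of AllowHtml get validated data
    }

    public ValueProviderResult GetValue(string key, bool skipValidation)
    {
        // Validated path reads Request.Form, so request validation still applies there.
        NameValueCollection source = skipValidation ? RawForm : context.HttpContext.Request.Form;
        string[] values = source.GetValues(key);
        if (values == null) return null; // null tells the binder this provider has no value
        return new ValueProviderResult(values, string.Join(",", values), CultureInfo.CurrentCulture);
    }

    // "Item" matches "Item", "Item.Name" and "Item[0]", but not "Items".
    private static bool MatchesPrefix(string key, string prefix)
    {
        if (string.IsNullOrEmpty(prefix)) return true;
        if (!key.StartsWith(prefix, StringComparison.OrdinalIgnoreCase)) return false;
        return key.Length == prefix.Length || key[prefix.Length] == '.' || key[prefix.Length] == '[';
    }
}
```

Values returned with skipValidation set have bypassed request validation, so a property marked [AllowHtml] needs its own sanitizing or output encoding before it is rendered.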
