AllowHtml not working for ASP.Net Mvc 3 site


Problem description

We're trying to use the [AllowHtml] decoration on one of our ViewModel properties so that we can avoid the YSOD:

A potentially dangerous Request.Form value was detected from the client (RequestText="<br>").

when we try to submit html text, like: <br>. We want to then use Server.HtmlEncode within the controller action to prevent attacks, but when we decorate the property with [AllowHtml] it has no effect, and if we try to use [ValidateInput(false)] on the controller action, it has no effect either. We saw a StackOverflow Post saying that in MVC 3 RC2 that you have to add:

ModelMetadataProviders.Current = new DataAnnotationsModelMetadataProvider(); to the global.asax

We tried that too, even though we are using the release version of MVC 3, not RC2, but that had no effect either. Does anyone know how to fix this?

Model:

namespace UI.Models.ViewModel
{
    public class CustomerRequestSupport
    {
        /// <summary>
        /// Gets or Sets the textual description entered by the Customer for 
        /// the support requested.
        /// </summary>
        [AllowHtml]
        public string RequestText { get; set; }
    }
}

Controller:

    [HttpPost]
    [TabsActionFilter]
    public ActionResult RequestSupport(CustomerRequestSupport collection)
    {
        if (ModelState.IsValid)
        {

            Ticket ticket = new Ticket();

            ticket.Requestor = LoggedInCustomer;

            ticket.Summary = "General Support Ticket";
            ticket.Notes = Server.HtmlEncode(collection.RequestText);

            var errors = _ticketService.SubmitTicket(ticket);

            if (errors.Any())
            {
                ModelState.AddModelError("collection",
                    String.Format("An error has occurred in your Request for Support: " +
                    "{0} Please try again later or call the help desk " +
                    "for immediate assistance.",
                    errors.Aggregate((acc, st) => acc + " " + st)));
            }
            else
            {
                TempData["FlashMessage"] = String.Format("Your request for support has been " +
                        "submitted, the Ticket Number is: {0}.", ticket.TicketNumber);

                return AutoMapView<CustomerDetails>(View("Details", base.LoggedInCustomer));
            }
        }

        //needed for tabs to show
        ViewData.CustomerContactSet(base.LoggedInCustomer);

        return View();
    }

View:

<%@ Page Title="" Language="C#" MasterPageFile="~/Views/Shared/Site.Master"     Inherits="System.Web.Mvc.ViewPage<UI.Models.ViewModel.CustomerRequestSupport>" %>

<asp:Content ID="Content1" ContentPlaceHolderID="TitleContent" runat="server">
 Request Support
</asp:Content>

<asp:Content ID="Content2" ContentPlaceHolderID="PageTitle" runat="server">
 Request Support
</asp:Content>

<asp:Content ID="Content3" ContentPlaceHolderID="MainContent" runat="server">
<% using (Html.BeginForm())
   { %>
    <%= Html.ValidationSummary() %>
    <h2>Enter a description of the support needed</h2>
    <%: Html.TextAreaFor( m => m.RequestText, 4, 90, null) %>
    <input type="submit" value="Submit" />
<% } %>
</asp:Content>
<asp:Content ID="Content4" ContentPlaceHolderID="JavaScriptContent" runat="server">
</asp:Content>

Solution

In his answer Darin is definitely onto something when he asks:

"So you gotta be doing something different than what I showed here. What is it?"

I am guessing you have something else affecting the ASP.NET pipeline that is accessing the FormCollection prior to your [AllowHtml] being taken into account. Off the top of my head some common ASP.NET MVC OSS libraries that touch the pipeline are ELMAH, Glimpse, WebActivator, MvcContrib, there are many more but you get the idea.

I have to believe you are using one of the tools above or something similar. Assuming you are, make sure you are on the latest release of each and check their open bug reports.

Finally, a quick way to determine if it's your code, your MVC instance or an OSS library would be to create a test project. Try creating a vanilla ASP.NET MVC project. Ensure that AllowHtml works. Then add in your various OSS components until it breaks. Just be sure when you are adding in OSS components that the versions match what you are using in your current project.
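
Added example (not part of the original question or answer): a diagnostic for Global.asax.cs that narrows down which component read the form value, using the stack trace of the request-validation exception. The class name `MvcApplication` is the MVC project-template default and is assumed here; the "first frame outside System.Web" rule is a heuristic, not a guarantee.

```csharp
using System;
using System.Diagnostics;
using System.Linq;
using System.Web;

public class MvcApplication : HttpApplication
{
    // Runs for unhandled exceptions, including the "potentially dangerous
    // Request.Form value" error from the question.
    protected void Application_Error(object sender, EventArgs e)
    {
        // The validation exception may be wrapped, so walk the inner-exception chain.
        HttpRequestValidationException rv = null;
        for (Exception cur = Server.GetLastError(); cur != null && rv == null; cur = cur.InnerException)
            rv = cur as HttpRequestValidationException;
        if (rv == null) return;

        // Frames are ordered innermost first: the validation code that threw,
        // then whoever asked for the validated value.
        StackFrame[] frames = new StackTrace(rv, false).GetFrames() ?? new StackFrame[0];
        var callers = frames
            .Select(f => f.GetMethod())
            .Where(m => m != null && m.DeclaringType != null)
            .Select(m => new
            {
                Assembly = m.DeclaringType.Assembly.GetName().Name,
                Method = m.DeclaringType.FullName + "." + m.Name
            })
            .ToList();

        // Heuristic: skip the framework's own validation plumbing. If the first
        // remaining frame is in System.Web.Mvc, the model binder itself validated
        // the value; any other assembly points at your code or a third-party library.
        var accessor = callers.FirstOrDefault(c =>
            c.Assembly != "System.Web" && c.Assembly != "Microsoft.Web.Infrastructure");

        Trace.TraceWarning("Request validation tripped by {0} in assembly {1}",
            accessor != null ? accessor.Method : "(unknown)",
            accessor != null ? accessor.Assembly : "(unknown)");

        // Distinct assemblies on the stack, for comparison against the list of
        // OSS components added to the project.
        Trace.TraceWarning("Assemblies on stack: {0}",
            string.Join(", ", callers.Select(c => c.Assembly).Distinct().ToArray()));
    }
}
```

If the frame turns out to be in your own filter or module, `Request.Unvalidated()` from `System.Web.Helpers` reads a value without triggering validation; the value must then be encoded on output, as the controller in the question already does with `Server.HtmlEncode`.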
