If I use #html.Raw() Html is executing very well.. but some people saying that displaying data(html) using #html.Raw() will lead to XSS attacks.
But alternatively we don't have any choice to display html data in mvc...
Is there any way to achieve this?
<h1 class="art-heading">#Html.DisplayFor(model => model.Article_Name)</h1>
<div>
#Html.DisplayFor(model => model.Article_Content)
</div>
<section>
#Html.Raw(Model.code)
</section>
Try to use: MvcHtmlString look here for more information about this class
public MvcHtmlString OutputHtml() {
return MvcHtmlString.Create("<div>My div</div>");
}
then in view:
#OutputHtml()
How can I store post.content as html in database and how can I display with rendered html without tags. I am trying with following way, but it's not working. It can stored encode html in database but its not displayed rendered html. Any best practice would be appreciated.
1)
//Saving post content in database as html
public ActionResult Edit(Post post, FormCollection obj)
{
post.Content = Server.HtmlEncode(post.Content);
}
2)
//Displaying post content to view
<%: System.Web.HttpUtility.HtmlDecode(item.Content)%>
OR
<%: item.Content%>
MVC3/Razor:
#Html.Raw(item.Content)
MVC2/WebForms:
<%: MvcHtmlString.Create(item.Content) %>
Now I've seen some questions like this, but it's not exactly what I want to ask, so for all those screaming duplicate, I apologize :).
I've barely touched ASP.NET MVC but from what I understand there is no ViewState/ControlState... fine. So my question is what is the alternative to retaining a control's state? Do we go back to old school ASP where we might simulate what ASP.NET ViewState/ControlState does by creating hidden form inputs with the control's state, or with MVC, do we just assume AJAX always and retain all state client-side and make AJAX calls to update?
This question has some answers, Maintaining viewstate in Asp.net mvc?, but not exactly what I'm looking for in an answer.
UPDATE: Thanks for all the answers so far. Just to clear up what I'm not looking for and what I'm looking for:
Not looking for:
Session solution
Cookie solution
Not looking to mimic WebForms in MVC
What I am/was looking for:
A method that only retains the state on postback if data is not rebound to a control. Think WebForms with the scenario of only binding a grid on the initial page load, i.e. only rebinding the data when necessary. As I mentioned, I'm not trying to mimic WebForms, just wondering what mechanisms MVC offers.
The convention is already available without jumping through too many hoops. The trick is to wire up the TextBox values based off of the model you pass into the view.
[AcceptVerbs(HttpVerbs.Get)]
public ActionResult CreatePost()
{
return View();
}
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult CreatePost(FormCollection formCollection)
{
try
{
// do your logic here
// maybe u want to stop and return the form
return View(formCollection);
}
catch
{
// this will pass the collection back to the ViewEngine
return View(formCollection);
}
}
What happens next is the ViewEngine takes the formCollection and matches the keys within the collection with the ID names/values you have in your view, using the Html helpers. For example:
<div id="content">
<% using (Html.BeginForm()) { %>
Enter the Post Title: <%= Html.TextBox("Title", Model["Title"], 50) %><br />
Enter the Post Body: <%= Html.TextArea("Body", Model["Body"]) %><br />
<%= Html.SubmitButton() %>
<% } %>
</div>
Notice the textbox and textarea has the IDs of Title and Body? Now, notice how I am setting the values from the View's Model object? Since you passed in a FormCollection (and you should set the view to be strongly typed with a FormCollection), you can now access it. Or, without strongly-typing, you can simply use ViewData["Title"] (I think).
POOF Your magical ViewState. This concept is called convention over configuration.
Now, the above code is in its simplest, rawest form using FormCollection. Things get interesting when you start using ViewModels, instead of the FormCollection. You can start to add your own validation of your Models/ViewModels and have the controller bubble up the custom validation errors automatically. That's an answer for another day though.
I would suggest using a PostFormViewModel instead of the Post object, but to each-his-own. Either way, by requiring an object on the action method, you now get an IsValid() method you can call.
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult CreatePost(Post post)
{
// errors should already be in the collection here
if (false == ModelState.IsValid())
return View(post);
try
{
// do your logic here
// maybe u want to stop and return the form
return View(post);
}
catch
{
// this will pass the collection back to the ViewEngine
return View(post);
}
}
And your Strongly-Typed view would need to be tweaked:
<div id="content">
<% using (Html.BeginForm()) { %>
Enter the Post Title: <%= Html.TextBox("Title", Model.Title, 50) %><br />
Enter the Post Body: <%= Html.TextArea("Body", Model.Body) %><br />
<%= Html.SubmitButton() %>
<% } %>
</div>
You can take it a step further and display the errors as well in the view, directly from the ModelState that you set in the controller.
<div id="content">
<%= Html.ValidationSummary() %>
<% using (Html.BeginForm()) { %>
Enter the Post Title:
<%= Html.TextBox("Title", Model.Title, 50) %>
<%= Html.ValidationMessage("Title") %><br />
Enter the Post Body:
<%= Html.TextArea("Body", Model.Body) %>
<%= Html.ValidationMessage("Body") %><br />
<%= Html.SubmitButton() %>
<% } %>
</div>
What is interesting with this approach is that you will notice I am not setting the validation summary, nor the individual validation messages in the View. I like to practice DDD concepts, which means my validation messages (and summaries) are controlled in my domain and get passed up in the form of a collection. Then, I loop throught he collection (if any errors exist) and add them to the current ModelState.AddErrors collection. The rest is automatic when you return View(post).
Lots of lots of convention is out. A few books I highly recommend that cover these patterns in much more detail are:
Professional ASP.NET MVC 1.0
Pro ASP.NET MVC 1.0 Framework
And in that order the first covers the raw nuts and bolts of the entire MVC framework. The latter covers advanced techniques outside of the Microsoft official relm, with several external tools to make your life much easier (Castle Windsor, Moq, etc).
The View is supposed to be dumb in the MVC pattern, just displaying what the Controller gives it (obviously we do often end up with some logic there but the premise is for it not to be) as a result, controls aren't responsible for their state, it'll come from the controller every time.
I can't recommend Steven Sanderson's book Pro ASP.NET MVC by Apress enough for getting to grips with this pattern and this implementation of it.
In Web Forms, control values are maintained in the viewstate so you (theoretically) don't need to reinitialize and such with each postback. The values are (again theoretically) maintained by the framework.
In ASP.NET MVC, if you follow the paradigm, you don't need to maintain state on form elements. The form element values are available on post where your controller can act on them (validation, database updates, etc.). For any form elements that are displayed once the post is processed, you (the developer) are responsible for initializing them - the framework doesn't automatically do that for you.
That said, I have read about a mechanism called TempData that allows your controller to pass data to another controller following a redirect. It is actually a session variable (or cookie if you configure it as such) but it is automatically cleaned up after the next request.
The answer really depends on the types of controls you are trying to maintain state for. For basic Html controls then it is very easy to maintain state with your Models, to do this you need to create a strongly typed view.
So if we had a User model with the properties: Username, FullName, Email, we can do the following in the view:
<%= Html.ValidationSummary() %>
<% using (Html.BeginForm()) { %>
<fieldset>
<legend>User details</legend>
<%= Html.AntiForgeryToken() %>
<p>
<label for="Username">Username:</label>
<%= Html.Textbox("Username", Model.Username, "*") %>
</p>
<p>
<label for="FullName">FullName:</label>
<%= Html.Textbox("FullName", Model.FullName, "*") %>
</p>
<p>
<label for="Email">Email:</label>
<%= Html.Textbox("Email", Model.Email, "*") %>
</p>
<p>
<input type+"submit" value="Save user" />
</p>
</fieldset>
<% } %>
We would then have two controller actions that display this view, one for get and another for post:
[AcceptVerbs(HttpVerbs.Get)]
public ActionResult User()
{
return View(new User())
}
[AcceptVerbs(HttpVerbs.Post)]
[ValidateAntiForgeryToken]
public ActionResult User([Bind(Include = "Username,FullName,Email")]User user)
{
if (!ModelState.IsValid()) return View(user);
try
{
user.save()
// return the view again or redirect the user to another page
}
catch(Exception e)
{
ViewData["Message"] = e.Message;
return View(user)
}
}
Is this what you are looking for? Or do you want to maintain the state of Models that are not being displayed in a form between requests?
The key thing to remember is that your code executes on the server for the duration of the request and ends, the only information you can pass between your requests is basic html form data, url parameters and session information.
As other people have mentioned, I'd highly recommend Steve Sandersan's Pro ASP.NET MVC Framework for a complete understanding of working with the MVC Framework.
hidden fields, like:
<% using (Html.BeginForm<SomeController>(c=>c.SomeAction(null))) {%>
<%= Html.Hidden("SomeField", Model.SomeField)%>
<%= Html.Hidden("AnotherField", Model.AnotherField)%>
setting the specific model & not having any explicit fields (gives u hidden fields). In the example below, the Model is filled by the controller with values received from the last post, so this enables a no js option in the page that can filter based on a status:
Some Filter: <% using( Html.BeginForm<SomeController>(
c => c.SomeAction(model.SomeField, model.AnotherField, model.YetAnotherField, null, model.SomeOtherField)
)) { %>
<%= Html.DropDownList("status", Model.StatusSelectList)%>
<input type="submit" value="Filter" class="button" />
<% } %>
use extension methods to create fields, if u just want the fields to be filled with posted values when u are showing failed validation messages on the submitted form
on asp.net mvc 2 they introduced a way to save an instance in a hidden field ... encoded + (I think) signed
TempData if everything of the above doesn't do it (goes through session - cleaned on the next request)
as u mentioned, when using ajax the state is already in the previously loaded fields in the client site. If u l8r on need to do a full post, update any field u might need to with your js.
The above are all different independent options to achieve it that can be used in different scenarios. There are more options I didn't mention i.e. cookies, session, store stuff in db (like for a resumable multi step wizard), parameters passed to an action. There is no 1 single mechanism to rule them all, and there shouldn't be.
The best way to do this, i think, is to serialize your original model to a hidden field, then deserialize it and update the model on post. This is somewhat similair to the viewstate approach, only you have to implement it yourself. I use this:
first i need some methods that make things easier:
using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using System.Web.Mvc;
using LuvDaSun.Extensions;
using System.Web.UI;
namespace LuvDaSun.Web.Mvc
{
public static class HtmlHelperExtensions
{
static LosFormatter _losFormatter = new LosFormatter();
public static string Serialize(this HtmlHelper helper, object objectInstance)
{
var sb = new StringBuilder();
using (var writer = new System.IO.StringWriter(sb))
{
_losFormatter.Serialize(writer, objectInstance);
}
return sb.ToString();
}
}
[AttributeUsage(AttributeTargets.Parameter)]
public class DeserializeAttribute : CustomModelBinderAttribute
{
public override IModelBinder GetBinder()
{
return new DeserializeModelBinder();
}
}
public class DeserializeModelBinder : IModelBinder
{
static LosFormatter _losFormatter = new LosFormatter();
public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
if (bindingContext.ModelType.IsArray)
{
var type = bindingContext.ModelType.GetElementType();
var serializedObjects = (string[])bindingContext.ValueProvider.GetValue(bindingContext.ModelName).ConvertTo(typeof(string[]));
var deserializedObjects = Array.CreateInstance(bindingContext.ModelType.GetElementType(), serializedObjects.Length);
for (var index = 0; index < serializedObjects.Length; index++)
{
var serializedObject = serializedObjects[index];
var deserializedObject = _losFormatter.Deserialize(serializedObject);
deserializedObjects.SetValue(deserializedObject, index);
}
return deserializedObjects;
}
else
{
var serializedObject = (string)bindingContext.ValueProvider.GetValue(bindingContext.ModelName).ConvertTo(typeof(string));
var deserializedObject = _losFormatter.Deserialize(serializedObject);
return deserializedObject;
}
}
}
}
then in my controller i have something like this (to update a product)
public ActionResult Update(string productKey)
{
var model = _shopping.RetrieveProduct(productKey);
return View(model);
}
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Update([Deserialize]Shopping.IProduct _model, FormCollection collection)
{
UpdateModel(model);
model.Save();
return RedirectAfterPost();
}
and i need a hidden field that holds the serialized object in the form:
<%
using (Html.BeginRouteForm("Product", FormMethod.Post, new { id = UniqueID, }))
{
%>
<%= Html.Hidden("Model", Html.Serialize(Model)) %>
<h1>
Product bewerken</h1>
<p>
<label for="<%=UniqueID %>_Name">
Naam:</label>
<input id="<%=UniqueID %>_Name" name="Name" type="text" value="<%= Html.AttributeEncode(Model.Name) %>"
class="required" />
<br />
</p>
<p>
Omschrijving:<br />
<textarea id="<%= UniqueID %>_Description" name="Description" cols="40" rows="8"><%= Html.Encode(Model.Description) %></textarea>
<br />
</p>
<p>
<label for="<%=UniqueID %>_Price">
Prijs:</label>
<input id="<%= UniqueID %>_Price" name="Price" type="text" value="<%= Model.Price.ToString("0.00") %>"
class="required" />
<br />
</p>
<ul class="Commands">
<li>Annuleren</li>
<li>
<input type="submit" value="Opslaan" /></li>
</ul>
<%
}
%>
<script type="text/javascript">
jQuery('#<%= UniqueID %>').validate();
</script>
as you can see, a hidden field (Model) is added to the form. It contains the serialization information for the original object. When the form is posted, the hidden field is also posted (ofcourse) and the contents are deserialized by the custom modelbinder to the original object which is then updated and saved by the controller.
Do note that the object you are serializing needs to be decorated with the Serializable attribute or needs to have a TypeConverter that can convert the object to a string.
The LosFormatter (Limited Object Serialization) is used by the viewstate in webforms. It also offers encryptionn of the serialization data.
greets...
AJAX calls is what we do. If you're talking about grids in general, check out JQGrid and how they recommend the AJAX implementation.
Quick question regarding updating a list of items in asp.net mvc.
Basically I have an edit action method that returns a collection of objects (incidentally, the table structure of which looks as follows 'testID, assetID, Result' - a link table).
I basically want this items to be displayed one after another in a form and to be able to edit them. The form should post back and the modelbinder do its magic. But, its not that easy.
I have scoured the net and it seems the majority of the information about this stuff seems to be a little out of date. I've come across this post, which has not been updated in a long time, and this one which seems to suggest that you shouldn't bind to a already existing list for updating, and that there are problems when working with EF or Linq to Sql (which I am).
Is there an easy way to achieve what I want? Has the state of list model binding changed in the release version?
UPDATE - A little closer...
Here's my Edit method:
public ActionResult EditSurveyResults(Guid id)
{
var results = surveyRepository.GetSurveyResults(id);
return PartialView("EditSurveyResults", results);
}
And my form:
<div id="editSurveyResults">
<h2>
EditSurveryResults</h2>
<%= Html.ValidationSummary("Edit was unsuccessful. Please correct the errors and try again.") %>
<% using (Html.BeginForm())
{%>
<fieldset>
<legend>Results</legend>
<% int i = 0; foreach (var result in Model)
{ %>
<input type="hidden" name='results[<%= i %>].TestID' value='<%= result.TestID %>' />
<input type="hidden" name='results[<%= i %>].AssetID' value='<%= result.AssetID %>' />
<p>
<%= result.Task.TaskName%>
</p>
<p>
<label for="Result">
Result:</label>
<input type="text" name='results[<%= i %>].Result' value='<%= result.Result %>' />
<%= Html.ValidationMessage("Result", "*")%>
</p>
<% i++; } %>
<p>
<input type="submit" value="Save" />
</p>
</fieldset>
<% } %>
And my Edit POST method:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult EditSurveyResults(Guid id, IList<SurveyTestResult> results)
{
var oldValues = surveyRepository.GetSurveyResults(id);
if (ModelState.IsValid)
{
UpdateModel(oldValues);
surveyRepository.Save();
return Content("Done");
}
else
return PartialView("EditSurveyResults");
}
It's not complete of course, but it doesn't update anything in its current state. Am I missing a trick here? results is populated with the the updated entities so I'm not sure why its not updating...
UPDATE 2:
So, Im starting to think that the model binder cant do stuff like this. So, I've resorted to doing things in a more hacky way. If anyone can spot a problem with this then please let me know. FYI - this form will be grabbed with AJAX so I dont return a view, rather a simple message.
Here's the new code:
IList<SurveyTestResult> oldValues = surveyRepository.GetSurveyResults(id).ToList();
foreach (var result in SurveyTestResult)
{
//SurveyTestResult is the IList that comes down from the form.
SurveyTestResult thisone = oldValues.Single(p => p.AssetID == result.AssetID &&
p.TestID == result.TestID);
//update the old entity with the result from the new one
thisone.Result = result.Result;
}
And then I call Save on my repository.
Thanks in advance
One thing i noticed is that your not rendering <input type="hidden" name='results.Index' value='<%= i %>' /> as phil Haacks article mentions is mandatory.
Switching to a different Modelbinder might do the trick too. I use the DataAnnotations model binder and with that i dont have to generate .Index fields when binding to List's.
I have a form rendered via Html.BeginForm(), it exists as a component in the Master page so that it appears on every page in the application. I have done this using Html.RenderAction() from Mvc Futures assembly. It's a simple search form that updates some items in the same component underneigh the search form itself, and performs a GET so that the search term appears in the querystring.
<div class="sideBarContent">
<h2>Search Products</h2>
<% using (Html.BeginForm(ViewContext.RouteData.Values["action"].ToString(),
ViewContext.RouteData.Values["controller"].ToString(), FormMethod.Get)) { %>
<fieldset>
<legend>Search Products</legend>
<div class="formRow">
<label for="ProductsSearch">Search</label>
<%= Html.TextBox("ProductsSearch") %>
</div>
<input type="submit" value="Search" class="button" />
</fieldset>
<% } %>
<ul>
// Products will eventually be listed here
</ul>
</div>
I need this form to do the following:
1) It should perform a GET to whatever current page it is on appending 'ProductsSearch' as a querystring parameter (eg. example.com/?ProductsSearch=test or example.com/books/fiction?ProductsSearch=test)
2) It should remember any exising querystring parameters that are already in the querystring, maintaining them after you click Search button eg. example.com/myOrders?page=2 after Search click it should go to example.com/myOrders?page=2&ProductsSearch=test)
I can get it to do 1) but can't work out 2).
I relise that normally for a from to GET and appending querystring params it needs to have hidden form fields, so I could write a utility function that automatically adds a bunch of hidden form fields for any querystring values, but I wanted to check that there's wasn't an easier approach, or maybe I'm going about it the wrong way.
Cheers!
You'll need to do the hidden form field method.
Even if you could attach the entire querystring to the end of the URL in the action attribute of the <form> tag, browsers don't pay attention to this when doing GET form submissions.
Your method isn't too difficult; you'd want to do something like this:
public static string QueryStringAsHidden(this HtmlHelper helper)
{
var sb = new StringBuilder();
foreach (var key in HttpContext.Current.Request.QueryString.AllKeys)
{
if (! key.StartsWith("ProductSearch"))
sb.Append(helper.Hidden(key, HttpContext.Current.Request.QueryString[key]));
}
return sb.ToString();
}
I put the .StartsWith() in there because you don't want to be on a search page and submit the search string twice (and now you can prepend paging and other search-specific variables with ProductSearch.
Edit: PS: To get the form to post to the current page, you don't have to explicitly provide action and controller -- you can also send nulls.
Edit2: Why even bother with a helper method? :)
<% HttpContext.Current.Request.QueryString.AllKeys.Where(k => !k.StartsWith("ProductSearch")).ToList().ForEach(k => Response.Write(Html.Hidden(k, HttpContext.Current.Request.QueryString[k]))); %>
James
A direct to call BeginForm() does keep your query string values. Any other overload tends to fail. I love the ease of using BeginForm() from my forms, but needed a way to class all my styled forms a certain way an not lose the query string values in the action.
Here is what I came up with:
public static MvcForm BeginNormalForm<T>(this HtmlHelper<T> htmlHelper)
{
var dictionary = new Dictionary<string, object> {{"class", "normal"}};
var rvd = new RouteValueDictionary();
if (htmlHelper.ViewContext.HttpContext != null && htmlHelper.ViewContext.HttpContext.Request != null)
{
foreach (var key in htmlHelper.ViewContext.HttpContext.Request.QueryString.AllKeys)
{
rvd[key] = htmlHelper.ViewContext.HttpContext.Request.QueryString[key];
}
}
var form = htmlHelper.BeginForm(null, null, rvd, FormMethod.Post, dictionary);
return form;
}
Seems to work well and keeps my class attribute.
Use one of the overloads of BeginForm that takes a routeValues object or dictionary.
Additional properties not in the route will be added as query parameters.