ASP.NET MVC3, Html.TextAreaFor without encoding? - asp.net-mvc

How can I use Html.TextAreaFor without encoding it?
I know it's a security risk but I have a separate class that sanitizes any text.
Example:
@Html.TextAreaFor(model => model.PostBodyText, 10, 100, 1)
I'm planning to use it with TinyMCE.
Regards
RaVen
UPDATE
I'm using the new Razor View Engine.

You will need to roll your own:
<textarea cols="100" id="PostBodyText" name="PostBodyText" rows="10">
@MvcHtmlString.Create(Model.PostBodyText)
</textarea>
Of course, in terms of security this could be very dangerous, as your site is now vulnerable to XSS attacks. So the question is: why have a separate class that sanitizes all the text when you can simply rely on the HTML helpers to do the job for you?

As an alternative option you might wanna use ValidateInput as described here. An example in MVC style would be:
[ValidateInput(false)]
public ActionResult Method()
{
    return View();
}

[ValidateInput(false)]
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Method(FormCollection form) // parameter so the two overloads differ
{
    // your stuff here
    return RedirectToAction("index"); // or something
}
I think that is more the MVC way to go. Now your controller tells you there is a security issue in that controller method. Your view can be any normal view using html helpers etc. Note that this enables all sorts of input, not filtered. It will work with TinyMCE though.
//edit
Whoops, I see you need to add
<httpRuntime requestValidationMode="2.0"/>
to web.config as well in new versions of MVC. Guess it might not be the way to go.

Use [AllowHtml] on the model property. As I learned in "In ASP.NET MVC 3, how do I get at the model using Razor Syntax in a Create() View?".
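Putting the last two answers together, as an added example (not code from any answer above): [AllowHtml] relaxes request validation for the one property TinyMCE posts, and the asker's sanitizing step runs in the controller before the value is stored. The sanitizer call assumes the Microsoft AntiXSS library (Microsoft.Security.Application) is referenced; the model, controller and action names are placeholders.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library, assumed referenced

public class PostViewModel
{
    // Request validation is switched off for this property only, not for the
    // whole action as [ValidateInput(false)] would do, so other fields keep it.
    [AllowHtml]
    public string PostBodyText { get; set; }
}

public class PostController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        return View(new PostViewModel());
    }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(PostViewModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Sanitize once, at the trust boundary, before anything is stored.
        // GetSafeHtmlFragment applies an allow-list of tags and attributes and
        // drops script elements, event-handler attributes and javascript: URLs.
        model.PostBodyText = Sanitizer.GetSafeHtmlFragment(model.PostBodyText ?? string.Empty);

        // ... persist model.PostBodyText here ...

        return RedirectToAction("Edit");
    }
}
```

In the edit view, @Html.TextAreaFor(m => m.PostBodyText, 10, 100, null) is all that is needed: the helper HTML-encodes the value, and the browser decodes entities inside a textarea back to the original markup, so TinyMCE receives it intact. @Html.Raw(...) belongs only in the page that displays the already sanitized post, never in the textarea.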

Related

No HTTP requests for certain controller methods

I'm currently reading a book about ASP.NET MVC3 to learn how to work with this framework. The concept of partial views is explained and although it's an easy concept, I have a small question about it.
This razor code is added to the view:
@{ Html.RenderAction("Summary", "Cart"); }
This calls the Summary() method on the CartController. The problem is: as a user, I can call this method via an HTTP request (GET/POST, ...), which shouldn't be possible.
I know there are attributes like [HttpPost] and [HttpGet] to permit only certain sorts of HTTP requests, but is there also an attribute to prevent these? Also, where can I find a list of available attributes?
Thanks
If you have a partial view, you are right that it has to be a public method, but it should not be addressable on its own. To achieve this you can decorate the action method with the [ChildActionOnly] attribute.
See this for details
http://msdn.microsoft.com/en-us/library/system.web.mvc.childactiononlyattribute.aspx
And for a list of similar attributes:
http://msdn.microsoft.com/en-us/library/system.web.mvc.filterattribute.aspx

Html encoding in MVC input

I'm working through NerdDinner and I'm a bit confused about the following section...
First they've added a form for creating a new dinner, with a bunch of textboxes declared like:
<%= Html.TextArea("Description") %>
They then show two ways of binding form input to the model:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create() {
    Dinner dinner = new Dinner();
    UpdateModel(dinner);
    ...
}
or:
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Create(Dinner dinner) { ... }
Ok, great, that all looks really easy so far.
Then a bit later on they say:
It is important to always be paranoid about security when accepting any user input, and this is also true when binding objects to form input. You should be careful to always HTML encode any user-entered values to avoid HTML and JavaScript injection attacks.
Huh? MVC is managing the data binding for us. Where/how are you supposed to do the HTML encoding?
You generally (but not always) want to HTML encode the values before writing them out, typically in your views, but possibly from the controller as well.
Some info here: http://weblogs.asp.net/scottgu/archive/2010/04/06/new-lt-gt-syntax-for-html-encoding-output-in-asp-net-4-and-asp-net-mvc-2.aspx

ASP.NET MVC ViewManager equivalent

I'm looking into ASP.NET MVC, and whether or not to make the switch. One thing that I do a heck of a lot in ASP.NET is to render HTML on AJAX callbacks and send it back to the client. I use a generic ViewManager for rendering User Controls.
I created a sample MVC App from the templates, and was looking for the RenderUserControl method inside a Controller. I found: System.Web.Mvc.Html.RenderPartialExtensions.RenderPartial but that doesn't seem to be what I'm looking for in this context.
Is there an equivalent to the ASP.NET ViewManager in MVC?
What you want to do is return a partial view:
public ActionResult IWillCallThisViaAjax()
{
    return PartialView("MyUserControlName");
}

Alternatives to server controls in MVC

What is the replacement for a server control in ASP.NET MVC? What I want to do is to create a declarative and imperative binding so I can write
<cc1:MyControl Header="Some Header" Content="Some Content" />
which would mean that an instance of the MyControl class will be created and possibly rendered to
<h1>Some Header</h1>
<p>Content</p>
I don't want any viewstate or postback crap, just the modularity. I also want these modules to be contained in a separate class library, so ViewUserControls will not do for me. Using server controls in the normal way works, but it generates a form tag and a viewstate field, which I do not want if I can avoid it.
I have seen this question and this one about how to use server controls in ASP.NET MVC, but they do not provide enough answer.
Edit: I found the answer. When I added the user control using the designer, it automatically created a <form> which I missed. If I simply remove that tag, everything works perfectly.
You can still use all controls in ASP.NET MVC if they don't require rendering in a server form.
ascx files and @Register directives still work pretty well. The great new thing is the Html.RenderPartial method that lets you pass a model object to a partial view (ascx) and have it render accordingly.
Just adding one more possibility to Mehrdad's answer: you can use extension methods to do a simple control like this:
<%= Html.MyControl( "Some header", "Some content" ) %>
Imports System.Runtime.CompilerServices
Imports System.Text
Imports System.Web
Imports System.Web.Mvc

Public Module MyControlExtensions
    <Extension()> _
    Public Function MyControl(ByVal htmlHelper As HtmlHelper, _
                              ByVal Header As String, _
                              ByVal Content As String) As String
        Dim sb As New StringBuilder()
        ' Encode both values so the helper stays safe when emitted with <%= %>
        sb.AppendFormat("<h1>{0}</h1>", HttpUtility.HtmlEncode(Header))
        sb.AppendFormat("<p>{0}</p>", HttpUtility.HtmlEncode(Content))
        Return sb.ToString()
    End Function
End Module
Or you can make a more complex control like this example: Create an ASP.NET MVC GridView Helper Method
Other than the controls which still work with ASP.Net MVC, you can use mvc controls.
Repeater example - dead link
Exploring ASP.Net MVC Futures - dead link
UPDATE: This answer was for ASP.Net MVC 1.0 in 2009. It is outdated and irrelevant at this point.

Any way to handle Put and Delete verbs in ASP.Net MVC?

Just wondering if anyone knows of a truly RESTful PUT/DELETE implementation for ASP.NET MVC, Preview 5 preferably.
Check out the mvccontrib project at http://www.mvccontrib.org.
In the source code a restful implementation has been added and it is current up to Preview 5. Check out the source code here - http://mvccontrib.googlecode.com/svn/trunk/src/MVCContrib/SimplyRestful
Rails uses a "method" parameter in the form and then fakes it, but calls the appropriate method if you designate it.
I understand most clients won't support restful stack, but can asp.net mvc, auto-negotiate these verbs and place them in the appropriately deemed actions?
I've been covering this in my blog http://shouldersofgiants.co.uk/blog/ where I'm looking at an entire RESTful web service based on ASP.Net and MVC
I don't know of one off the top of my head, but you might look into the way that Rails handles it if you don't find anything else, and try porting it over. Rails utilizes POST, GET, PUT, and DELETE, but it apparently has to do some fakery for PUT. Could be worth looking into if you come up dry here.
I think that the new AcceptVerbsAttribute in preview 5 should be capable of directing any type of request to a designated action. Marking a method like below in theory allows handling of all verbs but I haven't explicitly tested put or delete.
[AcceptVerbs("delete")]
public object DoDeleteAction()
{ ... }
With MVC Beta, you can now use an HttpVerbs enumeration.
here's an example...
[AcceptVerbs(HttpVerbs.Get)]
public ActionResult Index()
{ ... }
[AcceptVerbs(HttpVerbs.Post)]
public ActionResult Update()
{ ... }
[AcceptVerbs(HttpVerbs.Delete)]
public ActionResult Delete()
{ ... }
you get the idea.
hth :)
