Putting CAPTCHAs on their own page? - asp.net-mvc

We need to put a captcha image on our ASP.NET MVC 2 based website. We chose reCaptcha and built it in using the way described by Derik Whittaker. The idea there is basically to build some abstractions and all you need to do is decorate your Controller with a [ValidateCaptcha] attribute. This works all fine.
However, we have a lot of form-widgets in different pages and I don't want to have the captcha floating around everywhere. So I'd like to implement it the way StackOverflow does: Submit a Form -> Challenge Captcha -> Submit Captcha -> Perform Action on original form data.
Now, how do I redirect the user to the captcha page while keeping the originally submitted information?
I thought of some very ugly hacks (hidden fields w/ base64 encoded form data, etc.) but I think I'm missing something obvious. On the other hand, this sounds as if I wanted to do something in a stateful manner, and I shouldn't?

Session or persisting model state on the client comes to mind.
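One way to build the Submit -> Challenge -> Submit Captcha -> Perform Action flow on the server-side (Session) option from the answer above. This is an added example, not code from the question or from Derik Whittaker's post; it assumes a FeedbackModel class and the question's [ValidateCaptcha] attribute, and the parked form data never leaves the server, so there is nothing for the client to tamper with between the two steps.

```csharp
using System.Collections.Specialized;
using System.Web.Mvc;
using System.Web.Routing;
// Added example (not from the thread). Assumes FeedbackModel and the question's [ValidateCaptcha] attribute, which sets a ModelState error on a wrong answer.
public class CaptchaGateAttribute : ActionFilterAttribute
{
    public const string FormKey = "Captcha.Form", RouteKey = "Captcha.Route", PassedKey = "Captcha.Passed";
    // Step 1: park the posted fields server-side (the client never holds them) and detour to the captcha.
    public override void OnActionExecuting(ActionExecutingContext ctx)
    {
        var session = ctx.HttpContext.Session;
        session[FormKey] = new NameValueCollection(ctx.HttpContext.Request.Form);
        session[RouteKey] = new RouteValueDictionary(ctx.RouteData.Values);
        ctx.Result = new RedirectToRouteResult(new RouteValueDictionary(new { controller = "Captcha", action = "Challenge" }));
    }
}

public class CaptchaController : Controller
{
    public ActionResult Challenge() { return View(); }   // step 2: render the reCAPTCHA widget
    [HttpPost, ValidateCaptcha]
    public ActionResult Challenge(FormCollection answer)
    {
        if (!ModelState.IsValid) return View();          // wrong answer: challenge again
        var route = Session[CaptchaGateAttribute.RouteKey] as RouteValueDictionary;
        if (route == null) return RedirectToAction("Index", "Home");   // nothing parked (expired or direct POST)
        Session[CaptchaGateAttribute.PassedKey] = true;  // one-shot flag, consumed by Resume
        return RedirectToAction("Resume", (string)route["controller"]);
    }
}

public class FeedbackController : Controller
{
    [HttpPost, CaptchaGate]                              // the gate intercepts every direct POST
    public ActionResult Send(FeedbackModel model)
    {
        if (!ModelState.IsValid) return View(model);
        return View("Sent");                             // persist or e-mail the feedback first
    }
    // Step 3: GET target after a solved captcha; rebinds the parked fields and runs the real action.
    public ActionResult Resume()
    {
        var form = Session[CaptchaGateAttribute.FormKey] as NameValueCollection;
        if (Session[CaptchaGateAttribute.PassedKey] == null || form == null) return RedirectToAction("Index");
        Session.Remove(CaptchaGateAttribute.FormKey); Session.Remove(CaptchaGateAttribute.PassedKey);   // both single-use
        var model = new FeedbackModel();
        TryUpdateModel(model, new NameValueCollectionValueProvider(form, null));   // same binding as a direct POST
        return Send(model);                              // called directly, so the gate filter does not run again
    }
}
```

Because the pass flag is removed in Resume, one solved captcha unlocks exactly one parked submission; a second POST goes through the challenge again.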

Related

Client-Side Validation with MVC

I need to create a multi-step wizard using ASP.NET MVC.
After thinking about this a while, I feel like the most efficient solution is to put the content for all my wizard steps in a single view, and just step through them by hiding and showing elements using jQuery.
But one area I'm not totally at ease with is MVC validation. How could I validate each step this way? Seems like I won't know for sure if the data is valid until the final step is completed and the entire page is posted back to the server.
Any suggestions?
You can validate individual controls using Validator.element(element) - see documentation here. An example of the approach I think you are taking is in this answer

Rails best practice when embedding a signup form on every page

I have a User model with some validations behind it.
What I'd like to do is have a signup form on every page of the app, even the mostly static ones.
I figured the best way to do this would be through helper methods in application_helpers.rb, which works fine, but validations don't seem to work.
I can also serve the form through an iframe, but that seems a bit hacky.
I'm using partials now, but my client side validation (github.com/bcardarella/client_side_validations) only works on the /new page, not the application page.
What's the best practice in this case?
I would recommend extracting the signup form into a shared partial, which you then explicitly could render wherever you want it.
One could render the signup form directly in the layout file (app/views/layout/application.html.erb) if the placement is static no matter of what page you're currently on.
One of the basic solutions is to use partial. The benefit is: it's built in, it's simple. The downside is: you'll be busy feeding it some session details for proper rendering.
Another solution is to use Cells for this kind of case.
Cells works like a lightweight controller which can do anything a controller can do, and it's independent of any controller. One good use case of Cells is a shopping cart, and a login form is also a good use case in my opinion.

Do a full non-ajax post from a partial view in asp.net mvc

This is more of an out of interest question than an urgently need an answer one, but I have been trying to find a good example of how to deal with a full postback from a partial view in asp.net MVC. The obvious example is the case where you have a small login form on every page. You can easily accomplish this through an asynchronous post back using jquery, but I am wondering if there is a way to do it without the use of javascript. I know it may be pedantic, but I don't like the idea of assuming the client has javascript enabled, particularly in this day and age where responsive design/ progressive enhancements are the big buzzwords around, so having your log in tied to javascript means that anyone on a simple mobile device won't be able to use it since their device probably won't support it.
Anyone have any ideas / examples of how to accomplish this? It's such a simple thing to implement in web forms I can't believe it's as tricky as I've heard it made out to be in MVC.
You just need a form within the view, that's all. The form will POST to its controller action method and generate a full page refresh (if that's what you mean by a full postback - I guess it is) irrespective of whether it's a partial or not.
You can have multiple forms on an MVC view, and each one of them will give you a full page refresh, whereas with WebForms the pattern was one main form per page.

HTML Submit button vs AJAX based Post (ASP.NET MVC)

I'm after some design advice.
I'm working on an application with a fellow developer. I'm from the Webforms world and he's done a lot with jQuery and AJAX stuff. We're collaborating on a new ASP.MVC 1.0 app.
He's done some pretty amazing stuff that I'm just getting my head around, and used some 3rd party tools etc. for datagrids etc.
but...
He rarely uses Submit buttons whereas I use them most of the time. He uses a button but then attaches Javascript to it that calls an MVC action which returns a JSON object. He then parses the object to update the datagrid. I'm not sure how he deals with server-side validation - I think he adds a message property to the JSON object. A sample scenario would be to "Save" a new record that then gets added to the gridview.
The user doesn't see a postback as such, so he uses jQuery to disable the UI whilst the controller action is running.
TBH, it looks pretty cool.
However, the way I'd do it would be to use a Submit button to postback, let the ModelBinder populate a typed model class, parse that in my controller Action method, update the model (and apply any validation against the model), update it with the new record, then send it back to be rendered by the View. Unlike him, I don't return a JSON object, I let the View (and datagrid) bind to the new model data.
Both solutions "work" but we're obviously taking the application down different paths so one of us has to re-work our code... and we don't mind whose has to be done.
What I'd prefer though is that we adopt the "industry-standard" way of doing this. I'm unsure as to whether my WebForms background is influencing the fact that his way just "doesn't feel right", in that a "submit" is meant to submit data to the server.
Any advice at all please - many thanks.
The thing you need to take into consideration is how the application will work if javascript is not available. You should strive to ensure that the basic functionality works without it. This is called progressive enhancement or unobtrusive javascript and is considered a best practice.
http://en.wikipedia.org/wiki/Progressive_enhancement
The way you should do it is to use a form with a real submit button and then hijack that form to use ajax if the User Agent supports it. This is usually pretty trivial to do using the jquery forms plugin. In your action method, you can check to see if the incoming request is an ajax request by checking the Request.IsAjaxRequest property. This is set by MVC automatically on requests that have the X-Requested-With header set to XMLHttpRequest. Then you would return a full view or just some json based on that.
Here's a short screencast demonstrating this: http://www.youtube.com/watch?v=YQsFR1rkgMU&feature=player_embedded
Both solutions are viable, though using submit buttons will make your application more accessible (i.e. JavaScript will not be required in order to use it).
You could also do both - start with a page that has all the necessary logic using postbacks, and "upgrade" it with nice AJAX-y requests and animations. This way, users with JavaScript will get the eye candy, and the page will gracefully degrade when a user without JavaScript visits the page, falling back to the postback mechanism.
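The single-action pattern from the answers above (real submit button, hijacked to AJAX when available), written out as an added example that is not code from the thread. Record and RecordStore are constructed stand-ins; Request.IsAjaxRequest() is the MVC extension method that checks the X-Requested-With header.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;

// Constructed model and store so the example is self-contained (not from the thread).
public class Record { [Required] public string Name { get; set; } public decimal Amount { get; set; } }

public static class RecordStore
{
    static readonly List<Record> Items = new List<Record>();
    public static void Add(Record r) { Items.Add(r); }
    public static IList<Record> All() { return Items; }
}

public class RecordsController : Controller
{
    public ActionResult Index() { return View(RecordStore.All()); }   // full page with the grid and the form

    [HttpPost]
    public ActionResult Save(Record record)
    {
        // True only when the client sent "X-Requested-With: XMLHttpRequest" (jQuery does this for you).
        // The header is client-controlled, so it may pick the response format, never an authorization path.
        bool ajax = Request.IsAjaxRequest();
        if (!ModelState.IsValid)
        {
            // Same server-side validation for both paths; only the way the messages travel differs.
            var errors = ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage).ToArray();
            return ajax ? (ActionResult)Json(new { ok = false, errors })
                        : View("Index", RecordStore.All());   // re-render the page, messages come from ModelState
        }
        RecordStore.Add(record);
        return ajax ? (ActionResult)Json(new { ok = true, record })   // the script appends the row to the grid
                    : RedirectToAction("Index");                     // post/redirect/get for the no-JavaScript path
    }
}
```

Without script the browser posts the form and gets a redirect to the refreshed page; with script the same URL answers with JSON and no page load.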

Trapping ValidateInput

If I have a search box on my page I clearly do not want the user to input any code that may be dangerous.
However, I have a lot of data entry pages and each one needs to have ValidateInput(false) on the controllers.
I don't want to allow dangerous input, but I also don't want to handle this in each and every controller.
Is there a way that the default, and ugly, .Net error message can be overwritten, or is there a uniform way of handling this across controllers?
EDIT
I think maybe I didn't ask the question correctly.
For every data entry page I have, I have to turn off Input Validation. This becomes somewhat boring and cumbersome. Each time I accept input I need to HTMLEncode and then HTMLDecode later.
Is there a way to do this in one central place and automatically?
About output:
Here's an interesting post.
And another one from Steve Sanderson.
I just read that post some time ago - haven't tried myself.
Give some feedback how it turns out.
About input:
You could try to mess around with the model binder and HtmlEncode the values it takes.
ASP.NET and MVC don't allow HTML submissions by default. You have to actively enable this. See the ValidateInputAttribute for more information.
Also, even more important than not allowing HTML input is not displaying user submitted HTML when you create output. That's why all of the default generated views use Html.Encode, and why you should, too.
Update in response to edited question
Yes, it's possible (though probably not advisable) to turn off ValidateInput globally. Make a parent controller type, and put
[ValidateInput(false)]
...on the class.
Also, I don't recommend encoding input. If you allow users to input HTML, I'd store that as-is. Your web app might not be the only thing which queries your DB! In terms of filtering out "dangerous" HTML, that's extraordinarily difficult. I'd use a tested, third-party sanitization library.
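The base-controller approach from the answer above, with the data stored as received and the encoding done where it belongs, at render time. This is an added example and not code from the thread; Comment and CommentStore are constructed stand-ins.

```csharp
using System.Collections.Generic;
using System.Web.Mvc;

// Added example (not from the thread). One place to relax request validation for the whole
// data-entry area: ValidateInputAttribute is inherited, so every action on every derived
// controller skips the "potentially dangerous Request.Form value" check.
[ValidateInput(false)]
public abstract class HtmlInputControllerBase : Controller { }

// Constructed model and in-memory store so the example runs on its own.
public class Comment { public string Author { get; set; } public string Body { get; set; } }

public static class CommentStore
{
    static readonly List<Comment> Items = new List<Comment>();
    public static void Add(Comment c) { Items.Add(c); }      // stored exactly as received, no HtmlEncode
    public static IList<Comment> All() { return Items; }
}

public class CommentsController : HtmlInputControllerBase    // inherits [ValidateInput(false)]
{
    public ActionResult Index() { return View(CommentStore.All()); }

    [HttpPost]
    public ActionResult Create(Comment comment)
    {
        if (!ModelState.IsValid) return View(comment);
        // Not encoded here: other consumers of the database (reports, APIs) get the original text,
        // and nothing has to be HtmlDecoded later. Untrusted markup is neutralised when rendered.
        CommentStore.Add(comment);
        return RedirectToAction("Index");
    }
}

// In the Index view, the encoding happens at output for every field that came from a user:
//   vulnerable:  <%= item.Body %>                 (renders user markup, including <script>)
//   safe:        <%= Html.Encode(item.Body) %>    (MVC 2; on .NET 4 the <%: item.Body %> syntax encodes too)
// If some HTML must be rendered live, pass it through a tested sanitization library first,
// at output time, rather than trying to filter "dangerous" tags on the way in.
```

Caveat for MVC 2 on .NET 4: request validation runs earlier in the pipeline there, so [ValidateInput(false)] only takes effect with `<httpRuntime requestValidationMode="2.0" />` in web.config.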