Is there a utility function for escaping JavaScript in ASP.NET MVC views? I often need to init a little snippet of JavaScript using some values from the view; for instance I may have something like:
<script type="text/javascript">
var page = new Page({ currentUser: "<%= Model.UserName %>" });
page.init();
</script>
I would expect something like:
<script type="text/javascript">
var page = new Page({ currentUser: "<%= Html.JavaScriptEscape(Model.UserName) %>" });
page.init();
</script>
I could, of course, write the function myself. But since there are already built-in utilities form HTML encoding, and since one of the selling points of ASP.NET MVC is that the <% %> is the default rendering mode, and since what I'm trying to achieve is quite common, it makes me wonder why I cannot find anything like that already built-in. Is there, for instance, an easy and elegant way to serialize an object to JSON in views?
Or am doing something against ASP.NET MVC principles? When I hit a problem like this, it usually makes it think that either I’m doing something wrong since I assume that the framework designers spent some time thinking about real world scenarios.
In .NET 4, The HttpUtility class has a variety of static encoding methods for various contexts, including a JavaScriptStringEncode method for this particular purpose.
It's often simpler to just use JSON deserialization, though.
In MVC 5 using Razor templates, the following is possible:
<script type="text/javascript">
var page = new Page({ currentUser: #Html.Raw(Json.Encode(Model.UserName)) });
page.init();
</script>
After some time working in ASP.NET MVC, I concluded that (most likely) there is no build-in helper for it. Of course, it's trivial to write your own. Here is it for the sake of completeness:
using System.Web.Mvc;
using System.Web.Script.Serialization;
namespace MyProject.Helpers
{
public static class JsonExtensions
{
public static string Json(this HtmlHelper html, object obj)
{
JavaScriptSerializer jsonSerializer = new JavaScriptSerializer();
return jsonSerializer.Serialize(obj);
}
}
}
In a view, it can be used as follows:
<script type="text/javascript">
var page = new Page(<%= Html.Json(new { currentUser: Model.UserName } ) %>);
page.init();
</script>
In my case I needed a string not a json object and this is for Asp.Net Core:
#functions{
public Microsoft.AspNetCore.Html.IHtmlContent ToJS(string value)
{
return Html.Raw("'" + value.Replace("'", "\\'").Replace("\r", "\\r").Replace("\n", "\\n") + "'");
}
public Microsoft.AspNetCore.Html.IHtmlContent ToJS(int value)
{
return Html.Raw("" + value);
}
}
This will escape the ' and end of line characters. Also it leaves numbers (int) as a number. This could be overloaded to include float, decimal, etc. as needed.
So, I don't have to think about it or do anything different for each type:
var serverName = #ToJS(m.ServerName);
var appSiteUrl = #ToJS(m.SiteUrl);
var facebookId = #ToJS(m.FacebookAppId);
Related
What is equivalent of MVC5's #Json.Encode method in MVC6? In MVC5 we can access those methods in views. But I can't find any methods which I can access from MVC 6 views.
I don't want to write a helper method if there is already a built in feature in MVC6.
After some search, found it:
#inject IJsonHelper Json;
#Json.Serialize(...)
I've had success with the following:
#Html.Raw(Newtonsoft.Json.JsonConvert.SerializeObject(myObj) as String)
I'm not sure if Json.Encode has made it in yet because it was a part of System.Web which is gone now.
One of the features of #Json.Encode() was automatic HTML encoding of entities within JSON strings, which is helpful to avoid XSS vulnerabilities. The JsonHelper class is based on Json.NET serialization now, which does support at least some (or all) of this same functionality if configured properly. The other solutions here can be vulnerable to XSS attacks if untrusted data is serialized.
Quick example of a vulnerability:
<script>
window.something = #Json.Serialize(new { someprop = "Hello</script><script>alert('xss')</script><script>" });
</script>
Will be rendered as
<script>
window.something = {"someprop":"Hello
</script>
<script>alert('xss')</script>
<script>"};</script>
To properly configure Json.NET to escape HTML entities would be to use the #Json.Serialize(object, serializerSettings) overload and override StringEscapeHandling to EscapeHTML. The settings could be defined in a helper class or injected.
#using Newtonsoft.Json
<script>
#{
var settings = new JsonSerializerSettings {StringEscapeHandling = StringEscapeHandling.EscapeHtml};
}
window.something = #Json.Serialize(new { someprop = "Hello</script><script>alert('xss')</script><script>" }, settings);
</script>
Which is rendered instead as:
<script>
window.something = {"someprop":"Hello\u003c/script\u003e\u003cscript\u003ealert(\u0027xss\u0027)\u003c/script\u003e\u003cscript\u003e"};
</script>
Some other methods of safely serializing data to the page in ASP.NET Core can be found here: https://github.com/aspnet/Docs/blob/master/aspnetcore/security/cross-site-scripting.md
Imagine some javascript codes will be add razor pages.
<script type="text/javascript">
$(function () {
$('#photogallery a.lightbox').lightBox();
$('#photogallery').infiniteCarousel({ imagePath: '/Content/Images/Components/InfiniteCarousel/', autoStart: false });
$(".flows").collapsiblePanel();
$(".tab#Model.id").tabs();
});
</script>
This code need some html element defined css class by .tab and .flows.
There is no sense for flows but .tab#model.id build in run time -because it need model-.
I would like define an attribute for controller method and I would like to add automaticaly with code.
How
[JavaScript("menu.js")]
public ActionResult Menu(object param)
{
return PartialView(this.categoryService.GetAllCategories()[0]);
}
and razor view will have automaticaly produced code with
...
$(".tab#Model.id").tabs();
...
Is it phantasy or could be implemented in real life.
Thanks
Your Javascript block will work fine as-is.
Just put it in the view.
I have a model that contains a collection, such as this:
class MyModel
{
public List<MySubModel> SubModels { get; set; }
}
In the view, I want to dynamically add/remove from this list using Javascript before submitting. Right now I have this:
$("#new-submodel").click(function () {
var i = $("#submodels").children().size();
var html = '<div>\
<label for="SubModels[' + i + '].SomeProperty">SomeProperty</label>\
<input name="SubModels[' + i + '].SomeProperty" type="textbox" />\
</div>'
$("#submodels").append(html);
});
This works, but it's ugly. And, if I want to show those labels/textboxes for the existing items, there's no clean way to do that either (without duplicating).
I feel like I should be able to use Razor helpers or something to do this. Any ideas? Help me stay DRY.
You approach may lead to unexpected errors if you when you are removing or adding the divs. For example you have 4 items, you remove the first item, then $('#submodels').children().size() will return 3, but your last inserted div has the name attribute value set SubModels[3].SomeProperty which results in a conflict. And if your posted values contain SubModels[1] but not SubModels[0] the default model binder will fail to bind the list (it will bind it as null). I had to learn this the hard way...
To eliminate the aforementioned problem (and your's) I suggest you do something like this:
$("#addBtn").click(function() {
var html = '<div class="submodel">\
<label>SomeProperty</label>\
<input type="textbox" />\
</div>'; // you can convert this to a html helper!
$("#submodels").append(html);
refreshNames(); // trigger after html is inserted
});
$(refreshNames); // trigger on document ready, so the submodels generated by the server get inserted!
function refreshNames() {
$("#submodels").find(".submodel").each(function(i) {
$(this).find("label").attr('for', 'SubModels[' + i + '].SomeProperty');
$(this).find("label").attr('input', 'SubModels[' + i + '].SomeProperty');
});
}
Then your view (or even better an EditorTemplate for the SubModel type) can also generate code like:
<div class="submodel">
#Html.LabelFor(x => x.SomeProperty);
#Html.EditorFor(x => x.SomeProperty);
</div>
It would also be possible to convert the code generation to a html helper class, and use it in the EditorTemplate and in the JavaScript code
I would recommend you going through the following blog post.
What is the equivalent to Page.ResolveUrl in ASP.NET MVC available in the Controller?
It is Url.Content:
ASPX:
<link rel="stylesheet" href="<%= Url.Content("~/Content/style.css") %>" type="text/css" />
Razor:
<link rel="stylesheet" href="#Url.Content("~/Content/style.css")" type="text/css" />
This should do what you're looking for...
System.Web.VirtualPathUtility.ToAbsolute("~/")
Here are a whole bunch of ways to resolve a path that uses that application root operator (~)
UrlHelper.Content
HttpServerUtility.MapPath
WebPageExecutingBase.Href
VirtualPathUtility.ToAbsolute
Control.ResolveUrl
To call any method with inline code on an asp.net page, the method either needs to be exposed as an instance variable on the current object, or available as a static/shared method.
A typical MVC page gives us access to quite a few of these as properties via the WebViewPage. Ever wonder when you type #ViewData, you get magically wired up to the ViewData? That's because you have hit a property exposed by the MVC page you're on.
So to call these methods, we don't necessarily refer to the type they represent, but the instance property that exposes them.
We can call the above instance methods like this (respectively):
href="#Url.Content("~/index.html")"
href="#Server.MapPath("~/index.html")"
href="#Href("~/index.html")"
We can do this to call a shared method that doesn't need an instance:
href="#VirtualPathUtility.ToAbsolute("~/index.html")"
AFAIK, an MVC page doesn't automatically create an instance of anything from the System.Web.UI namespace, from which ResolveUrl inherits. If, for some reason, you really wanted to use that particular method, you could just new up a control and use the methods it exposes, but I would highly recommend against it.
#Code
Dim newControl As New System.Web.UI.Control
Dim resolvedUrl = newControl.ResolveUrl("~/index.html")
End Code
href="#resolvedUrl"
That all said, I would recommend using #Url.Content as it fits best with MVC paradigms
UrlHelper.Content() does the same thing as Control.ResolveUrl().
For Further References:
http://stephenwalther.com/archive/2009/02/18/asp-net-mvc-tip-47-ndash-using-resolveurl-in-an-html.aspx
You don't need to do this anymore in Razor v2.0/ASP.NET MVC 4.
Just use the "~" in a razor page and it will resolve it for you.
<link rel="stylesheet" href="~/Content/style.css" type="text/css" />
Source
In my case, I find #Href not being enough in the way it deals with query strings in a URL. I prefer to wrap it inside the Raw method:
<script>
var isKendoWindow = false;
var myTimeOut;
clearTimeout(myTimeOut);
var sessionTimeout = (#Session.Timeout * 60000) - 5;
function doRedirect() {
if (!isKendoWindow)
window.location.href = '#Html.Raw(Href("~/Logon.aspx?brandid=" + SessionController.LandingBrandId + "&errCode=5055"))';
}
myTimeOut = setTimeout('doRedirect()', sessionTimeout);
</script>
Or you can create your own version like this:
public static IHtmlString ResolveUrl(this HtmlHelper htmlHelper, string url)
{
var urlHelper = new UrlHelper(htmlHelper.ViewContext.RequestContext);
return htmlHelper.Raw(urlHelper.Content(url));
}
Another way to solve this issue:
Resolve the url in a code block at the top of the page or in code behind.
#page
#model IndexModel
#{
ViewData["Title"] = "Home page";
Layout = "~/Pages/Shared/_IndexLayout.cshtml";
String img1 = Url.Content("~/img/people11.jpg");
}
Then use the variable in the html.
<div class="col-12 col-lg-8" style="background-image: url('#img1');"> </div>
Server.MapPath() //returna full path
or
url.content()
try using Server.MapPath().
The premise:
Get a dropdownlist's content based on the value selected in the first one.
Literal data returns successfully.
LINQ queries on a LINQ2SQL Datacontext fail.
Being a total rookie at this MVC/LINQ/jQuery stuff, I battled for HOURS on end trying to figure out what was wrong w/ my understanding of the code. When i hard coded my values, everything worked fine, but as soon as i tried to query a LINQ2SQL datacontext, all sorts of wierd stuff started to happen and, finally, when i duplicated the query results into a new object everything worked again! Forgive my lack of linguistic prowess when it comes to LINQ, but, I think it has to do with the "connectedness" of LINQ2SQL's data. When I create another list representing the queried data, all is well, but if i try to use the queried data itself, jQuery's world falls apart (and without erroring too - which made it hard to figure out).
I would basically like a reference to or an explanation of LINQ2SQL's "connectedness" and how/why it's a problem, especially in these remote/asynchronous calling situations!
See the code below - hope it makes sense & thank you in advance :)
Basic Layout:
<script type="text/javascript">
$(document).ready(function() {
$("#CaseTypeCategoryId").change(function() {
$.getJSON("/Cases/CaseNatures", { caseTypeCategoryId: $("#CaseTypeCategoryId option:selected").val() }, function(data) {
$("#CaseNatureId option").remove();
$("#CaseNatureId").fillSelect(data);
});
});
});
</script>
<p>
<label for="CaseTypeCategoryId">Case Type:</label>
<%= Html.DropDownList("CaseTypeCategoryId") %>
</p>
<p>
<label for="CaseNatureId">Case Nature</label>
<select id="CaseNatureId" name="CaseNatureId></select>
</p>
Controller.aspx
Initially it was just a SelectList() { new ListItem() { Text = "--Select A Case Nature--", Value = "" }}
and it worked just fine! Then I tried
public JsonResult CaseNatures(int caseTypeCategoryId)
{
return this.Json(_caseService.GetCaseNatures(caseTypeCategoryId)
.ToList());
}
This failed - no javascript errors, no compilation issues, couldn't figure it out until i tried dumping the data into a new list manually and i finally settled on:
public JsonResult CaseNatures(int caseTypeCategoryId)
{
List returnList = new List();
returnList.Add(new ListItem() { Text = "--Select A Case Nature--", Value = "" });
_caseService.GetCaseNatures(caseTypeCategoryId)
.ToList()
.ForEach(p => returnList.Add(new ListItem() { Value = p.CaseNatureId.ToString(), Text = p.CaseNatureText }));
return this.Json(returnList);
}
Look here - similar problem.
Use JsonRequestBehavior.AllowGet in your sentence:
this.Json(_caseService.GetCaseNatures(caseTypeCategoryId)
.ToList(),JsonRequestBehavior.AllowGet);