使用 ASP.net MVC 和 JQuery 将 HTML 标记(代码)作为字符串发布
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/4759681/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Post HTML tag (codes) as string with ASP.net MVC & JQuery
提问by E-A
I'm trying to post a Form through a MVC Model into a Save function in a controller. I'm also using tinymce on the client side which results a HTML code based string such like <p> Content text blah blah ...</p>.
我正在尝试通过 MVC 模型将表单发布到控制器中的 Save 函数中。我还在客户端使用 tinymce,它会产生一个基于 HTML 代码的字符串,例如<p> Content text blah blah ...</p>.
The problem is that I cannot post a string that includes <p> something </p>But surprisingly, < p > something < / p >this string (with spaces after "<") has NO problem. But, I cannot handle this html code and make these spaces before posting every time. There must be a better way.
问题是我不能发布一个包含<p> something </p>但令人惊讶的是,< p > something < / p >这个字符串(“<”后有空格)没有问题。但是,我无法处理此 html 代码并在每次发布之前制作这些空格。一定会有更好的办法。
So, How can I post a string that includes HTML code through $.post method? (If you must know, this project is a Content Management System. So, I have to save the HTML based content text into a SQL table.) I saw by debugging, the post action does not evenreach to the Controller and I think this is a only javascript problem, am I right?
那么,如何通过 $.post 方法发布包含 HTML 代码的字符串?(如果你必须知道,这个项目是一个内容管理系统。所以,我必须将基于 HTML 的内容文本保存到一个 SQL 表中。)我通过调试看到,post 操作甚至没有到达控制器,我认为这是唯一的 javascript 问题,对吗?
Here is the code I am using:
Javascript
这是我正在使用的代码:
Javascript
function JqueryFromPost(formId) {
var form = $(formId);
var action = form.attr("action");
var serializedForm = form.serializeArray();
$.post(action, serializedForm, function (data) {
//Getting the data Result here...
});
}
CS Code
客户服务代码
[HttpPost]
public JsonResult SaveArticle(ArticleModel model)
{
JsonResult JResult = new JsonResult();
if (ModelState.IsValid)
//I do the saving here ending with "JResult.Data = "Success";" (this could also be Failed. So, its just to explain)
return JResult;
}
回答by Darin Dimitrov
ASP.NET has built-in request validation that automatically helps protect against XSS and HTML injection attacks. If you want to explicitly disable this validation you could decorate the action you are posting to with the [ValidateInput(false)]attribute:
ASP.NET 具有内置的请求验证,可自动帮助防止 XSS 和 HTML 注入攻击。如果您想显式禁用此验证,您可以使用以下[ValidateInput(false)]属性装饰您要发布的操作:
[HttpPost]
[ValidateInput(false)]
public ActionResult SaveArticle(ArticleModel model)
{
var JResult = new JsonResult();
if (ModelState.IsValid)
{
...
}
return JResult;
}
Also if you are running this on ASP.NET 4.0 for this attribute to take effect you need to add the following to your web.config:
此外,如果您在 ASP.NET 4.0 上运行它以使该属性生效,您需要将以下内容添加到您的 web.config 中:
<httpRuntime requestValidationMode="2.0" />
And if you are using ASP.NET MVC 3.0 you could decorate only the property on your model that requires HTML with the [AllowHtml]attribute:
如果您使用的是 ASP.NET MVC 3.0,则可以仅使用以下属性装饰模型上需要 HTML 的[AllowHtml]属性:
public class ArticleModel
{
[AllowHtml]
public string SomeProperty { get; set; }
public string SomeOtherProperty { get; set; }
}
Also in your javascript function you probably want serialize()instead of serializeArray():
同样在您的 javascript 函数中,您可能想要serialize()而不是serializeArray():
function JqueryFromPost(formId) {
var form = $(formId);
$.post(form.action, form.serialize(), function (data) {
//Getting the data Result here...
});
}
回答by QMaster
You shouldn't use ValidateInput(false) as MSN said here: http://msdn.microsoft.com/en-us/magazine/hh708755.aspxJust use [AllowHtml]on your model property you want take html.
您不应该使用 ValidateInput(false) 作为 MSN 在这里说:http: //msdn.microsoft.com/en-us/magazine/hh708755.aspx只需[AllowHtml]在您想要获取 html 的模型属性上使用。
[AllowHtml]
public String htmlContainer { get; set; }
Additionally I think that is better if you encode html and then post it to server.
另外,我认为如果您对 html 进行编码然后将其发布到服务器会更好。
回答by Satwik Vemula
Using [ValidateInput(false)]is a very bad practice which leads to many security breaches, [AllowHtml]on a model property is more secured and reliable way of doing this. But there is a much cleaner solution if you can't use a model property.
使用[ValidateInput(false)]是一种非常糟糕的做法,它会导致许多安全漏洞, 模型属性上的[AllowHtml]是一种更安全可靠的方法。但是,如果您不能使用模型属性,则有一个更简洁的解决方案。
Simply Encodethe text on Client Side(mycase javascript), Decodeit on the serve side(Controllerfunction). I used the below for my vb.net project.
只需在客户端对文本进行编码(mycase javascript),在服务端对其进行解码(控制器功能)。我在我的 vb.net 项目中使用了以下内容。
var SearchStringValue = <p> some blah...blah data </p>
var SearchStringValue = <p> some blah...blah data </p>
Now encodingthe above variable.
现在编码上述变量。
var encodedSearchStringValue = window.escape(document.getElementById('SearchStringValue').value)
var encodedSearchStringValue = window.escape(document.getElementById('SearchStringValue').value)
now pass encodeSearchStringValue to controller using ajax.
现在使用 ajax 将 encodeSearchStringValue 传递给控制器。
In the controller just decodethe variable to get <p> some blah...blah data </p>.
在控制器中只需解码变量即可获得<p> some blah...blah data </p>.
Dim SearchStringValue = HttpUtility.UrlDecode(encodeSearchStringValue)
Hope this helps......... :)
希望这可以帮助......... :)
