asp.net-mvc 允许用户在 ASP.NET MVC 中输入 HTML - ValidateInput 或 AllowHtml
声明:本页面是StackOverFlow热门问题的中英对照翻译,遵循CC BY-SA 4.0协议,如果您需要使用它,必须同样遵循CC BY-SA许可,注明原文地址和作者信息,同时你必须将它归于原作者(不是我):StackOverFlow
原文地址: http://stackoverflow.com/questions/3621272/
Warning: these are provided under cc-by-sa 4.0 license. You are free to use/share it, But you must attribute it to the original authors (not me):
StackOverFlow
Allow User to input HTML in ASP.NET MVC - ValidateInput or AllowHtml
提问by Rabbi
How can I allow a user to input HTML into a particular field using ASP.net MVC.
如何允许用户使用 ASP.net MVC 将 HTML 输入到特定字段中。
I have a long form with many fields that get mapped to this complex object in the controller.
我有一个很长的表单,其中包含许多映射到控制器中这个复杂对象的字段。
I would like to make one field (the description) allow HTML which I will preform my own sanitation on at a later point.
我想让一个字段(描述)允许 HTML,我将在稍后执行我自己的卫生。
回答by Kelsey
Add the following attribute the action (post) in the controller that you want to allow HTML for:
在您希望允许 HTML 的控制器中添加以下属性 action (post):
[ValidateInput(false)]
Edit:As per Charlinocomments:
编辑:根据Charlino 的评论:
In your web.config set the validation mode used. See MSDN:
在您的 web.config 中设置使用的验证模式。见MSDN:
<httpRuntime requestValidationMode="2.0" />
Edit Sept 2014:As per sprinter252comments:
2014 年 9 月编辑:根据sprinter252评论:
You should now use the [AllowHtml]attribute. See below from MSDN:
您现在应该使用该[AllowHtml]属性。请参阅下面的MSDN:
For ASP.NET MVC 3 applications, when you need to post HTML back to your model, don't use ValidateInput(false) to turn off Request Validation. Simply add [AllowHtml] to your model property, like so:
public class BlogEntry { public int UserId {get;set;} [AllowHtml] public string BlogText {get;set;} }
对于 ASP.NET MVC 3 应用程序,当您需要将 HTML 发送回模型时,不要使用 ValidateInput(false) 关闭请求验证。只需将 [AllowHtml] 添加到您的模型属性中,如下所示:
public class BlogEntry { public int UserId {get;set;} [AllowHtml] public string BlogText {get;set;} }
回答by cryss
What about [AllowHtml]attribute above property?
什么[AllowHtml]上述财产属性?
回答by Eugene Bosikov
Add to model:
添加到模型:
using System.Web.Mvc;
And to your property
和你的财产
[AllowHtml]
[Display(Name = "Body")]
public String Body { get; set; }
This code from my point the best way avoid this error. If you are using HTML editor you will not have security issues because it already restricted.
从我的角度来看,这段代码是避免此错误的最佳方法。如果您使用的是 HTML 编辑器,您将不会遇到安全问题,因为它已经受到限制。
回答by diegosasw
Adding [AllowHtml]on the specific property is the recommended solution as there are plenty of blogs and comments suggesting to decrease the security level, which should be unacceptable.
添加[AllowHtml]特定属性是推荐的解决方案,因为有大量博客和评论建议降低安全级别,这应该是不可接受的。
By adding that, the MVC framework will allow the Controller to be hit and the code in that controller to be executed.
通过添加它,MVC 框架将允许命中控制器并执行该控制器中的代码。
However, it depends on your code, filters, etc. how the response is generated and whether there is any further validation that might trigger another similar error.
但是,这取决于您的代码、过滤器等。响应是如何生成的,以及是否有任何进一步的验证可能会触发另一个类似的错误。
In any case, adding [AllowHtml]attribute is the right answer, as it allows html to be deserialized in the controller. Example in your viewmodel:
在任何情况下,添加[AllowHtml]属性都是正确的答案,因为它允许在控制器中反序列化 html。您的视图模型中的示例:
[AllowHtml]
public string MessageWithHtml {get; set;}
回答by ViRuSTriNiTy
I faced the same issue although i added [System.Web.Mvc.AllowHtml]to the concerning property as described in some answers.
尽管我添加[System.Web.Mvc.AllowHtml]了一些答案中描述的相关属性,但我遇到了同样的问题。
In my case, i have an UnhandledExceptionFilterclass that accesses the Request object beforeMVC validation takes place (and therefore AllowHtml has not effect) and this access raises a [HttpRequestValidationException] A potentially dangerous Request.Form value was detected from the client.
就我而言,我有一个在MVC 验证发生之前UnhandledExceptionFilter访问 Request 对象的类(因此 AllowHtml 无效)并且此访问引发.[HttpRequestValidationException] A potentially dangerous Request.Form value was detected from the client
This means, accessing certain properties of a Request object implicitly fires validation (in my case its the Paramsproperty).
这意味着,访问 Request 对象的某些属性会隐式触发验证(在我的例子中是它的Params属性)。
A solution to prevent validation is documented on MSDN
MSDN上记录了防止验证的解决方案
To disable request validation for a specific field in a request (for example, for an input element or query string value), call the Request.Unvalidated method when you get the item, as shown in the following example
要禁用请求中特定字段的请求验证(例如,对于输入元素或查询字符串值),请在获取项目时调用 Request.Unvalidated 方法,如下例所示
Therefore, if you have code like this
因此,如果你有这样的代码
var lParams = aRequestContext.HttpContext.Request.Params;
if (lParams.Count > 0)
{
...
change it to
将其更改为
var lUnvalidatedRequest = aRequestContext.HttpContext.Request.Unvalidated;
var lForm = lUnvalidatedRequest.Form;
if (lForm.Count > 0)
{
...
or just use the Formproperty which does not seem to fire validation
或者只是使用Form似乎不会触发验证的属性
var lForm = aRequestContext.HttpContext.Request.Form;
if (lForm.Count > 0)
{
...
回答by Alex
If you need to allow html input for action-method parameter(opposed to "model property") there's no built-in way to do that but you can easily achieve this using a custom model binder:
如果您需要允许动作方法参数的html 输入(与“模型属性”相反),则没有内置方法可以做到这一点,但您可以使用自定义模型绑定器轻松实现这一点:
public ActionResult AddBlogPost(int userId,
[ModelBinder(typeof(AllowHtmlBinder))] string htmlBody)
{
//...
}
The AllowHtmlBinder code:
AllowHtmlBinder 代码:
public class AllowHtmlBinder : IModelBinder
{
public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
var request = controllerContext.HttpContext.Request;
var name = bindingContext.ModelName;
return request.Unvalidated[name]; //magic happens here
}
}
Find the complete source code and the explanation in my blog post: https://www.jitbit.com/alexblog/273-aspnet-mvc-allowing-html-for-particular-action-parameters/
在我的博文中找到完整的源代码和解释:https: //www.jitbit.com/alexblog/273-aspnet-mvc-allowing-html-for-particular-action-parameters/
回答by smjhunt
URL Encoding the data works as well for me
URL 编码数据也适用于我
For example
例如
var data = '<b>Hello</b>'
var data = '<b>你好</b>'
In Browser call encodeURIComponent(data) before posting
发布前在浏览器中调用 encodeURIComponent(data)
On Server call HttpUtility.UrlDecode(received_data) to decode
在服务器上调用 HttpUtility.UrlDecode(received_data) 进行解码
That way you can control exactly which fields area allowed to have html
这样你就可以准确控制哪些字段区域允许有 html
回答by Diako Hasani
You Can Use [AllowHtml]To Your Project For Example
例如,您可以将其用于[AllowHtml]您的项目
[AllowHtml]
public string Description { get; set; }
For Use This Code To Class Library You Instal This Package
要使用此代码对库进行类,请安装此包
Install-Package Microsoft.AspNet.Mvc
After Use This using
使用后 using
using System.Web.Mvc;
回答by gdmanandamohon
I have faced this problem during development of a E-Commerce site using NopCommerce, I got this solution by 3 different ways as like the previous answers. But according to the NopCommerce structure I didn't found those three at a time. I have just seen that there they are using just [AllowHtml]and it's working fine except any problem. As previously asked question
我在使用 NopCommerce 开发电子商务网站的过程中遇到过这个问题,我通过 3 种不同的方式获得了这个解决方案,就像之前的答案一样。但是根据 NopCommerce 结构,我没有一次找到这三个。我刚刚看到他们在那里使用 just[AllowHtml]并且它工作正常,除了任何问题。正如之前提出的问题
Personally I don't prefer [ValidateInput(false)]because i's skipping total model entity checking, which is insecure. But if anyone just write have a look here
我个人不喜欢,[ValidateInput(false)]因为我跳过了不安全的总模型实体检查。但如果有人只是写看看这里
[AllowHtml]
public string BlogText {get;set;}
then it just skip only single property, and just allow only particular property and check hardly all other entities. Therefore it seems preferable towards mine.
然后它只跳过单个属性,只允许特定的属性并且几乎不检查所有其他实体。因此,它似乎更适合我的。
回答by jd4w9
In my case, the AllowHtml attribute was not working when combined with the OutputCache action filter. This answersolved the problem for me. Hope this helps someone.
就我而言,当与 OutputCache 操作过滤器结合使用时,AllowHtml 属性不起作用。这个答案为我解决了这个问题。希望这可以帮助某人。
