I can't get the AllowHtml
attribute (used in the DirtySearch
class) to work with the following actions:
public ActionResult NewEntry(string开发者_如何学C searchIndex, string searchString)
{
var model = new SearchResultsModel(loserID, searchIndex, searchString);
return View(model);
}
[HttpPost]
public ActionResult GetSearchResults(DirtySearch dirtySearch)
{
return RedirectToAction("NewEntry", new { searchIndex = dirtySearch.SearchIndex, searchString = dirtySearch.SearchString });
}
I'm receiving the A potentially dangerous Request.Path value was detected from the client (%) error.
I've included the <httpRuntime requestValidationMode="2.0" />
in my Web.config, and put ModelMetadataProviders.Current = new DataAnnotationsModelMetadataProvider();
in the Application_Start
method.
I feel as though I'm overlooking something obvious here.
Do not suppress this error. It seems you have a security problem because of the PATH still having a problem. What is the path (check fiddler so you can see all the request details) taken from: http://blogs.msdn.com/b/marcinon/archive/2010/11/09/mvc3-granular-request-validation-update.aspx
"the granular request validation in MVC 3 only supports turning off validation for Form (and sometimes QueryString). Path will still be validated, as well as the remaining Request collections.
Your module should access the Request values via the System.Web.Helpers.Validation.Unvalidated() method (available in System.Web.WebPages.dll) to get around the default request validation (that's what's being used by the mechanism that allows AllowHtml to work)."
You can probably suppress this error if you put an additional attribute on the httpRuntime
node in your web.config
:
<system.web>
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
</system.web>
But you better read the documentation to understand what security features will be turned off by these settings.
精彩评论