
ASP.NET MVC3 RC2 <AllowHtml()> not working

Developer https://www.devze.com 2023-01-29 19:48 Source: Internet

I've got my input decorated as follows.

<AllowHtml()>
<UIHint("MarkDown")>
<DisplayName("about")>
<Required(ErrorMessage:="Description is required")>
<StringLength(2048, ErrorMessage:="Description is too long")>
Public Property Description As String

My editor template looks like this

@ModelType String

<noscript><h3>Please use @Html.ActionLink("Markdown", "Markdown", "About") to style your input.</h3></noscript>
<div id="wmd-button-bar" class="wmd-panel"></div>
@Html.TextArea("", Model, 5, 10, New With {.id = "wmd-input", .class = "wmd-panel"})
<div id="wmd-preview" class="wmd-panel"></div>
<div class="clear"></div>

and when I try and intentionally submit a <script> tag, I get the YSOD

A potentially dangerous Request.Form value was detected from the client (Description="... here. <script>

var a = b;...").

My question: how do I make this work?

EDIT

Here's the controller Action Method

''# fix stack overflow code coloring
''# <AcceptVerbs(HttpVerbs.Post)>
Function Edit(ByVal user As Domain.User, ByVal id As Integer) As ActionResult
    If AuthenticationHelper.RetrieveAuthUser.ID = id Then
        If Not user.RegionID.HasValue Then ModelState.AddModelError("UserRegion", "Invalid region selected")

        ''# We only want to process the View Data if the state of the
        ''# Model is valid.  If it's not valid, we send the user back to
        ''# the View with some validation instructions.  This really only
        ''# happens if the user has JavaScript disabled because we're also
        ''# using Client Side validation for a friendlier user experience.
        If ModelState.IsValid Then

            ''# We want to update the user record before we expire and
            ''# re-issue the authentication cookie so that the new data
            ''# will be issued to the new authcookie.
            UserService.UpdateUser(user)
            UserService.SubmitChanges()

            ''#Expire the cookie and recreate it


            ''# when all is said and done, send the user
            ''# back to their profile page.
            Return RedirectToAction("Details", "Users", New With {.id = id, .slug = user.UserName.ToUrlFriendlyString})
        Else
            Return View(user)
        End If
    Else
        Throw New ResourceNotFoundException()
    End If
End Function

Here's the stack trace

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (Description="... here.
<script>
var a = b;...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +322
   Microsoft.Web.Infrastructure.DynamicValidationHelper.<>c__DisplayClass12.<ReplaceCollection>b__d(String value, String key) +77
   Microsoft.Web.Infrastructure.DynamicValidationHelper.LazilyEvaluatedNameObjectEntry.ValidateObject() +89
   Microsoft.Web.Infrastructure.DynamicValidationHelper.LazilyValidatingHashtable.get_Item(Object key) +55
   System.Collections.Specialized.NameObjectCollectionBase.FindEntry(String key) +20
   System.Collections.Specialized.NameValueCollection.GetValues(String name) +8
   System.Web.Mvc.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) +20
   System.Web.Mvc.<>c__DisplayClass4.<.ctor>b__0() +17
   System.Lazy`1.CreateValue() +361
   System.Lazy`1.LazyInitValue() +9591042
   System.Lazy`1.get_Value() +89
   System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) +64
   System.Web.Mvc.ValueProviderCollection.GetValueFromProvider(IValueProvider provider, String key, Boolean skipValidation) +55
   System.Web.Mvc.<>c__DisplayClass9.<GetValue>b__4(IValueProvider provider) +34
   System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +151
   System.Linq.WhereSelectEnumerableIterator`2.MoveNext() +177
   System.Linq.Enumerable.FirstOrDefault(IEnumerable`1 source) +4187840
   System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) +265
   System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +386
   System.Web.Mvc.DefaultModelBinder.GetPropertyValue(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor, IModelBinder propertyBinder) +17
   System.Web.Mvc.DefaultModelBinder.BindProperty(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor) +400
   System.Web.Mvc.DefaultModelBinder.BindProperties(ControllerContext controllerContext, ModelBindingContext bindingContext) +94
   System.Web.Mvc.DefaultModelBinder.BindComplexElementalModel(ControllerContext controllerContext, ModelBindingContext bindingContext, Object model) +55
   System.Web.Mvc.DefaultModelBinder.BindComplexModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +1357
   System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +452
   System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +320
   System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +116
   System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +345
   System.Web.Mvc.Controller.ExecuteCore() +115
   System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +94
   System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +10
   System.Web.Mvc.<>c__DisplayClassb.<BeginProcessRequest>b__5() +37
   System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +21
   System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +12
   System.Web.Mvc.Async.WrappedAsyncResult`1.End() +55
   System.Web.Mvc.<>c__DisplayClasse.<EndProcessRequest>b__d() +47
   System.Web.Mvc.SecurityUtil.<GetCallInAppTrustThunk>b__0(Action f) +7
   System.Web.Mvc.SecurityUtil.ProcessInApplicationTrust(Action action) +23
   System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +59
   System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
   System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +310
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +163


Thanks for the report. This is another manifestation of a caching bug described at http://forums.asp.net/p/1632006/4206895.aspx. The workaround steps are the same; from within Global.asax Application_Start, put this line of code:

ModelMetadataProviders.Current = new DataAnnotationsModelMetadataProvider();

This will disable the errant cache.
