.NET MVC3 HttpRequestValidation & JSON
I'm new to MVC3 framework (and .NET overall; Java veteran), so bear with me, but here goes:
Input submitted to a Controller as JSON doesn't seem to be subject to the HttpRequestValidation -- Does that sound right?
I realize if you're receiving data input via JSON you're possibly already doing more work with it, but the Controller Action doesn't seem to necessarily know whether it has JSON data at that point; input values are mapped to parameters just as they would be if they were standard POST params.
Example - I'm asynchronously submitting JSON data to my Controller like the following:
    var data = {
        "title": $titleField.val(),
        "content": $textArea.val(),
        "location": $location.val()
    };
    $.ajax(submitUrl, {
        type: "POST",
        contentType: "application/json; charset=utf-8",
        complete: function (data) {
            //blah blah
        },
        dataType: 'json',
        // Body is sent as a JSON string rather than form-encoded fields
        data: JSON.stringify(data)
    });
I then receive the input in my Action:
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult New(string title = "", string content = "", string location = "")
    {
        //yada yada
    }
Doing this, params are mapped and the user can easily send tags, etc. I'm not turning ValidateInput off, and if I submit with a standard POST and remove the Stringify, it throws the error as expected. Any good reason why JSONified data would skip validation?
Edit - More specific question: If JSONified data will pass HttpRequestValidation, how can we protect against the event where someone would intentionally mock a request to send JSON data instead of post params? I haven't found a way to force the Action method to differentiate between params passed as JSON vs. those passed non-encoded.
Comments (2)
Got an answer for my question over on asp.net - See 2nd response.
Solution involves replacing the default ModelBinder.
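One way the model-binder replacement mentioned in the comment above could look, as an added example that is not code from this thread or from the linked asp.net answer. The class name JsonValidatingModelBinder and the LooksDangerous helper (a simplified stand-in for ASP.NET's built-in request validation rule) are assumptions.

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Added example (hypothetical class name), not from the thread.
public class JsonValidatingModelBinder : DefaultModelBinder
{
    public override object BindModel(ControllerContext controllerContext,
                                     ModelBindingContext bindingContext)
    {
        string contentType = controllerContext.HttpContext.Request.ContentType ?? "";
        bool isJson = contentType.StartsWith("application/json",
                                             StringComparison.OrdinalIgnoreCase);

        // Respect [ValidateInput(false)] on the action and [AllowHtml] on the property.
        bool validate = controllerContext.Controller.ValidateRequest
                        && bindingContext.ModelMetadata.RequestValidationEnabled;

        if (isJson && validate)
        {
            ValueProviderResult result =
                bindingContext.ValueProvider.GetValue(bindingContext.ModelName);
            string raw = result == null ? null : result.RawValue as string;
            if (raw != null && LooksDangerous(raw))
            {
                throw new HttpRequestValidationException(
                    "Potentially dangerous value in JSON field '"
                    + bindingContext.ModelName + "'.");
            }
        }
        return base.BindModel(controllerContext, bindingContext);
    }

    // Simplified stand-in (assumption) for the built-in check: flags "<" followed
    // by a letter, "!", "/" or "?", and the sequence "&#".
    private static bool LooksDangerous(string s)
    {
        for (int i = 0; i + 1 < s.Length; i++)
        {
            char c = s[i], next = s[i + 1];
            if (c == '&' && next == '#') return true;
            if (c == '<' && (char.IsLetter(next) || next == '!'
                             || next == '/' || next == '?')) return true;
        }
        return false;
    }
}

// Register once in Application_Start (Global.asax.cs):
//   ModelBinders.Binders.DefaultBinder = new JsonValidatingModelBinder();
```

Because the binder is installed as the default, it also runs for each string property of a complex model bound from a JSON body, not only for simple action parameters such as title, content and location.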
JSON is encoded => so it ensures that what transits over the wire is safe. When you use JSON.stringify all dangerous characters are encoded.