我将 MVC 3 模型绑定与 JQuery serializer() 结合使用来编辑表单中的一些数据。一切正常,除非我的数据中有一些“url 编码”(不知道更好的术语)文本。这些数据之所以存在,是因为我使用富文本编辑器,就像我现在使用的那样。
$.post("/controller/submit", $("form").serialize(), function (r) {....}
我的控制器就像
[HttpPost]
public ActionResult Confirm(MyViewModel model)
{
return PartialView(model);
}
一些会导致问题的数据看起来像这样
地点=dasd&StartDate=5-sep-2011&startTime=0%3A00&endTime=0%3A00&EndDate=6-sep-2011&Title=Hello&Descriptio n=%3Cstrong%3Ebold+mother%3C%2Fstrong%3E&Pricing=&BuyTicketsUrl=&CategoryId=1&Url=&Bid=0&MaximumExpense=0
您可以看到描述中有类似 %3Cstrong%3E 的内容,因为它是一个带有一些 html 编码文本的序列化文本框。我可以使用默认模型绑定器来获取 html,还是可以更改 JQuery 序列化表单的方式?或者我应该使用 JSON 来代替?
I am using MVC 3 model binding in combination with JQuery serializer() to edit some data in a form. All is working well except when I have some 'url-encoded' (don't know a better term) text in my data. This data is there because I use a rich text editor just like the one I use now.
$.post("/controller/submit", $("form").serialize(), function (r) {....}
And my controller is like
[HttpPost]
public ActionResult Confirm(MyViewModel model)
{
return PartialView(model);
}
Some data that will cause problems looks like this
Venue=dasd&StartDate=5-sep-2011&startTime=0%3A00&endTime=0%3A00&EndDate=6-sep-2011&Title=Hello&Description=%3Cstrong%3Ebold+mother%3C%2Fstrong%3E&Pricing=&BuyTicketsUrl=&CategoryId=1&Url=&Bid=0&MaximumExpense=0
You can see that the description has stuff like %3Cstrong%3E because it is a serialized textbox with some html encoded text. Can I get the default model binder to just get the html or can I change the way JQuery serializes the form? Or should I use JSON instead?
发布评论
评论(1)
.serialize()方法执行其应该执行的操作。您无需在客户端执行任何其他操作。问题是服务器将拒绝此输入。您可以使用 Description 属性rel="nofollow">[AllowHtml]属性:现在默认模型绑定器将很乐意分配此值。现在,因为一些恶意用户可能决定对您的网站做一些令人讨厌的事情,如果您打算显示此 HTML 未编码,请确保通过 反Xss。如果您总是要显示 HTML 编码的值,那么您就非常安全 =>只需将其按原样存储在数据库中并通过 HTML 编码显示即可。
The
.serialize()method does what it is supposed to do. There is nothing else you need to do on the client side. The problem is the server that will reject this input. You could decorate yourDescriptionproperty on the view model with the[AllowHtml]attribute:Now the default model binder will be happy to assign this value. Now because some malicious user can decide to do nasty things to your site if you ever intend to show this HTML unencode make sure you pass it through AntiXss. If you are always going to display this value HTML encoded then you are pretty safe => simply store it as is in the database and display by HTML encoding.