
ASP.NET MVC: Why does ValidateInput(false) work only when the postback action and controller are explicit on the form?

The whole weekend, I've been learning how to use TinyMCE with ASP.NET MVC. I was getting the XSS error ("A potentially dangerous Request.Form value was detected from the client(...)").

To deal with that, I was advised to use the [ValidateInput(false)] attribute to release the checking, but without success. Until, by accident, I did a postback to a different action method (i.e. not the one that displayed the view containing the TextArea control), so I had to make both the action and the controller explicit. IT WORKED. So I tried to explicitly declare the BeginForm for the first case, and then IT WORKED AGAIN.

The question is WHY

<% using (Html.BeginForm()) { %>

or

<% using (Html.BeginForm("WriteArticle")) { %>

both did not work.

<% using (Html.BeginForm("WriteArticle", "ArticleManagement")) { %>

This one worked.

So, why didn't the famous "Convention over configuration" work?

EDIT

[ValidateInput(false)]
public class ArticleManagementController : Controller
{
  protected override void OnActionExecuting(ActionExecutingContext filterContext)
  {
    // Here the model is created and updated
  }

  public ActionResult WriteArticle()
  {
    // Here's the method that displays the View containing the TinyMCE editor
    return View();
  }

  // There are more action methods
}

Thanks for helping.


Html.BeginForm() does one thing. It generates HTML. So if one overload works and the other does not, then they are generating different HTML. View source of the rendered page. They will be different. This is most likely tied to your routing or your view execution path, but it's hard to be sure without seeing the HTML and your code. The important point is this: When your server reacts differently, you are almost certainly sending it a different request. View Source and Firebug's Net panel are the two tools you should start with.
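An added example, not code from the question or the answer: the controller in the question puts [ValidateInput(false)] on the whole class, which turns request validation off for every action in it. The sketch below scopes the attribute to the one POST action that receives the TinyMCE content and encodes the markup before it is rendered. The `body` parameter name, the `ViewData` key and the allowed-tag list are assumptions made for illustration.

```csharp
using System.Web;
using System.Web.Mvc;

public class ArticleManagementController : Controller
{
    // Attribute-free tags that may be rendered as markup (assumed list).
    // Anything else, including tags carrying attributes, stays encoded.
    private static readonly string[] AllowedTags =
        { "p", "b", "i", "em", "strong", "ul", "ol", "li" };

    // GET: displays the view with the editor. Request validation stays on.
    [AcceptVerbs(HttpVerbs.Get)]
    public ActionResult WriteArticle()
    {
        return View();
    }

    // POST: the only action that accepts raw markup from the client.
    // "body" is a hypothetical name for the textarea's form field.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult WriteArticle(string body)
    {
        // The view may write this value without encoding it a second time.
        ViewData["Body"] = ToSafeHtml(body);
        return View();
    }

    // Encode everything first, then restore only exact matches of the
    // allowed tags. Input that already contains "&lt;b&gt;" is encoded to
    // "&amp;lt;b&amp;gt;" and therefore never matches a replacement.
    private static string ToSafeHtml(string raw)
    {
        string encoded = HttpUtility.HtmlEncode(raw ?? string.Empty);
        foreach (string tag in AllowedTags)
        {
            encoded = encoded
                .Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return encoded.Replace("&lt;br /&gt;", "<br />");
    }
}
```

Markup that TinyMCE emits with attributes (for example a styled paragraph) is shown as literal text under this allow-list, which is the safe failure mode.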
