dmtr
0 Points
4 Posts
UpdateFrom and Encoding
Dec 14, 2007 01:36 PM
Hi, I installed MVCToolkit and played with tutorials. I tried to create some Product object (Linq To Sql) in an action method: But encoding for string values in Request.Form didn't happen and I successfully saved javascript code as product name :(
    [ControllerAction]
    public void CreateNew()
    {
        Product prod = new Product();
        prod.UpdateFrom(Request.Form);
        northwind.AddProduct(prod);
        northwind.SubmitChanges();
        .....
    }

What do I need to do to have encoding in UpdateFrom?
SteveSanders...
Member
432 Points
119 Posts
Microsoft
Re: UpdateFrom and Encoding
Dec 14, 2007 02:20 PM
If you need to apply custom logic to the data that's assigned, the current UpdateFrom() method might not be a good approach for you. There isn't a way to control programmatically any encoding or access restrictions (besides passing an array of property names).
It would be nice if, in future, there was an extended version of UpdateFrom() that would take a delegate to call back some custom logic to handle each member. It could look like this:

    using System.Collections.Specialized;
    using System.Reflection;
    using System.Web;

    // Defined by the framework
    public class UpdateMemberData
    {
        public object Value { get; set; }
        public bool AllowUpdate { get; set; }
    }

    public delegate void UpdateMemberDelegate(object targetObject, MemberInfo targetMember, UpdateMemberData data);

    public static void UpdateFrom<T>(this T obj, NameValueCollection values, UpdateMemberDelegate callback) { ... }

    // Called by the user
    myObject.UpdateFrom(Request.Form, delegate(object targetObject, MemberInfo targetMember, UpdateMemberData data)
    {
        switch (targetMember.Name)
        {
            case "SomeProperty":
            case "SomeOtherProperty":
                data.Value = HttpUtility.HtmlEncode((string)data.Value);
                break;
            case "UnprotectedProperty":
                break; // Allow unescaped data
            default:
                data.AllowUpdate = false; // Block access to any other members
                break;
        }
    });

Not really sure how advantageous this is anyway, as some type-safety is lost.
http://blog.codeville.net/
slynch
Member
349 Points
71 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 02:52 PM
How is the javascript getting into the form fields?
dmtr
0 Points
4 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 02:56 PM
I found an acceptable solution (for me :) ):
In the BindingHelpers.cs file of the MVCToolkit solution I added some code to the UpdateFrom method (at line number 100)...
dmtr
0 Points
4 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 02:58 PM
I just entered <script>alert('possible xss');</script> into an input field.
slynch
Member
349 Points
71 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 03:50 PM
Sorry, what you meant was pretty obvious now that I think of it.
You might want to consider adding something like this so it won't be replaced if you update to the next drop of the MVCToolkit:
    using System;
    using System.Collections.Specialized;
    using System.Linq.Expressions;

    namespace System.Web.Mvc.BindingHelpers
    {
        public static class CustomBindingHelperExtentions
        {
            // Runs every form value through the supplied encoder, then hands the
            // encoded copy to the toolkit's own UpdateFrom (with the optional key list).
            public static void UpdateFrom(this object obj, NameValueCollection values, Expression<Func<string, string>> encoder, params string[] keys)
            {
                NameValueCollection encodedValues = new NameValueCollection();
                Func<string, string> encodeFunc = encoder.Compile();
                foreach (string key in values.Keys)
                    encodedValues.Add(key, encodeFunc(values[key]));
                if (keys.Length > 0)
                    obj.UpdateFrom(encodedValues, keys);
                else
                    obj.UpdateFrom(encodedValues);
            }
        }
    }
And then call it like:
    prod.UpdateFrom(Request.Form, c => HttpUtility.HtmlEncode(c));
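The wrapper above hands off to the toolkit's UpdateFrom, which is not shown in this thread. The following is an added, self-contained C# example (not slynch's code and not MVCToolkit's): a minimal reflection-based UpdateFrom stands in for the toolkit's binder (an assumption about how it behaves), the encode-then-bind wrapper sits on top of it with an explicit allow-list of keys, and the whole thing runs against a constructed form post carrying the script payload dmtr typed earlier. The Product class, its properties and the BindingDemo names are invented for the demo.

```csharp
using System;
using System.Collections.Specialized;
using System.Globalization;
using System.Reflection;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework; built in on .NET Core/5+)

// Hypothetical model standing in for the LINQ to SQL Product used in the thread.
public class Product
{
    public string ProductName { get; set; }
    public decimal UnitPrice { get; set; }
    public string QuantityPerUnit { get; set; }
}

public static class BindingDemo
{
    // Minimal stand-in for MVCToolkit's UpdateFrom (assumption: the toolkit's binder is not
    // shown in the thread). Copies form values onto public writable properties whose names
    // match the form keys; an optional key list restricts which properties may be set.
    public static void UpdateFrom(this object target, NameValueCollection values, params string[] keys)
    {
        Type type = target.GetType();
        foreach (string key in values.AllKeys)
        {
            if (key == null)
                continue; // unnamed form field
            if (keys.Length > 0 && Array.IndexOf(keys, key) < 0)
                continue; // not on the allow-list, so it cannot be set from the form
            PropertyInfo prop = type.GetProperty(key, BindingFlags.Public | BindingFlags.Instance);
            if (prop == null || !prop.CanWrite)
                continue; // a form key with no matching property is ignored
            object converted = Convert.ChangeType(values[key], prop.PropertyType, CultureInfo.InvariantCulture);
            prop.SetValue(target, converted, null);
        }
    }

    // Encode-then-bind wrapper in the spirit of slynch's extension: every value passes
    // through the encoder before the binder sees it.
    public static void UpdateFrom(this object target, NameValueCollection values, Func<string, string> encoder, params string[] keys)
    {
        NameValueCollection encoded = new NameValueCollection();
        foreach (string key in values.AllKeys)
            encoded.Add(key, encoder(values[key]));
        target.UpdateFrom(encoded, keys);
    }

    // Binds a product from a form, encoding inbound and allowing only two properties.
    public static Product BindEncoded(NameValueCollection form)
    {
        Product prod = new Product();
        prod.UpdateFrom(form, s => HttpUtility.HtmlEncode(s), "ProductName", "UnitPrice");
        return prod;
    }

    public static void Main()
    {
        // Constructed form post with the payload dmtr typed into the product name field.
        NameValueCollection form = new NameValueCollection();
        form.Add("ProductName", "<script>alert('possible xss');</script>");
        form.Add("UnitPrice", "19.99");
        form.Add("QuantityPerUnit", "<b>10 boxes</b>");

        Product p = BindEncoded(form);
        Console.WriteLine("ProductName:     " + p.ProductName);
        Console.WriteLine("UnitPrice:       " + p.UnitPrice.ToString(CultureInfo.InvariantCulture));
        Console.WriteLine("QuantityPerUnit: " + (p.QuantityPerUnit ?? "(not bound: not on the allow-list)"));
    }
}
```

Running it shows the product name stored as the HTML-encoded string while UnitPrice still converts cleanly (encoding a plain number is a no-op). The allow-list is the second half of what Steve's delegate sketch was after: QuantityPerUnit is posted but never bound, so a form field that happens to share a name with a property nobody intended to expose (an Id or a flag) cannot be set by whoever submits the form.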
robconery
Participant
852 Points
195 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 05:11 PM
Thanks for the feedback - we're going to make two changes to the helpers in the next drop:
1) Encoding will be ON by default
2) There will be an override to turn it off (if you use an RTE for instance)
The other alternative (as you've seen above) is to override what we're doing with your own method for now.
I should have done it this way in the first place :).
shinakuma
Member
378 Points
92 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 05:25 PM
Quick question, I'm a little confused, but why would you want to HtmlEncode an input by default and stuff that into your DomainObject and ultimately into the database? Shouldn't it be the other way around: you HtmlEncode it for display purposes, and store it as is?
robconery
Participant
852 Points
195 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 05:27 PM
It can be either way - but the safest bet is "protect inbound" since you never know where that info will turn up again. For instance if your object is a ProductReview and you forget to encode the output. It happens.
Also - it's not a very expensive operation, but it is string manipulation and therefore has a cost to it. If you encode on every output it can add up and hurt scaling.
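To make the trade-off in this reply concrete, here is an added C# example (not from the thread, and not MVCToolkit code) that stores one constructed review string both ways and renders it through a view that encodes and a view that forgot to. It also shows the side effect of "protect inbound" when the view does encode: the stored text gets encoded twice and the user sees "&lt;script&gt;" literally, which is why a value encoded at bind time has to be decoded before it is re-encoded, searched or compared. All names in the block are hypothetical.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework; built in on .NET Core/5+)

// Added example, not from the thread: compares "protect inbound" with "protect outbound".
public static class EncodingStrategyDemo
{
    // Constructed review text mixing markup with other characters HtmlEncode touches.
    public const string Raw = "<script>alert('possible xss');</script> 5 stars & counting";

    // "Protect inbound": HTML-encode once at bind time and store the result.
    public static string StoreEncoded(string input)
    {
        return HttpUtility.HtmlEncode(input);
    }

    // "Protect outbound": store exactly what was typed; the view is responsible for encoding.
    public static string StoreRaw(string input)
    {
        return input;
    }

    // A view that remembers to encode.
    public static string RenderEncoded(string stored)
    {
        return "<td>" + HttpUtility.HtmlEncode(stored) + "</td>";
    }

    // A view that forgot to encode (the case described in the reply above).
    public static string RenderForgotten(string stored)
    {
        return "<td>" + stored + "</td>";
    }

    // Strips the <td> wrapper the view added so only the user-controlled part is inspected.
    private static string Inner(string html)
    {
        return html.Substring(4, html.Length - 9);
    }

    // True if a '<' from user data survived into the markup, i.e. the browser would parse a tag.
    public static bool ContainsRawTag(string html)
    {
        return Inner(html).Contains("<");
    }

    // True if the text the browser displays equals what the user typed (no double encoding).
    public static bool DisplaysOriginalText(string html)
    {
        return HttpUtility.HtmlDecode(Inner(html)) == Raw;
    }

    public static void Report(string label, string html)
    {
        Console.WriteLine("{0,-36} raw tag in page: {1,-5} shows original text: {2}",
            label, ContainsRawTag(html), DisplaysOriginalText(html));
    }

    public static void Main()
    {
        string encodedAtBind = StoreEncoded(Raw);
        string rawStored = StoreRaw(Raw);

        // Inbound encoding covers the forgotten view: no tag reaches the browser.
        Report("inbound, view forgot", RenderForgotten(encodedAtBind));
        // Inbound encoding plus a view that also encodes: safe, but the text is shown double-encoded.
        Report("inbound, view encodes", RenderEncoded(encodedAtBind));
        // Raw storage with a forgotten view: the script tag reaches the page.
        Report("outbound, view forgot", RenderForgotten(rawStored));
        // Raw storage with an encoding view: safe and displays the original text.
        Report("outbound, view encodes", RenderEncoded(rawStored));
        // Fix for the double encoding: decode the bind-time value before the view encodes it.
        Report("inbound, decoded, view encodes", RenderEncoded(HttpUtility.HtmlDecode(encodedAtBind)));
    }
}
```

The two checks are the ones worth wiring into a test suite if you adopt either strategy: ContainsRawTag catches the forgotten-output case Rob describes, and DisplaysOriginalText catches the double-encoding that "protect inbound" produces once every view encodes by default. HtmlEncode only covers an HTML element context; a value dropped into a script block or an attribute needs that context's own encoding regardless of which side you encode on.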
dmtr
0 Points
4 Posts
Re: UpdateFrom and Encoding
Dec 14, 2007 06:08 PM
Thank you, it's the best solution for now