Saturday 28 October 2023

Server returns Internal Server Error / Dangerous Request.Form value

MVC project, been around a long time, massive monolith. I hope I'm missing something here.

I've a form which gets submitted over ajax. It gets to the server, gets stored away, and I go to return an object to the client (basically status & a destination URL).

If there's anything in the form inputs containing illegal characters (HTML-ish) then it gives me the error about fearful data.

  • I've tried putting [AllowHtml] on every single text field of the view model (won't be long-term).
  • I've added [ValidateInput(false)] on the controller method
  • Removed all of the alerts (since it is saving the data).

The stupid thing is that it saves the data. The "dangerous" data makes it to the server and database and back out to the controller method. I can't seem to catch this; I've debugged it to where I ship it from the controller, and then in-browser I get the error.

var form = $(this).parents('form:first').serializeObject();

$.ajax({
    type: "POST",
    url: '@Url.Action("EditAjax", "Item", new {area = "ProjectSupport"})',
    dataType: "json",
    data: form,
    ignoreErrors: true,
    success: function(result) {
        var formData = new FormData($('#editItem')[0]);
        if (result.Errors) {
            //alert(result.Errors);
            $('form').find('a.submit,#saveFormButton1,#saveFormButton2').removeClass('btn-inverse').addClass('btn-primary');
            submitted = false;
        } else {
            formData.append("supportObjectTypeName", result.SupportObjectTypeName);
            formData.append("supportObjectLocalizedID", result.SupportObjectLocalizedID);

            url = result.Url;

            $.ajax({
                type: "POST",
                url: '@Url.Action("UploadAttachments", "Item", new {area = "ProjectSupport"})',
                dataType: "json",
                mimeType: "multipart/form-data",
                contentType: false,
                cache: false,
                processData: false,
                data: formData,
                ignoreErrors: true,
                success: function() {
                    window.location.href = url;
                },
                error: function (xhr, ajaxOptions, thrownError) {
                    //alert(thrownError);
                    //$('form').find('a.submit,#saveFormButton1,#saveFormButton2').removeClass('btn-inverse').addClass('btn-primary');
                    //submitted = false;
                    window.location.href = url;
                }
            });
        }
    },
    error: function(xhr, ajaxOptions, thrownError) {
        alert(thrownError);
        alert(xhr.responseText);
        var fullErrorText = [];
        $.each(xhr.responseJSON, function() {
            fullErrorText.push(this.errors.join());
        });
        alert(fullErrorText.join());
        $('form').find('a.submit,#saveFormButton1,#saveFormButton2').removeClass('btn-inverse').addClass('btn-primary');
        submitted = false;
    }
});

I've used AllowHtml previously and it worked just fine - slap it onto the model and you're good. I've just spent a few hours on this issue, though, and I hope somebody out there's brighter than me on this (I'm certain).

Any thoughts, please?

TLDR:

  • I've tried putting [AllowHtml] on every single text field of the view model.
  • I've added [ValidateInput(false)] on the controller method
  • Removed all of the alerts (since it is saving the data).

I still get an Ajax error about dangerous values.
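
A client-side diagnostic for the failure described above, as an added example that is not part of the original post: it classifies a failed AJAX response and, for an ASP.NET request-validation error page, extracts which request collection and key were rejected. The helper name describeAjaxFailure and the sample responses are constructed for illustration; the JSON error shape is assumed from the post's own error handler.

```javascript
// Added example, not code from the original post.
// ASP.NET's request-validation message names the rejected key after "(".
var VALIDATION_RE =
  /A potentially dangerous Request\.(\w+) value was detected from the client \(([^=]+)=/;

// Classify a failed jQuery AJAX response (hypothetical helper name).
function describeAjaxFailure(xhr) {
  var match = VALIDATION_RE.exec(xhr.responseText || "");
  if (match) {
    // HTML error page: report which collection and which key were rejected.
    return {
      kind: "request-validation",
      collection: match[1],
      field: match[2].trim()
    };
  }
  var json = xhr.responseJSON;
  if (json && typeof json === "object") {
    // JSON payload shaped like { FieldName: { errors: [...] } },
    // the shape the post's error handler iterates over (assumption).
    var errors = [];
    Object.keys(json).forEach(function (key) {
      if (json[key] && Array.isArray(json[key].errors)) {
        errors = errors.concat(json[key].errors);
      }
    });
    return { kind: "model-errors", errors: errors };
  }
  // No recognizable body: fall back to the HTTP status only.
  return { kind: "unknown", status: xhr.status };
}

// Constructed sample responses (not captured from a real server).
var sampleValidation500 = {
  status: 500,
  responseText: "<html><head><title>A potentially dangerous Request.Form " +
    "value was detected from the client (Description=&quot;&lt;b&gt;hi" +
    "&lt;/b&gt;&quot;).</title></head><body></body></html>"
};
var sampleModelErrors = {
  status: 400,
  responseText: '{"Title":{"errors":["Title is required"]}}',
  responseJSON: { Title: { errors: ["Title is required"] } }
};
var sampleEmpty = { status: 0, responseText: "" };

console.log(describeAjaxFailure(sampleValidation500));
```

Called from each error callback, this shows which of the two POSTs was rejected and for which form key, since the second request re-submits the whole #editItem form as FormData.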


