asp.net mvc 自定义模型绑定 有潜在的Requset.Form
自定义了一个模型绑定器。前端会传过来一些敏感字符。调用bindContext. valueProvider.GetValue(key) 则会报错 说 有潜在的从客户端中检测到有潜在危险的 Request.QueryString 值
百度谷歌都没有找到相关答案
MVC自带的默认绑定器(DefaultModelBinder)在action方法打上[ValidateInput(false)]或则在跳过验证的字段上打上[AllowHtml] 特性则可以跳过敏感字符验证
下载MVC4源码发现 他在获取的其中一个绑定方法
public virtual object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) { EnsureStackHelper.EnsureStack(); if (bindingContext == null) { throw new ArgumentNullException("bindingContext"); } bool performedFallback = false; if (!String.IsNullOrEmpty(bindingContext.ModelName) && !bindingContext.ValueProvider.ContainsPrefix(bindingContext.ModelName)) { // We couldn't find any entry that began with the prefix. If this is the top-level element, fall back // to the empty prefix. if (bindingContext.FallbackToEmptyPrefix) { bindingContext = new ModelBindingContext() { ModelMetadata = bindingContext.ModelMetadata, ModelState = bindingContext.ModelState, PropertyFilter = bindingContext.PropertyFilter, ValueProvider = bindingContext.ValueProvider }; performedFallback = true; } else { return null; } } // Simple model = int, string, etc.; determined by calling TypeConverter.CanConvertFrom(typeof(string)) // or by seeing if a value in the request exactly matches the name of the model we're binding. // Complex type = everything else. if (!performedFallback) { bool performRequestValidation = ShouldPerformRequestValidation(controllerContext, bindingContext); ValueProviderResult valueProviderResult = bindingContext.UnvalidatedValueProvider.GetValue(bindingContext.ModelName, skipValidation: !performRequestValidation); if (valueProviderResult != null) { return BindSimpleModel(controllerContext, bindingContext, valueProviderResult); } } if (!bindingContext.ModelMetadata.IsComplexType) { return null; } return BindComplexModel(controllerContext, bindingContext); }
红色处发现他在获取参数之前获得一个bool值,
点开看看这个方法
private static bool ShouldPerformRequestValidation(ControllerContext controllerContext, ModelBindingContext bindingContext) { if (controllerContext == null || controllerContext.Controller == null || bindingContext == null || bindingContext.ModelMetadata == null) { // To make unit testing easier, if the caller hasn't specified enough contextual information we just default // to always pulling the data from a collection that goes through request validation. return true; } // We should perform request validation only if both the controller and the model ask for it. This is the // default behavior for both. If either the controller (via [ValidateInput(false)]) or the model (via [AllowHtml]) // opts out, we don't validate. return (controllerContext.Controller.ValidateRequest && bindingContext.ModelMetadata.RequestValidationEnabled); }
//看注释好像发现了什么 让我们通过打特性 来跳过验证
.发现他的getValue 有个重载 如果传入true则可以跳过验证
高兴的回去改自己的代码 发现bindContext.valueProvider的值提取器是接口类型System.Web.Mvc.ModelBindingContext.ValueProvider 他是没有重载方法的
看看这个东东ValueProviderResult valueProviderResult = bindingContext.UnvalidatedValueProvider.GetValue(bindingContext.ModelName, skipValidation: !performRequestValidation); 的UnvalidatedValueProvider到底是什么
public IValueProvider ValueProvider { get; set; } internal IUnvalidatedValueProvider UnvalidatedValueProvider { get { return (ValueProvider as IUnvalidatedValueProvider) ?? new UnvalidatedValueProviderWrapper(ValueProvider); } }
看到这里 回头修改自己的代码吧
//如果是基本类型 直接在值提供器中拿值绑定 if (property.PropertyType.IsValueType || property.PropertyType == typeof (string)) { var newkey = property.Name; if (Regex.IsMatch(key, @"\[\w*\]")) { newkey = key + "[" + newkey + "]"; } var value = bindingContext.ValueProvider.GetValue(newkey); if (value == null) { //再尝试获取一次 var valueProvider = (bindingContext.ValueProvider as IUnvalidatedValueProvider); newkey = key + "[" + newkey + "]"; value = valueProvider.GetValue(newkey,true); }
当然这么做还是不严谨的 我们需要也像defualtModelBind一样 通过特性来标示是否跳过验证。而不是所有使用模型绑定的action请求都跳过验证
1062
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
