I need to allow users to submit a form value containing html in their text inputs. This is an internally-facing application so it's reasonably safe to do so. I have succesfully used the
[ValidateInput(false)]
attribute on the method in question, but this inhibits all model validation for the method/view model in question, but I only want to allow html in one of the TextBoxes and do not necessarily wish to write my own guard clauses for every other piece of model validation in the same method/view model, when I could would prefer to continue using Data Annotations for all of the other properties in the view model.
It's too bad I cannot apply the [ValidateInput(false)] to only a single property of my viewmodel. I would assume that I need to override mvc's default model validation, but I cannot find any documentation on how to do so. Every search yields results describing only how to write my own custom validation attributes, which isn't correct for the problem I'm trying to solve.
Thanks!
You would have to upgrade your aplication to ASP.NET MVC 3. There you have AllowHtmlAttribute, which you can use to disable input validation on property level. ASP.NET MVC 3 is backward compactible with ASP.NET MVC 2 so the upgrade should be easy.
Related
I was browsing the typo3 core Forms framework documentation but with no relevant answer to my requirements which are:
The form has to be displayed in a frontend overlay.
The filling process involves multiple steps where the user would be able to go back and forth.
The form fields must still be editable by a redactor.
I'm not sure about how the form framework behaves, so far I remember I think that multiple steps are configurable from the backend module but I don't know if it sends request to the controller after each step or if it sends everything only on submit.
I have an idea about how to implement it though, it's based on this question how to get a typo3 form framework html via ajax. Which would just let me provide the whole html content to the frontender and let him split the whole form into steps. The separation would be based on the addition of some special tags via the editor that would surround the fields you want in each step.
What do you think about that approach?
The form framework proceeds each form step seperately. So without developing your own form runtime, you have to keep proceeding every step seperate.
I see two possibilities:
1. Send each form step from frontend to the form controller and replace the response (html form) in the frontend.
That is the fast and easy way, as you use the existing form runtime.
Prepare a page which returns the rendered form as html
Fetch this page by JavaScript
Send the form data back to the given form action
The form controller proceeds the form with all its validators, rules and finishers and returns the next step, previous step, the current step with existing errors or the finishers response on success
Replace your form in the frontend with the already rendered html response of the form framework
The advantage of this way: Less effort and you can rely on the already existing validators, as you get an already validated response.
The disadvantage of this way --> it is more difficult to implement frontend validation, as you have a mix between frontend and server side validation.
2. Make the form framework kind of headless and work json based
In my opinion the better approach, but with a lot more effort to take.
You have to extend / overwrite the controller and the form runtime. This allows you more flexibility in handling the form by JavaScript and e.g. return the errors in a json object. It makes life easier when you want the form render and handle with a JS framework like react or vue.
To your question:
What do you think about that approach?
If I got it right, you want to keep ONE form step in the backend, but let the editor divide this form step into multiple steps by adding tags? You can try, but I don't see any real advantage in keeping the original form steps and proceed every step by sending the step to the controller and handle the response (like mentioned in 1.)
Summary:
In the past, I was thinking a lot about handling forms by JavaScript and came to the conclusion:
Keep the form framework's behaviour completely untouched with server side processing or make it frontend driven, with an own runtime. All mixtures between client and server side rendering will sooner or later run into bigger problems or at least a high effort. The form framework is pretty complex with a lot of possibilities, hook driven behaviour, etc. From my experience, you have to know it pretty good to develop without loosing control. In smaller projects with just one or two basic forms, I would try to avoid special cases with lots of JS. In bigger projects (with more budget), I would definitely go with my second mentioned approach (currently, I'm developing vue.js based rendering and handling of the form frontend). But these are just my five cents...
Is there a way (using JQuery or Java Script) to force an MVC2 form to perform validation on it's fields with Data Annotation validation without posting back to the server?
I have a MVC2 form that is quite complex. Many of the fields are hidden or displayed depending on other selections. Given this, some of the fields are validated using Data Annotations and some are validated using custom JQuery.
In the case that one of the fields with custom validation fails it's validation I wish to prevent the form from posting back however this stops any of the fields with Data Annotation Validation from working.
Thanks.
IMHO mixing jquery validate with MSAjax is a bad thing. For complex forms with many custom validation rules I would recommend using only jquery validate and on the server a more powerful validation framework than DataAnnotations such as FluentValidation.NET which works nicely with ASP.NET MVC.
Overview
I have a payment page where I allow the user to select a payment method, either credit card or check. I have a form for each of these payment methods. I did not want to create a separate page for each of these methods for UI purposes, so I use a [div] for each form and toggle their display with jQuery.
Problem
Each of the payment methods has its own set of validation rules. I want to be able to apply model validation to only the payment method that was selected and submitted by the user. In order to do validation, I am required to POST to the same controller action, so submitting to different actions is not an option.
Approaches
I have considered the following approaches:
Partial Validation based on incoming values, as described here: http://blog.stevensanderson.com/2010/02/19/partial-validation-in-aspnet-mvc-2/. My issue with this approach is the security implication, and as this is a relatively small app, I don't have a separate domain layer as the author of the article suggests.
Create separate models for each payment method, and then overload the controller [HttpPost] action with a different model parameter. I tried this but the compiler complains that the action is ambiguous, even though I have something like this
[HttpPost]
public ActionResult Pay(CreditCardPaymentModel model) {...}
[HttpPost]
public ActionResult Pay(CheckPaymentModel model) {...}
Use separate controller actions to handle the individual form posts and use TempData to set the validation messages and redirect back to the form page to display the messages. I really don't like this option as it feels clunky, and I don't like using TempData for anything other than simple messages.
I would welcome any suggestions on the best way to handle such a situation cleanly and efficiently.
I would go with option 2, as it gives you a nice, clean separation between payment models and concrete model classes (I always go for strongly typed solutions).
Option 2 will also be easy to unit test...
I'd go for the strategy 3.
When you toggle form views with jQuery you can also replace the post url of the form. This way it can easily be handled by different controller methods each with their own validation logic.
One other option (not the one I like) is to create a merged model for both payment option. Upon instantiation of that model you can probably easily distinguish what form was active. Or you can also set some hidden value with jQuery to indicate the active form view.
P.S. With #2 it is difficult to tell which model instantiation will work out until the framework attempts to instantiate one and if it fails another. This is not quite straightforward and the framework was not built to be that intelligent and bring some initiative into the process.
I'd like to use the new client side validation features in MVC 2 but I have a particular view that just has a couple textboxes on it and I don't want to create a strongly typed model for it. Can someone describe how to leverage the validation goodness in MVC 2 w/o a strongly typed model?
I don’t think it can be done as client side validation uses Data Annotations in the System.ComponentModel.DataAnnotations namespace. To my knowledge you have to bind this to an object. I would suggest looking at a jquery solution.
I'm finding it hard to find out helpful information about ASP.NET MVC's validation HTML helpers - Html.Validate and Html.ValidateFor.
Has anyone worked with these methods? what are they for?
see this post for an answer
If there are situations where you
don't actually want a validation
message to visually appear for each
field (i.e. by using
Html.ValidationMessage), but would
rather allow a summary to be the sole
source of validation error messages
(i.e. by using
Html.ValidationSummary), you still
need some way to "trigger" the
validation to occur for the specific
fields you want it to.
This can be achieved by using the
Html.Validate/Html.ValidateFor<>
methods within your view. Those
helpers won't render anything, but
will simply register the specified
field for client-side validation.