While using
return Json(educationModel, JsonRequestBehavior.AllowGet);
Where educationModel is the object of the controller which I am using.
But I am getting a security issue, shown below:
"The method sends unvalidated data to a web browser, which can result in the browser executing malicious code".
I understand it is because of "Cross-site scripting (XSS) vulnerabilities".
I am using MVC 3.0 with Framework 4.0.
Can anyone give me the solution for this? How do I fix this?
Thanks in advance
Can anyone save some of my hair? :)
I'm trying to create an asp.net WEB API interface for an older CSLA (1.x/2.x era) project. I am testing by hard coding the login on every request in various ways (once in the startup code, as an authorization request filter, inside the individual route request etc etc). All the ways I tried work exactly once perfectly and then I get the infamous:
'Default principal object cannot be set twice.'
exception in BusinessPrincipal.vb (yeah I know it's very old, but it's released software, I can't upgrade CSLA)
I know that there is an issue where you need to set HttpContext.Current.User = Thread.CurrentPrincipal; due to some internal workings of the web API and I do that already, that has not resolved the issue.
I'd like to know if anyone has implemented a web api front end and how they handled this issue or any pointers as to what could be the solution.
Worst case scenario: if I could at least just log in once and keep that same principal without losing it, I could implement a second layer of security; that would be acceptable. Barring anything else, is there some way to just log in once and not lose that principal?
That BusinessPrincipal class would be in your code base, not in CSLA itself. The Csla.Security namespace does include a BusinessPrincipalBase that is probably the base class for your BusinessPrincipal.
Classes in that namespace are here on GitHub.
It is true that you can only call AppDomain.SetPrincipalPolicy one time, but you should be able to set the Thread.CurrentPrincipal and HttpContext.Current.User multiple times.
This article suggests it was possible, or in the works, with some code that suggests it can be done, but I can't figure out what code needs to happen or the WcfTestClient's uri needs to be.
Here's the code from the article that makes me think I can do it:
// Metadata routes to support $metadata and code generation in the WCF Data Service client.
configuration.Routes.MapHttpRoute(
    ODataRouteNames.Metadata,
    "$metadata",
    new { Controller = "ODataMetadata", Action = "GetMetadata" }
);
Is this feature implemented?
No, it does not work as you intend. WCF Test Client supports talking to SOAP-based services. OData is not supported in the current version.
Granted, as #Snixtor mentioned, you could create a SOAP service using ASP.NET Web API, including support for metadata (WSDL). But I really don't know of any good reason why anyone would want to do that.
I am not using any of the asp.net Authentication in my code. It is handled by an outside library. I get back a success or failure from the function, so all the work is done for me. Could I get some examples of how I would implement this in MVC3? I know a little; I have had 2 weeks of experience.
Thanks.
AuthFunction("UserName", "password");
You need to implement your own MembershipProvider. The ValidateUser method will use AuthFunction method from your library.
This tutorial should be good. Just skip the repository things because those are already implemented by your library. Carefully check the configuration section at the bottom of the tutorial.
I am trying to access a text file in an asp.net mvc3 test project; the common way I know to access it is through the HttpContext class, like this:
HttpContext.Current.Server.MapPath("Temp.txt");
But it returns "Current" as null!
After a little search I found a few reasons for Current being null; in my case it is, I guess, because I am using a route handler to route requests.
But not getting the way to do it for my case.
Can anyone help me on that?
HttpContext is not available in a test context, only in a web environment. You need an HttpContext stub. Avoid this direct dependence.
http://vkreynin.wordpress.com/2009/03/23/stub-htttpcontext/
I've read David Hayden's great post on MVC 3 Remote validation.
However, it presents what you should do to enable remote (JavaScript) validation. If the user has JavaScript disabled the post would still be made even if the data is not valid. Therefore server-side validation should also occur.
How could we make this check as DRY (Don't Repeat Yourself) as possible? Of course, including the same check code in the post action as in the remote validation action (or just the same call) can work but I am wondering if a one-liner or something more elegant is available.
Perfectly acceptable answers include "no, it can't be done". :)
See my MSDN article How to: Implement Remote Validation in ASP.NET MVC
I use the remote client validation code in the HttpPost Create method to test server side when JavaScript is disabled.
[HttpPost]
public ActionResult Create(CreateUserModel model) {
    // Verify user name for clients who have JavaScript disabled
    if (_repository.UserExists(model.UserName)) {
        ModelState.AddModelError("UserName", ValidationController.GetAltName(model.UserName, _repository));
        return View("Create", model);
    }
    // ... remaining create logic (user is saved here)
    return RedirectToAction("Index");
}
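One way to keep the rule in a single place, as an added example that is not from the MSDN article or the answer above: a static UserNameRules.Check method is called both by the remote validation endpoint (the one [Remote] points at) and by the HttpPost action, so a client with JavaScript disabled hits exactly the same check. IUserRepository, UserNameRules, ValidationController and UsersController are assumed names standing in for the answer's _repository and controllers.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Assumed repository abstraction standing in for the answer's _repository.
public interface IUserRepository { bool UserExists(string userName); }

public class CreateUserModel
{
    // Client side: unobtrusive validation calls /Validation/IsUserNameAvailable.
    [Remote("IsUserNameAvailable", "Validation")]
    public string UserName { get; set; }
}

// The single place the rule lives; both entry points below call it.
public static class UserNameRules
{
    // Returns null when the name is acceptable, otherwise the error message.
    public static string Check(string userName, IUserRepository repository)
    {
        if (string.IsNullOrWhiteSpace(userName)) return "User name is required.";
        return repository.UserExists(userName) ? "User name is already taken." : null;
    }
}

public class ValidationController : Controller
{
    private readonly IUserRepository _repository;
    public ValidationController(IUserRepository repository) { _repository = repository; }

    // Remote endpoint: JSON true means valid; a JSON string is shown as the error.
    public JsonResult IsUserNameAvailable(string userName)
    {
        string error = UserNameRules.Check(userName, _repository);
        object result = error == null ? (object)true : error;
        return Json(result, JsonRequestBehavior.AllowGet);
    }
}

public class UsersController : Controller
{
    private readonly IUserRepository _repository;
    public UsersController(IUserRepository repository) { _repository = repository; }

    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Create(CreateUserModel model)
    {
        // Server side: the same rule runs whether or not the browser ran JavaScript.
        string error = UserNameRules.Check(model.UserName, _repository);
        if (error != null) ModelState.AddModelError("UserName", error);
        if (!ModelState.IsValid) return View("Create", model);
        return RedirectToAction("Index");
    }
}
```

Because the endpoint returns a JSON string rather than markup, the error text reaches the page as data, which is the property the scanner complaint in the first question above is asking about.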
It 'can' be done, but you would need to write your own custom attribute that basically emits for the client side and is validated server side. For me, I just extract the validation code into a method and check it on the server.
Something similar came up recently as well:
Prevent form from submitting when using unobtrusive validation in ASP.NET MVC 3
I wonder if one couldn't inherit from the remote attribute and add their own server-side code to it. Hmm, maybe I'll have to try this.
I would be happy though if someone here said they already did this : )
I have done this, it's a bit of a long solution, so it's all available on my blog here:
http://www.metaltheater.com/tech/technical/fixing-the-remote-validation-attribute/
I had to create a new subclass of the RemoteAttribute class, create my own custom model binder by inheriting from DefaultModelBinder, and then use reflection to call the validator on the controller.