I have a Character model which has some defaults and have created a simple form for it (or rather a subclass of the Character model) all tied together by a controller.
The problem is that the form does not get the default values when called by simple_form_for Character.new.
Have I missed some configuration flag I need to set or do I have to edit the simple_form templates?
there is an open pull request for this issue: https://github.com/jnunemaker/mongomapper/pull/393
so you should wait a bit before it will be merged :)
BTW, it's not a SimpleForm issue but rails form_for.
Related
I have the following two form_for() that I am confused about.
# form for users
form_for(#user) do |f|
# form for sessions
form_for(:sessions, url: login_path) do |f|
I understand that the first one is simply go through all the users and input the form. I am not sure why when you create a new session, the parameters for form_for is listed as such. Why is there a login path?
Michael Hartl explained it as "in the case of sessions we need to indicate the name of the resource and the corresponding URL", but that doesnt' really explain anything to me.
any enlightenment would be nice!
Passing :url to form_for method is optional when dealing with a model object. when using it to create a new object:
# long-style:
form_for(#user, url: users_path)
# same thing, short-style (record identification gets used)
form_for(#user)
In the short-style version a concept called Record Indentification is used, basically rails figures out if the record is new by asking record.new_record? It also selects the correct path to submit to based on the class of the object, in this case #user.class
Same principle applies when using form_for when updating an existing object. In this case the record.new_record? returns false, and rails figures out it must submit the form to the update action of the controller.
In cases when the path that the form must submit to cannot be figured out by rails using the above mechanism, then the url must be provided explicitly. This also applies when defining Singular Resources such as resource :geocoder. when creating forms for singular routes, the URL must be specified:
form_for #geocoder, url: geocoder_path do |f|
In the first case, the form_for helper inspects the #user variable to see its state. The User might be a new record (in which case the form points to /users with POST*) or an existing record (users/:id with PATCH). It can also provide pre-filled inputs based on the variable's state.
The second form is used when there's no need for an instance of a model (or maybe the model doesn't even exists) and the form_for helper is used just for convenience. The url parameter is explicitly set because by default the action would point to the current URL and you want it to point to login_path.
*Technically they are both POST on the browser side, Rails will distinguish between them later.
I have a model and a form in the view. I have a simple field of string which is called description. I'm able to insert scripts like: <script>alert('xss')</script> to that field.
I can see that in other actions on my site with other models I can't
I do not have an AllowHtml or anything like that.
the only difference is that for this model I use a post with a json object and content-type of application/json
the ModelState.IsValid is returning true. even though there is a description property with an xss script on it...
and for the other actions I make a simple ajax post.
why isn't the validation input work on this kind of JSON ajax posts?
how can I prevent xss across the entire site for this kind of ajax requests?
thanks
It is because ValidateInput is only for FormValueProvider. As for JsonValueProvider, you need to roll out your own mechanism.
Steps
1) Create a marker attribute CustomAntiXssAttribute
2) Create a custom model binder by sub-classing DefaultModelBinder
3) Overrides BindProperty method -> get the attempted value for the underlying property, sanitize it and assign it to the view model property.
Check this out.
Edited:
Replace the line var valueResult = bindingContext.ValueProvider.GetValue(propertyDescriptor.Name); with var valueResult = bindingContext.ValueProvider.GetValue((string.IsNullOrWhiteSpace(bindingContext.ModelName) ? string.Empty : bindingContext.ModelName + ".") + propertyDescriptor.Name); in order to support nested ViewModel.
try using AntiXssLibrary from Nuget, and by using getSafeHtmlContent. you can get the safe content while you're saving your records to db.
Another approach is to use a Sanitizer library like this one, you can choose which HTML tags you want to be filtered out.
I hope someone can help me out to disable the default validation that MVC 3 runs when I post a string value in an integer field. Currently the application will add the error “the value ‘abc’ is not valid for IntergerProperty” to the ModelState before our validators are executed.
We don’t use client side validation and have our own validators that are loaded in the Global.asax. We only want to use these validators to check the input and would like to disable this check.
Is it possible to disable this behavior?
Thanks in advanced,
André
I think the best solution for your issue is to implement a custom model binder to override the default behavior if you really want/need to be able to take alpha chars in a numeric field.
My form (Html.BeginForm) was submitting well, i added some records over the period of one month using this form.
Then i did some cleanup (i don't remember those cleanups :( ) and tested the form after some time and now it is not submitting with a date value.
I mean, there are some date fields associated with master and child models, if child's date fields are filled (no matter parent's date is filled or not), the form does not get submitted and if these are empty then it does provided this is the first attempt i.e. if i attempt first with filled dates and then with empty dates, submitting does not work. I have two validation summaries with excludePropertyErrors true and false, no error is shown.
I had custom date format, dd-MMM-yyyy, and respective unobtrusive validator as jQuery.validator.methods["date"]. The behavior is same after removing these on both IE and Chrome.
However, a sample form submitting to the same controller's action on the same view with a sample model depicting the same structure works fine !!!
How to troubleshooting this??
Seems to me that the model binder is working correctly for your expected params, but that specific form is not passing in the values correctly (while your test form does).
These are the things your should try:
Use the browser's built in network logger and see what your POST looks like
Check the cAsE and spellnig of your variable names on the form (they should match your params/POCO on the action signature)
Hope this helps some.
Thanks BiffBaffBoff for compare the two. I figured out the problem by enhancing the sample model, controller and view, adding fields and validations one by one and finally got the issue. It was my authorization action attribute which was missing on one of the Remote validation action for date, my controller requires authorization.
Thank you all who tried to help me out, without even looking at single line of code.
I need pass through all values of model to the next controller. I could create hidden fields for all properties of the model, but this is always a bit error prone when the model gets new fields.
I tried this:
#Html.HiddenFor(x => x)
but that just leads to the error
CS1660: Cannot convert lambda expression to type 'string' because it is not a delegate type
(I don't like using Tempdata because its so short lived, and unplaned page reloads)
Is there a simple way to accomplish this?
Why not just pull it from the database? If the user can't change the values then why do you need to send it back and forth? A malicious user can modify the hidden field value and try to post it back to the server. Pulling from the database would be faster and more secure.
You have to add the property you are using in the lambda experssion
#Html.HiddenFor(x => x.Username)