can't pass html tags in parameters in $.post()

I am using a userControl in MVC 4 that has a telerik radeditor. I want to submit the content of the radeditor to the action method but if I use editor.get_html() the code doesn't execute.

The JavaScript call to the action method is the following:

function Save() {
    var editor = $find("<%=radEdit.ClientID%>");          
    var editorHtmlContent = editor.get_html(); 
    var entityId = document.getElementById('hdEntityId').value;           
    var url = '<%=Url.Action("SaveNote", "staticController")%>';
    $.post(url, { EntityId: entityId, Desc: editorHtmlContent }, function (result) { });
}

Any clue?

Posting HTML tags is being considered a security threat (HTML Injection and Cross-site Scripting (XSS)), so it is blocked by default. You have three ways out of this:

  1. Encode your HTML on client side before sending to the server. You can find a lot of reading about that on SO, for example here: Fastest method to escape HTML tags as HTML entities?
  2. If you have strongly typed model class and want to get the actual HTML, you can use AllowHtmlAttribute:

     public class XMLModel
     {
         public int EntityId { get; set; }

         [AllowHtml]
         public string Desc { get; set; }
     }

  3. Last option is to disable input validation for entire action, which can be done with ValidateInputAttribute:

     [ValidateInput(false)]
     [HttpPost]
     public ActionResult SaveNote(...) { ... }

You should choose the option most suitable for you.
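An added example for option 1 (not part of the original answer): entity-encoding the editor content so it passes request validation, with a lossless round trip. The function names and sample strings are constructed for illustration, and `looksDangerous` is a simplified model (an assumption) of the ASP.NET check, not the framework's code.

```javascript
// Escape what is needed for transport. '&' must be replaced first so that an
// existing entity such as "&#39;" becomes "&amp;#39;" and no "&#" pair remains.
function encodeForPost(html) {
  return String(html)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;");
}

// Simplified model (assumption) of what request validation rejects:
// '<' followed by a letter, '!', '/' or '?', or the sequence "&#".
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Inverse of encodeForPost, included to show the round trip is lossless.
// '&amp;' is decoded last so "&amp;lt;" comes back as "&lt;", not "<".
function decodeFromPost(text) {
  return String(text)
    .replace(/&quot;/g, '"')
    .replace(/&gt;/g, ">")
    .replace(/&lt;/g, "<")
    .replace(/&amp;/g, "&");
}

// Constructed sample editor content (not from the original post).
const samples = [
  '<p class="note">Tom &amp; Jerry</p>', // markup: rejected when sent raw
  "It&#39;s <b>bold</b>",                // numeric entity also trips "&#"
  "plain text, 1 < 2",                   // '<' followed by a space is allowed
];

function report() {
  return samples.map((raw) => {
    const encoded = encodeForPost(raw);
    return {
      raw,
      encoded,
      rawBlocked: looksDangerous(raw),
      encodedBlocked: looksDangerous(encoded),
      roundTrips: decodeFromPost(encoded) === raw,
    };
  });
}

// In Save(): $.post(url, { EntityId: entityId, Desc: encodeForPost(editor.get_html()) }, ...)
console.log(report());
```

Encoding here only gets the value past the input filter. The action still has to decode it (for example with HttpUtility.HtmlDecode) and sanitize or output-encode the HTML before rendering it to any user.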
