
Are ASP.NET MVC 4 Beta editor templates safe against CSRF?

Are pages generated by ASP.NET MVC 4 Beta templates safe against Cross-Site Request Forgery?

Specifically, are the "Edit" view and controller action generated by the "Controller with read/write actions and views, using EntityFramework" protected against CSRF?

Examining the HTML code generated by the Edit form, I can't see a hidden field or another way to implement an anti-forgery token.

Am I missing something or is the default example unsafe?

You need to explicitly implement the anti-forgery token.

In the view:

@using (Html.BeginForm(...
{
    @Html.AntiForgeryToken()
    ...
}

In the controller:

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult MyAction(MyViewModel model)
{
    ...
}

You can always create custom T4 templates to generate this for you, but no, the out-of-the-box templates do not do this by default.
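Added example, not code from the question, the answer, or the MVC scaffold itself: a scaffold-style Edit action with the missing anti-forgery pieces filled in, followed by a reflection check that lists every POST action in a controller assembly that lacks [ValidateAntiForgeryToken]. The Product entity and ProductsContext are placeholders for whatever the "Controller with read/write actions and views, using EntityFramework" template generated in your project.

```csharp
// Added example, not from the original post. "Product" and "ProductsContext"
// are hypothetical stand-ins for the scaffolded entity and DbContext.
using System;
using System.Data;
using System.Data.Entity;
using System.Linq;
using System.Reflection;
using System.Web.Mvc;

public class Product
{
    public int Id { get; set; }
    public string Name { get; set; }
}

public class ProductsContext : DbContext
{
    public DbSet<Product> Products { get; set; }
}

// Views/Products/Edit.cshtml -- the line the MVC 4 Beta scaffold leaves out is marked.
//
//   @model Product
//   @using (Html.BeginForm())
//   {
//       @Html.AntiForgeryToken()   @* missing from the scaffolded Edit view *@
//       @Html.EditorForModel()
//       <input type="submit" value="Save" />
//   }
//
// Html.AntiForgeryToken() emits a hidden field named __RequestVerificationToken
// and sets a matching anti-forgery cookie. A form on an attacker's site can make
// the browser send the cookie, but it cannot read or guess the hidden field.

public class ProductsController : Controller
{
    private readonly ProductsContext db = new ProductsContext();

    [HttpGet]
    public ActionResult Edit(int id)
    {
        Product product = db.Products.Find(id);
        if (product == null) return HttpNotFound();
        return View(product);
    }

    // The scaffold generates this action without [ValidateAntiForgeryToken].
    // With it, MVC compares the hidden field against the cookie before the
    // action body runs and throws an HttpAntiForgeryException on a mismatch.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Edit(Product product)
    {
        if (!ModelState.IsValid) return View(product);
        db.Entry(product).State = EntityState.Modified;
        db.SaveChanges();
        return RedirectToAction("Index");
    }
}

// Audit helper: every public POST action in the assembly that is missing the
// attribute. Run it from a unit test so an unprotected scaffolded action fails
// the build instead of shipping.
public static class CsrfAudit
{
    public static string[] UnprotectedPostActions(Assembly controllers)
    {
        return controllers.GetTypes()
            .Where(t => typeof(Controller).IsAssignableFrom(t) && !t.IsAbstract)
            .SelectMany(t => t.GetMethods(
                BindingFlags.Public | BindingFlags.Instance | BindingFlags.DeclaredOnly))
            .Where(m => typeof(ActionResult).IsAssignableFrom(m.ReturnType))
            .Where(m => m.IsDefined(typeof(HttpPostAttribute), true)
                     && !m.IsDefined(typeof(ValidateAntiForgeryTokenAttribute), true))
            .Select(m => m.DeclaringType.Name + "." + m.Name)
            .OrderBy(name => name)
            .ToArray();
    }
}

// Usage from a test project (assertion syntax depends on your test framework):
//   var missing = CsrfAudit.UnprotectedPostActions(typeof(ProductsController).Assembly);
//   Assert.AreEqual(0, missing.Length, string.Join(", ", missing));
```

The audit matters because Edit is not the only gap: the same template also scaffolds POST actions for Create and for the Delete confirmation, and none of them carry the attribute. Note also that [ValidateAntiForgeryToken] only reads the token from the posted form; for AJAX requests you have to send the token yourself and validate it with AntiForgery.Validate from System.Web.Helpers.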
