Transferring data from one website to another

Time: 2022-02-11 03:47:16

I have two websites, A and B, both written in ASP.NET MVC 3. In website A there is a form which needs to be submitted to website B via the POST method. The user has the option to post it directly or after encrypting the values.

When I submit form without encryption it is simple form.submit() and I am able to get the values in website B using FormCollection object. But when user selects submit after encryption, I redirect to another action on website A itself where encryption occurs and then this encrypted data is placed in a hidden textbox in the corresponding view and then auto submitted on page load using jQuery to website B. But now I am unable to get any values in FormCollection object on website B.

What could the problem be? Is this happening because of any security feature to prevent XSS or something similar?

2 solutions

#1


2  

It's doubtful it's from XSS protections - in that case you would see an exception. Load up Fiddler and make sure you see this data in an element inside your form that is getting posted to website B. If it's there in the form that is being submitted, it should be available.

#2


1  

Any reason for not using HTTPS and submitting directly the form to site B?

<form action="https://siteb/someaction" method="POST">
    <input type="text" name="key1" value="value1" />
    <input type="text" name="key2" value="value2" />
    <input type="text" name="key3" value="value3" />
    <input type="submit" value="Go ahead" />
</form>

If there is any reason in the case you are encrypting the values into a single hidden input and submitting the form containing this hidden field using JavaScript, only the value of the hidden field will be sent to site B. So for example if you had the following form:

<form action="http://siteb/someaction" method="POST">
    <input type="hidden" name="encrypted" value="some encrypted value" />
</form>

on site B you would fetch the encrypted value like this (don't use FormCollection, it's kinda ugly compared to view models):

[HttpPost]
public ActionResult SomeAction(string encrypted)
{
    // TODO: decrypt the encrypted value here to get the original string
    ...
}

And an even more elegant way would be to have a view model defined on site B and a custom model binder for this model that will do the decryption so that the action looks simply like this:

[HttpPost]
public ActionResult SomeAction(SomeViewModel model)
{
    // Directly use the model with all the fields in it.
    // The custom model binder will take care of creating it
    // from the encrypted request string
    ...
}
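
An added example (not part of the original answer): one way to write the custom model binder mentioned above for ASP.NET MVC. The payload format (Base64 of IV, AES-CBC ciphertext and HMAC-SHA256 tag), the two shared keys, the `EncryptedModelBinder` name and the `Key1`..`Key3` properties are assumptions; because the hidden field passes through the user's browser, the binder authenticates it before decrypting.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;
using System.Web;
using System.Web.Mvc;

public class SomeViewModel // hypothetical properties matching key1..key3 from the form
{
    public string Key1 { get; set; }
    public string Key2 { get; set; }
    public string Key3 { get; set; }
}

// Assumed wire format: Base64( IV[16] || AES-CBC ciphertext || HMAC-SHA256 tag[32] )
public class EncryptedModelBinder : IModelBinder
{
    private readonly byte[] _encKey, _macKey; // assumed: shared with site A, kept out of source control
    public EncryptedModelBinder(byte[] encKey, byte[] macKey) { _encKey = encKey; _macKey = macKey; }

    public object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
    {
        ValueProviderResult field = bindingContext.ValueProvider.GetValue("encrypted");
        if (field == null) return Fail(bindingContext, "missing field");
        byte[] blob;
        try { blob = Convert.FromBase64String(field.AttemptedValue); }
        catch (FormatException) { return Fail(bindingContext, "not Base64"); }
        if (blob.Length < 16 + 16 + 32) return Fail(bindingContext, "too short");

        // Verify the MAC over IV || ciphertext before decrypting anything.
        int bodyLen = blob.Length - 32;
        byte[] expected;
        using (var hmac = new HMACSHA256(_macKey)) expected = hmac.ComputeHash(blob, 0, bodyLen);
        int diff = 0;
        for (int i = 0; i < 32; i++) diff |= expected[i] ^ blob[bodyLen + i]; // constant-time compare
        if (diff != 0) return Fail(bindingContext, "integrity check failed");

        string plain;
        using (var aes = new AesManaged { Key = _encKey, IV = blob.Take(16).ToArray() })
        using (var dec = aes.CreateDecryptor()) // AesManaged defaults: CBC, PKCS7
            plain = Encoding.UTF8.GetString(dec.TransformFinalBlock(blob, 16, bodyLen - 16));
        // Plaintext is assumed to be the original form, URL-encoded: key1=..&key2=..&key3=..
        var values = HttpUtility.ParseQueryString(plain);
        return new SomeViewModel { Key1 = values["key1"], Key2 = values["key2"], Key3 = values["key3"] };
    }

    private static object Fail(ModelBindingContext ctx, string reason)
    { ctx.ModelState.AddModelError("encrypted", reason); return null; }
}
```

Register the binder in `Application_Start` with `ModelBinders.Binders.Add(typeof(SomeViewModel), new EncryptedModelBinder(encKey, macKey))`, and have the action check `ModelState.IsValid` (the model is null when binding fails).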
