asp.net mvc 自定义模型绑定 有潜在的Requset.Form
自定义了一个模型绑定器。前端会传过来一些敏感字符。调用bindContext. valueProvider.GetValue(key) 则会报错 说 有潜在的从客户端中检测到有潜在危险的 Request.QueryString 值
百度谷歌都没有找到相关答案
MVC自带的默认绑定器(DefaultModelBinder)在action方法打上[ValidateInput(false)]或则在跳过验证的字段上打上[AllowHtml] 特性则可以跳过敏感字符验证
下载MVC4源码发现 他在获取的其中一个绑定方法
public virtual object BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
EnsureStackHelper.EnsureStack();
if (bindingContext == null)
{
throw new ArgumentNullException("bindingContext");
}
bool performedFallback = false;
if (!String.IsNullOrEmpty(bindingContext.ModelName) && !bindingContext.ValueProvider.ContainsPrefix(bindingContext.ModelName))
{
// We couldn't find any entry that began with the prefix. If this is the top-level element, fall back
// to the empty prefix.
if (bindingContext.FallbackToEmptyPrefix)
{
bindingContext = new ModelBindingContext()
{
ModelMetadata = bindingContext.ModelMetadata,
ModelState = bindingContext.ModelState,
PropertyFilter = bindingContext.PropertyFilter,
ValueProvider = bindingContext.ValueProvider
};
performedFallback = true;
}
else
{
return null;
}
}
// Simple model = int, string, etc.; determined by calling TypeConverter.CanConvertFrom(typeof(string))
// or by seeing if a value in the request exactly matches the name of the model we're binding.
// Complex type = everything else.
if (!performedFallback)
{
bool performRequestValidation = ShouldPerformRequestValidation(controllerContext, bindingContext);
ValueProviderResult valueProviderResult = bindingContext.UnvalidatedValueProvider.GetValue(bindingContext.ModelName, skipValidation: !performRequestValidation);
if (valueProviderResult != null)
{
return BindSimpleModel(controllerContext, bindingContext, valueProviderResult);
}
}
if (!bindingContext.ModelMetadata.IsComplexType)
{
return null;
}
return BindComplexModel(controllerContext, bindingContext);
}
红色处发现他在获取参数之前获得一个bool值,
点开看看这个方法
private static bool ShouldPerformRequestValidation(ControllerContext controllerContext, ModelBindingContext bindingContext)
{
if (controllerContext == null || controllerContext.Controller == null || bindingContext == null || bindingContext.ModelMetadata == null)
{
// To make unit testing easier, if the caller hasn't specified enough contextual information we just default
// to always pulling the data from a collection that goes through request validation.
return true;
}
// We should perform request validation only if both the controller and the model ask for it. This is the
// default behavior for both. If either the controller (via [ValidateInput(false)]) or the model (via [AllowHtml])
// opts out, we don't validate.
return (controllerContext.Controller.ValidateRequest && bindingContext.ModelMetadata.RequestValidationEnabled);
}
//看注释好像发现了什么 让我们通过打特性 来跳过验证
.发现他的getValue 有个重载 如果传入true则可以跳过验证
高兴的回去改自己的代码 发现bindContext.valueProvider的值提取器是接口类型System.Web.Mvc.ModelBindingContext.ValueProvider 他是没有重载方法的
看看这个东东ValueProviderResult valueProviderResult = bindingContext.UnvalidatedValueProvider.GetValue(bindingContext.ModelName, skipValidation: !performRequestValidation); 的UnvalidatedValueProvider到底是什么
public IValueProvider ValueProvider { get; set; }
internal IUnvalidatedValueProvider UnvalidatedValueProvider
{
get { return (ValueProvider as IUnvalidatedValueProvider) ?? new UnvalidatedValueProviderWrapper(ValueProvider); }
}
看到这里 回头修改自己的代码吧
//如果是基本类型 直接在值提供器中拿值绑定
if (property.PropertyType.IsValueType || property.PropertyType == typeof (string))
{
var newkey = property.Name;
if (Regex.IsMatch(key, @"\[\w*\]"))
{
newkey = key + "[" + newkey + "]";
}
var value = bindingContext.ValueProvider.GetValue(newkey);
if (value == null)
{
//再尝试获取一次
var valueProvider = (bindingContext.ValueProvider as IUnvalidatedValueProvider);
newkey = key + "[" + newkey + "]";
value = valueProvider.GetValue(newkey,true);
}
当然这么做还是不严谨的 我们需要也像defualtModelBind一样 通过特性来标示是否跳过验证。而不是所有使用模型绑定的action请求都跳过验证