Exemple #1
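        /// <summary>
        /// Returns blog posts, optionally filtered by tag.
        /// </summary>
        /// <param name="tagName">Tag to filter on; null or empty returns every post.</param>
        /// <returns>
        /// 200 OK. With a tag the body is the raw post list; without a tag it is a
        /// <see cref="BlogPostResponse"/> carrying the posts and their count. The two
        /// branches deliberately keep the original's differing response shapes.
        /// </returns>
        public ActionResult<IEnumerable<BlogPost>> GetBlogPosts(string tagName)
        {
            if (!string.IsNullOrEmpty(tagName))
            {
                // tagName is caller-controlled; how the repository applies it
                // (parameterised query or otherwise) is not visible here — TODO confirm.
                IEnumerable<BlogPost> taggedPosts = _repository.GetBlogPosts(tagName);
                return Ok(taggedPosts);
            }

            // Materialise once: the repository may hand back a deferred query, and the
            // original enumerated it twice (Count() here, then again during serialisation).
            List<BlogPost> allPosts = _repository.GetBlogPosts().ToList();
            var blogPostResponse = new BlogPostResponse
            {
                BlogPosts = allPosts,
                CountBP   = allPosts.Count
            };

            return Ok(blogPostResponse);
        }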
Exemple #2
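        /// <summary>
        /// Creates a blog post owned by the authenticated author.
        /// </summary>
        /// <param name="blogPostRequest">Submitted title and text; both pass through the HTML sanitizer before storage.</param>
        /// <returns>
        /// 201 Created with the protected post id in the Location header and a <see cref="BlogPostResponse"/> body;
        /// 400 when the body is missing; 401 when the principal has no parseable "authorId" claim.
        /// </returns>
        public async Task<IActionResult> Post([FromBody] BlogPostRequest blogPostRequest)
        {
            if (blogPostRequest == null)
            {
                return BadRequest();
            }

            // The original dereferenced FindFirst("authorId").Value unguarded (NullReferenceException,
            // i.e. a 500, for a principal without the claim) and new Guid(...) throws FormatException
            // on a malformed value. Fail closed with 401 instead, mirroring the null-safe lookup in Get.
            var authorIdClaim = HttpContext.User.FindFirst("authorId")?.Value;
            if (!Guid.TryParse(authorIdClaim, out var authorId))
            {
                return Unauthorized();
            }

            // Strip active content from user-supplied HTML before it is persisted or echoed back.
            blogPostRequest.Title = _sanitizer.Sanitize(blogPostRequest.Title); // Post value: <div onload=alert('xss')>Title</div>
            blogPostRequest.Text  = _sanitizer.Sanitize(blogPostRequest.Text);  // Post value: <script type="text/javascript">alert('text')</script>

            var blogPost = blogPostRequest.CreateBlogPost(authorId);
            await _ctx.BlogPosts.AddAsync(blogPost);
            await _ctx.SaveChangesAsync();

            // Protect once so the Location header and the response body carry the same token;
            // the original called Protect twice, and protector output is not assumed stable across calls.
            var protectedId = _blogPostProtector.Protect(blogPost.Id.ToString());
            var blogPostResponse = BlogPostResponse.FromBlogPost(protectedId, blogPost, true);

            return CreatedAtAction(nameof(Get), new { id = protectedId }, blogPostResponse);
        }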
Exemple #3
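        /// <summary>
        /// Returns a single blog post addressed by its protected id.
        /// </summary>
        /// <param name="id">Data-protection wrapped post id taken from the route.</param>
        /// <returns>
        /// 200 OK with a <see cref="BlogPostResponse"/>; 404 when the id is empty, cannot be
        /// unprotected, is not a GUID, or matches no post. Tampered ids get the same 404 as
        /// unknown ids so the response does not distinguish the two cases.
        /// </returns>
        public IActionResult Get([FromRoute] string id)
        {
            if (string.IsNullOrEmpty(id))
            {
                return NotFound();
            }

            // Unprotect throws CryptographicException on a forged or corrupted payload, and
            // new Guid(...) throws FormatException; the original let both surface as a 500.
            string unprotectedId;
            try
            {
                unprotectedId = _blogPostProtector.Unprotect(id);
            }
            catch (System.Security.Cryptography.CryptographicException)
            {
                return NotFound();
            }

            if (!Guid.TryParse(unprotectedId, out var blogPostId))
            {
                return NotFound();
            }

            BlogPost blogPost = _ctx.BlogPosts.Include(bp => bp.Author).SingleOrDefault(bp => bp.Id == blogPostId);
            if (blogPost == null)
            {
                return NotFound();
            }

            // Anonymous callers and malformed claims both land on the "not the author" path;
            // the original would have thrown FormatException on a malformed claim value.
            var currentUserId = HttpContext.User.FindFirst("authorId")?.Value;
            bool isCurrentUserAuthor = Guid.TryParse(currentUserId, out var currentAuthorId)
                                       && currentAuthorId.Equals(blogPost.AuthorId);

            // NOTE(review): assumes Include always yields a non-null Author — confirm against the model.
            return Ok(BlogPostResponse.FromBlogPost(
                          _blogPostProtector.Protect(blogPostId.ToString()),
                          blogPost,
                          new AuthorViewModel(
                              _authorProtector.Protect(blogPost.Author.Id.ToString()),
                              blogPost.Author.Name),
                          isCurrentUserAuthor));
        }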