public HttpResponseMessage Post(UploadModel data) { var cleanData = new UploadModel(); foreach (var propertyName in data.GetType().GetProperties()) { var element = data.GetType().GetProperty(propertyName.Name).GetValue(data, null); dynamic cleanValue = null; // validate any strings that may come in. // Any property value of the data object that doesn't match the property type of the UploadModel // will be "kicked out," meaning C# will ignore the value passed and will set it to some valid // default value in UploadModel. If a property like MonthlyUsers (int) is sent as a string // when C# converts the data into the UploadModel, the MonthlyUsers will default to the value 0. // Therefore, we really only need to check Strings, since those can be used to pass malicious values. if (element != null && propertyName.PropertyType.Name == "String") { cleanValue = AntiXssEncoder.HtmlEncode(element.ToString(), true); } else { // we are only worried about Strings, so any null or non-String value we can safely pass on. cleanValue = element; } // if element is null, obviously no validation needed. cleanData .GetType() .GetProperty(propertyName.Name) .SetValue(cleanData, cleanValue); } var result = new ResultObject(); try { var proxy = new RESTProxy(new ProxyConfiguration(_contentManager, _encryptionService, ProxySettingTypes.Default)); var newItemId = proxy.Send(new JsonDTO { Title = string.Concat(cleanData.Company, "_", DateTime.Now.ToString("yyyyMMdd")), PartnerFirstName = cleanData.FirstName, PartnerLastName = cleanData.LastName, PartnerEmail = cleanData.Email, PartnerPhone = cleanData.Phone, PartnerCompanyName = cleanData.Company, PartnerIndustry = cleanData.Industry, PartnerCompanyAddress = cleanData.CompanyAddress, PartnerCountry = cleanData.Country, PartnerStateProvince = cleanData.State, PartnerCity = cleanData.City, PartnerZip = cleanData.Zip, ProductUrl = new UrlDTO { Url = cleanData.ProductUrl, Description = "" }, IntegrationType = cleanData.IntegrationType, PartnershipScenarios = data.Scenarios, // not encoded PartnershipDescription = data.Description, // not encoded MonthlyUsers = cleanData.MonthlyUsers, DailyUsers = cleanData.DailyUsers, ViewSessions = cleanData.ViewSessions, EditSessions = cleanData.EditSessions, TotalWordDocuments = cleanData.MsWord, TotalPPTDocuments = cleanData.MsPpt, TotalExcelDocuments = cleanData.MsXl, NorthAmerica = cleanData.NorthAmerica, SouthAmerica = cleanData.SouthAmerica, Europe = cleanData.Europe, Asia = cleanData.Asia, Africa = cleanData.Africa, Australia = cleanData.Australia, DatacentreDistribution = data.Distribution // not encoded }); var newAttachmentIds = proxy.Attach(cleanData.EncodedImageData, newItemId); result.Success = true; try { //Nested try because an exception from sending mail could be anything //and we don't want to tell the user we failed if sending the email fails new MailHelper(_contentManager, _encryptionService).SendCloudStorageEmail(cleanData.Email, cleanData.FirstName); } catch (Exception exception) { Logger.Error(exception, string.Format("Error sending cloud storage email to {0}", cleanData.Email)); } } catch (Exception exception) { result.Error = exception.Message; } var response = Request.CreateResponse(HttpStatusCode.OK, result, new System.Net.Http.Headers.MediaTypeHeaderValue("application/json")); return response; }
public HttpResponseMessage Post(ActivityFeedAPIFormUploadModel data) { var cleanData = new ActivityFeedAPIFormUploadModel(); foreach (var propertyName in data.GetType().GetProperties()) { var element = data.GetType().GetProperty(propertyName.Name).GetValue(data, null); dynamic cleanValue = null; // validate any strings that may come in. // Any property value of the data object that doesn't match the property type of the APIRequestUploadModel // will be "kicked out," meaning C# will ignore the value passed and will set it to some valid // default value in APIRequestUploadModel. If a property like MonthlyUsers (int) is sent as a string // when C# converts the data into the UploadModel, the MonthlyUsers will default to the value 0. // Therefore, we really only need to check Strings, since those can be used to pass malicious values. if (element != null && propertyName.PropertyType.Name == "String") { cleanValue = AntiXssEncoder.HtmlEncode(element.ToString(), true); } else { // we are only worried about Strings, so any null or non-String value we can safely pass on. cleanValue = element; } // if element is null, obviously no validation needed. cleanData .GetType() .GetProperty(propertyName.Name) .SetValue(cleanData, cleanValue); } var result = new ActivityFeedAPIFormResultObject(); try { var config = new ProxyConfiguration(_contentManager, _encryptionService, ProxySettingTypes.APISubmission); var proxy = new RESTProxy(config); var newItemId = proxy.Send(new JsonDTOApiSubmission { Title = string.Concat(cleanData.CompanyName, "_", DateTime.Now.ToString("yyyyMMdd")), SubmissionFirstName = cleanData.FirstName, SubmissionLastName = cleanData.LastName, SubmissionEmail = cleanData.Email, SubmissionPhone = cleanData.Phone, SubmissionCompanyName = cleanData.CompanyName, SubmissionCompanyAddress = cleanData.CompanyAddress, SubmissionCountry = cleanData.Country, SubmissionState = cleanData.State, SubmissionCity = cleanData.City, SubmissionPostCode = cleanData.PostCode, ProductPageUrl = new UrlDTO { Url = cleanData.PageUrl, Description = "" }, PlatformIntegrationDescription = data.PlatformIntegrationDescription, SubmissionScenario = data.Scenarios, MonthlyUsers = cleanData.MonthlyUsers, DailyUsers = cleanData.DailyUsers, Current365Customers = cleanData.Current365Customers, Future365Customers = cleanData.Future365Customers, IsvPartner = cleanData.IsvPartner }); result.Success = true; try { //Nested try because an exception from sending mail could be anything //and we don't want to tell the user we failed if sending the email fails //NOTE Email will not be sent if no From address new MailHelper(_contentManager, _encryptionService).SendActivityFeedApiEmail(cleanData.Email, cleanData.FirstName); } catch(Exception exception) { Logger.Error(exception, string.Format("Error sending activity feed api email to {0}", cleanData.Email)); } } catch (Exception exception) { result.Error = exception.Message; } var response = Request.CreateResponse(HttpStatusCode.OK, result, new System.Net.Http.Headers.MediaTypeHeaderValue("application/json")); return response; }