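/// <summary>
/// Creates a new form owned by the current membership user from the posted
/// <paramref name="viewModel"/>, stores its field definitions in posted order,
/// and redirects to the List action.
/// </summary>
/// <param name="viewModel">Posted form name plus zero or more field definitions.</param>
/// <returns>RedirectToAction("List") with Message = "created".</returns>
/// <remarks>
/// ModelState.IsValid is not consulted (see the TODO), so this method is the
/// only place the posted strings are cleaned before they reach the database:
/// the text settings go through AntiXss.GetSafeHtmlFragment wrapped in the
/// PreserveBreaks/KillHtml/RestoreBreaks hack, LiteralText through
/// AntiXss.GetSafeHtml. FormName, Orientation and EmptyOption, and the numeric
/// settings (ListSize, Rows, Cols, MaxSizeBytes), are stored exactly as posted.
/// Any [HttpPost]/[ValidateAntiForgeryToken]/[Authorize]/[ValidateInput]
/// attributes would sit above this excerpt and are not visible here.
/// </remarks>
public ActionResult Create(FormViewModel viewModel)
        {
            //TODO: With the complexity of what we're sending back in the viewModel, the ModelState.IsValid breaks down ... need to re-evaluate
            //      (when validation is reinstated: on an invalid state rebuild each field's FormFieldTypes
            //      via GetFormFieldTypes() and return View(viewModel) instead of redirecting)
            if (viewModel == null || viewModel.Form == null)
            {
                throw new ArgumentNullException("viewModel");
            }

            // Membership.GetUser returns null for an unknown or anonymous name; refuse
            // before anything is created rather than dereferencing null further down.
            var user = Membership.GetUser(User.Identity.Name);
            if (user == null)
            {
                throw new InvalidOperationException("Create requires an authenticated membership user.");
            }

            // Same cleaning chain as Edit: keep line breaks, let AntiXss whitelist the fragment,
            // then strip whatever markup (including the HTML/BODY wrapper) is left.
            Func<string, string> cleanFragment = text => AntiXss.GetSafeHtmlFragment(text.PreserveBreaks()).KillHtml().RestoreBreaks();

            var newForm = _mvcForms.Forms.CreateObject();
            newForm.Uid    = Guid.NewGuid();
            newForm.UserId = (Guid)user.ProviderUserKey; // ownership key; Edit must compare against this
            // NOTE(review): RandomString is defined elsewhere in the controller. A 5-character
            // public path is only as unguessable as its generator - confirm it is backed by a
            // CSPRNG rather than System.Random, and that a ShortPath collision is rejected by the store.
            newForm.ShortPath = RandomString(5);
            // NOTE(review): FormName is stored without AntiXss; safe only if every view encodes it on output.
            newForm.FormName  = viewModel.Form.FormName;
            newForm.Timestamp = DateTime.Now;
            _mvcForms.AddToForms(newForm);

            // A post with no field rows may bind FormFields as null; treat that as "no fields".
            if (viewModel.FormFields != null)
            {
                var sortOrder = 1;
                foreach (var formField in viewModel.FormFields)
                {
                    var thisField = formField;
                    // Malformed or missing type id throws (FormatException/ArgumentNullException);
                    // the value is not otherwise checked against the known field types here.
                    var thisFormFieldUid = new Guid(thisField.SelectedFormFieldType);

                    var newFormField = _mvcForms.FormFields.CreateObject();
                    newFormField.FormUid          = newForm.Uid;
                    newFormField.Uid              = Guid.NewGuid();
                    newFormField.FormFieldTypeUid = thisFormFieldUid;
                    newFormField.FormFieldName    = cleanFragment(thisField.FormFieldName);
                    newFormField.FormFieldPrompt  = cleanFragment(thisField.FormFieldPrompt);
                    newFormField.IsHidden         = 0;
                    newFormField.IsRequired       = Convert.ToByte(thisField.IsRequired);
                    newFormField.SortOrder        = sortOrder++; // posted order is the display order
                    newFormField.Timestamp        = DateTime.Now;
                    //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
                    newFormField.Options          = cleanFragment(thisField.Options);
                    newFormField.Orientation      = thisField.Orientation;
                    newFormField.IsMultipleSelect = Convert.ToByte(thisField.IsMultipleSelect);
                    newFormField.ListSize         = thisField.ListSize;
                    newFormField.IsEmptyOption    = Convert.ToByte(thisField.IsEmptyOption);
                    newFormField.EmptyOption      = thisField.EmptyOption;
                    newFormField.Rows             = thisField.Rows;
                    newFormField.Cols             = thisField.Cols;
                    newFormField.ValidExtensions  = cleanFragment(thisField.ValidExtensions);
                    newFormField.ErrorExtensions  = cleanFragment(thisField.ErrorExtensions);
                    newFormField.MaxSizeBytes     = thisField.MaxSizeBytes;
                    // LiteralText is meant to be rendered as markup, so it gets the full
                    // sanitizer rather than the fragment/KillHtml chain.
                    newFormField.LiteralText      = AntiXss.GetSafeHtml(thisField.LiteralText);
                    _mvcForms.AddToFormFields(newFormField);
                }
            }

            _mvcForms.SaveChanges();
            return RedirectToAction("List", new { Message = "created" });
        }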
 /// <summary>
 /// View helper: runs <paramref name="input"/> through AntiXss.GetSafeHtml so the
 /// result can be written to the page unencoded. The <paramref name="helper"/>
 /// receiver only exists so this can be called as Html.Sanitize(...); it is not used.
 /// </summary>
 /// <param name="helper">The HtmlHelper the extension hangs off (unused).</param>
 /// <param name="input">Untrusted HTML to sanitize.</param>
 /// <returns>Whatever AntiXss.GetSafeHtml returns for <paramref name="input"/>.</returns>
 public static string Sanitize(this HtmlHelper helper, string input)
 {
     string sanitized = AntiXss.GetSafeHtml(input);
     return sanitized;
 }
 /// <summary>
 /// Sanitizes the string form of <paramref name="input"/> with AntiXss.GetSafeHtml.
 /// What is stripped or kept is decided by the AntiXss library; this overload only
 /// adds the null handling.
 /// </summary>
 /// <param name="input">Any object whose ToString() result is treated as untrusted HTML.</param>
 /// <returns>The sanitized markup, or String.Empty when <paramref name="input"/> is null.</returns>
 public static string GetSafeHtml(this object input)
 {
     if (input == null)
     {
         return string.Empty;
     }
     return AntiXss.GetSafeHtml(input.ToString());
 }
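        /// <summary>
        /// Applies an edited form definition posted in <paramref name="viewModel"/>:
        /// renames the form, hides the fields that were dropped from the posted list,
        /// updates the surviving fields, adds new ones, and redirects to List.
        /// </summary>
        /// <param name="viewModel">Posted form name plus the field definitions that should survive.</param>
        /// <returns>RedirectToAction("List") with Message = "updated".</returns>
        /// <remarks>
        /// The form is identified by Request["Form.Uid"] and the previously listed
        /// fields by the comma-separated Request["ListFields"]; both are caller
        /// controlled, so the form lookup is restricted to forms whose UserId (as set
        /// by Create) is the current user, and every field lookup to that form.
        /// [ValidateInput(false)] switches request validation off for this action,
        /// which makes the AntiXss calls below the only cleaning the stored strings
        /// get; FormName, Orientation and EmptyOption are stored as posted.
        /// ModelState.IsValid is not consulted (see the TODO).
        /// </remarks>
        [ValidateInput(false)] //This allows HTML posts to be accepted; we use AntiXss to avoid issues
        public ActionResult Edit(FormViewModel viewModel)
        {
            //TODO: With the complexity of what we're sending back in the viewModel, the ModelState.IsValid breaks down ... need to re-evaluate
            //      (when validation is reinstated: on an invalid state rebuild each field's FormFieldTypes
            //      via GetFormFieldTypes() and return View(viewModel) instead of redirecting)
            if (viewModel == null || viewModel.Form == null)
            {
                throw new ArgumentNullException("viewModel");
            }

            // Resolve the caller the same way Create does, so ownership is compared on
            // the key Create stored in Forms.UserId.
            var user = Membership.GetUser(User.Identity.Name);
            if (user == null)
            {
                throw new InvalidOperationException("Edit requires an authenticated membership user.");
            }
            var userId = (Guid)user.ProviderUserKey;

            var thisFormUid = new Guid(Request["Form.Uid"]);
            // Single() throws when nothing matches, so a form that belongs to another
            // user fails exactly like a form that does not exist.
            var editForm = _mvcForms.Forms.Single(form => form.Uid == thisFormUid && form.UserId == userId);

            ViewData["FormName"] = editForm.FormName;
            // NOTE(review): FormName is stored without AntiXss; safe only if every view encodes it on output.
            editForm.FormName    = viewModel.Form.FormName;

            // Same cleaning chain as Create: keep line breaks, let AntiXss whitelist the fragment,
            // then strip whatever markup (including the HTML/BODY wrapper) is left.
            Func<string, string> cleanFragment = text => AntiXss.GetSafeHtmlFragment(text.PreserveBreaks()).KillHtml().RestoreBreaks();

            // A post with no surviving field rows may bind FormFields as null; treat that as "no fields".
            var postedFields = viewModel.FormFields;

            // Fields the page listed but the post no longer contains were removed by the
            // user: they are hidden, never deleted.
            if (!string.IsNullOrEmpty(Request["ListFields"]))
            {
                foreach (var listField in Request["ListFields"].Split(','))
                {
                    var listFieldUid = new Guid(listField);
                    var stillPosted  = postedFields != null && postedFields.Any(fields => fields.Uid == listFieldUid);
                    if (!stillPosted)
                    {
                        // Restricted to this form: a Uid belonging to another form's field is
                        // not hidden (Single throws instead of touching it).
                        _mvcForms.FormFields.Single(field => field.Uid == listFieldUid && field.FormUid == thisFormUid).IsHidden = 1;
                    }
                }
            }

            if (postedFields != null)
            {
                var sortOrder = 1;
                foreach (var formField in postedFields)
                {
                    var thisField = formField;
                    // Existing field? Match only within this form so a posted Uid cannot
                    // update another form's row; anything else is treated as a new field.
                    var oldFormField = _mvcForms.FormFields.FirstOrDefault(item => item.Uid == thisField.Uid && item.FormUid == thisFormUid);
                    if (oldFormField != null)
                    {
                        oldFormField.FormFieldName   = cleanFragment(thisField.FormFieldName);
                        oldFormField.FormFieldPrompt = cleanFragment(thisField.FormFieldPrompt);
                        oldFormField.IsRequired      = Convert.ToByte(thisField.IsRequired);
                        oldFormField.SortOrder       = sortOrder++; // posted order is the display order
                        //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
                        oldFormField.Options          = cleanFragment(thisField.Options);
                        oldFormField.Orientation      = thisField.Orientation;
                        oldFormField.IsMultipleSelect = Convert.ToByte(thisField.IsMultipleSelect);
                        oldFormField.ListSize         = thisField.ListSize;
                        oldFormField.IsEmptyOption    = Convert.ToByte(thisField.IsEmptyOption);
                        oldFormField.EmptyOption      = thisField.EmptyOption;
                        oldFormField.Rows             = thisField.Rows;
                        oldFormField.Cols             = thisField.Cols;
                        oldFormField.ValidExtensions  = cleanFragment(thisField.ValidExtensions);
                        oldFormField.ErrorExtensions  = cleanFragment(thisField.ErrorExtensions);
                        oldFormField.MaxSizeBytes     = thisField.MaxSizeBytes;
                        // LiteralText is meant to be rendered as markup, so it gets the full
                        // sanitizer rather than the fragment/KillHtml chain.
                        oldFormField.LiteralText      = AntiXss.GetSafeHtml(thisField.LiteralText);
                    }
                    else
                    {
                        // Malformed or missing type id throws (FormatException/ArgumentNullException);
                        // the value is not otherwise checked against the known field types here.
                        var thisFormFieldUid = new Guid(thisField.SelectedFormFieldType);
                        var newFormField     = _mvcForms.FormFields.CreateObject();
                        newFormField.FormUid          = thisFormUid;
                        newFormField.Uid              = Guid.NewGuid();
                        newFormField.FormFieldTypeUid = thisFormFieldUid;
                        newFormField.FormFieldName    = cleanFragment(thisField.FormFieldName);
                        newFormField.FormFieldPrompt  = cleanFragment(thisField.FormFieldPrompt);
                        newFormField.IsHidden         = 0;
                        newFormField.IsRequired       = Convert.ToByte(thisField.IsRequired);
                        newFormField.SortOrder        = sortOrder++;
                        newFormField.Timestamp        = DateTime.Now;
                        //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
                        newFormField.Options          = cleanFragment(thisField.Options);
                        newFormField.Orientation      = thisField.Orientation;
                        newFormField.IsMultipleSelect = Convert.ToByte(thisField.IsMultipleSelect);
                        newFormField.ListSize         = thisField.ListSize;
                        newFormField.IsEmptyOption    = Convert.ToByte(thisField.IsEmptyOption);
                        newFormField.EmptyOption      = thisField.EmptyOption;
                        newFormField.Rows             = thisField.Rows;
                        newFormField.Cols             = thisField.Cols;
                        newFormField.ValidExtensions  = cleanFragment(thisField.ValidExtensions);
                        newFormField.ErrorExtensions  = cleanFragment(thisField.ErrorExtensions);
                        newFormField.MaxSizeBytes     = thisField.MaxSizeBytes;
                        newFormField.LiteralText      = AntiXss.GetSafeHtml(thisField.LiteralText);
                        _mvcForms.AddToFormFields(newFormField);
                    }
                }
            }

            _mvcForms.SaveChanges();
            return RedirectToAction("List", new { Message = "updated" });
        }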
 /// <summary>
 /// String overload: hands <paramref name="input"/> straight to AntiXss.GetSafeHtml.
 /// Unlike the object overload, a null input is passed through to AntiXss as-is rather
 /// than being mapped to an empty string; what is stripped or kept is decided by AntiXss.
 /// </summary>
 /// <param name="input">Untrusted HTML to sanitize.</param>
 /// <returns>Whatever AntiXss.GetSafeHtml returns for <paramref name="input"/>.</returns>
 public static string GetSafeHtml(this string input)
 {
     var safe = AntiXss.GetSafeHtml(input);
     return safe;
 }