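/// <summary>
/// Persists a new form, plus one field row per posted field, for the signed-in user.
/// </summary>
/// <param name="viewModel">The posted definition; <c>Form.FormName</c> and <c>FormFields</c> are read from it.</param>
/// <returns>
/// A redirect to <c>List</c> with <c>Message = "created"</c> on success; the Create view again, with model-state
/// errors and the field-type select lists rebuilt, when the form details or fields were not posted or a
/// <c>SelectedFormFieldType</c> is not a well-formed Guid; an HTTP 401 when the signed-in user cannot be
/// resolved through <see cref="Membership"/>.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="viewModel"/> is null.</exception>
/// <exception cref="InvalidOperationException">No unused short path could be allocated.</exception>
public ActionResult Create(FormViewModel viewModel)
{
    if (viewModel == null)
    {
        throw new ArgumentNullException("viewModel");
    }

    //TODO: With the complexity of what we're sending back in the viewModel, the ModelState.IsValid breaks down ... need to re-evaluate
    // Until that is sorted out, only the explicit checks in this method gate the save.

    // Membership.GetUser returns null for an unknown or anonymous name; unboxing ProviderUserKey
    // would then throw a NullReferenceException instead of a clean refusal.
    var user = Membership.GetUser(User.Identity.Name);
    if (user == null || user.ProviderUserKey == null)
    {
        return new HttpUnauthorizedResult();
    }

    // Validate before touching the context so a malformed type id (formerly a FormatException out of
    // the Guid constructor part-way through the loop) cannot leave half-built entities behind.
    var inputValid = true;
    if (viewModel.Form == null)
    {
        ModelState.AddModelError("Form", "The form details were not posted.");
        inputValid = false;
    }
    if (viewModel.FormFields == null)
    {
        ModelState.AddModelError(string.Empty, "No form fields were posted.");
        inputValid = false;
    }
    else
    {
        var index = 0;
        foreach (var formField in viewModel.FormFields)
        {
            Guid parsedTypeUid;
            if (!Guid.TryParse(formField.SelectedFormFieldType, out parsedTypeUid))
            {
                ModelState.AddModelError("FormFields[" + index + "].SelectedFormFieldType", "Select a valid field type.");
                inputValid = false;
            }
            index++;
        }
    }

    if (!inputValid)
    {
        // The select lists are not part of the postback, so rebuild them before redisplaying.
        if (viewModel.FormFields != null)
        {
            foreach (var formField in viewModel.FormFields)
            {
                formField.FormFieldTypes = GetFormFieldTypes();
            }
        }
        return View(viewModel);
    }

    // Fields that may contain line breaks but must not carry markup: sanitize as a fragment, strip any
    // tags the sanitizer left (so no HTML/BODY wrapper is stored), then put the breaks back.
    Func<string, string> cleanFragment =
        text => AntiXss.GetSafeHtmlFragment(text.PreserveBreaks()).KillHtml().RestoreBreaks();

    // One timestamp for the form and all of its fields.
    // NOTE(review): local server time, as before; DateTime.UtcNow would be safer if these are ever compared across hosts.
    var now = DateTime.Now;

    var newForm = _mvcForms.Forms.CreateObject();
    newForm.Uid = Guid.NewGuid();
    newForm.UserId = (Guid)user.ProviderUserKey;
    newForm.ShortPath = NewUniqueShortPath();
    newForm.FormName = viewModel.Form.FormName;
    newForm.Timestamp = now;
    _mvcForms.AddToForms(newForm);

    var sortOrder = 1;
    foreach (var formField in viewModel.FormFields)
    {
        var newFormField = _mvcForms.FormFields.CreateObject();
        newFormField.FormUid = newForm.Uid;
        newFormField.Uid = Guid.NewGuid();
        newFormField.FormFieldTypeUid = new Guid(formField.SelectedFormFieldType); // parse already proven above
        newFormField.FormFieldName = cleanFragment(formField.FormFieldName);
        newFormField.FormFieldPrompt = cleanFragment(formField.FormFieldPrompt);
        newFormField.IsHidden = 0;
        newFormField.IsRequired = Convert.ToByte(formField.IsRequired);
        newFormField.SortOrder = sortOrder++;
        newFormField.Timestamp = now;
        //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
        newFormField.Options = cleanFragment(formField.Options);
        // NOTE(review): Orientation and EmptyOption are stored exactly as posted; confirm the views encode them on output.
        newFormField.Orientation = formField.Orientation;
        newFormField.IsMultipleSelect = Convert.ToByte(formField.IsMultipleSelect);
        newFormField.ListSize = formField.ListSize;
        newFormField.IsEmptyOption = Convert.ToByte(formField.IsEmptyOption);
        newFormField.EmptyOption = formField.EmptyOption;
        newFormField.Rows = formField.Rows;
        newFormField.Cols = formField.Cols;
        newFormField.ValidExtensions = cleanFragment(formField.ValidExtensions);
        newFormField.ErrorExtensions = cleanFragment(formField.ErrorExtensions);
        newFormField.MaxSizeBytes = formField.MaxSizeBytes;
        // Literal text is allowed to keep sanitized markup, so it goes through the whole-document sanitizer.
        newFormField.LiteralText = AntiXss.GetSafeHtml(formField.LiteralText);
        _mvcForms.AddToFormFields(newFormField);
    }

    _mvcForms.SaveChanges();
    return RedirectToAction("List", new { Message = "created" });
}

/// <summary>
/// Draws a five-character short path that no stored form currently uses.
/// </summary>
/// <returns>A value of <c>RandomString(5)</c> that is absent from <c>_mvcForms.Forms.ShortPath</c> at query time.</returns>
/// <exception cref="InvalidOperationException">No unused value was found within the attempt budget.</exception>
private string NewUniqueShortPath()
{
    const int maxAttempts = 10;
    for (var attempt = 0; attempt < maxAttempts; attempt++)
    {
        var candidate = RandomString(5);
        // This query is what keeps two forms from sharing a public path; a unique index on ShortPath
        // would also close the remaining window between this check and SaveChanges.
        // NOTE(review): if ShortPath is the public URL to a form, confirm RandomString draws from a
        // cryptographic source rather than System.Random so paths are not guessable.
        if (!_mvcForms.Forms.Any(form => form.ShortPath == candidate))
        {
            return candidate;
        }
    }

    throw new InvalidOperationException("Could not allocate an unused short path.");
}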
/// <summary>
/// View helper that routes <paramref name="input"/> through the AntiXss HTML sanitizer.
/// </summary>
/// <param name="helper">The helper the extension hangs off; not used by the method itself.</param>
/// <param name="input">Markup to sanitize; handed to <c>AntiXss.GetSafeHtml</c> unchanged (null handling is the sanitizer's — confirm).</param>
/// <returns>Whatever <c>AntiXss.GetSafeHtml</c> returns for <paramref name="input"/>.</returns>
public static string Sanitize(this HtmlHelper helper, string input)
{
    string safeMarkup = AntiXss.GetSafeHtml(input);
    return safeMarkup;
}
/// <summary>
/// Runs the string form of <paramref name="input"/> through the AntiXss HTML sanitizer.
/// </summary>
/// <param name="input">Any object; its <c>ToString()</c> result is what gets sanitized.</param>
/// <returns>The sanitized markup, or <see cref="string.Empty"/> when <paramref name="input"/> is null.</returns>
public static string GetSafeHtml(this object input)
{
    if (input == null)
    {
        return string.Empty;
    }

    var text = input.ToString();
    return AntiXss.GetSafeHtml(text);
}
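/// <summary>
/// Applies a posted definition to an existing form that belongs to the signed-in user.
/// </summary>
/// <param name="viewModel">The posted definition; <c>Form.FormName</c> and <c>FormFields</c> are read from it.
/// The target form comes from the hidden <c>Form.Uid</c> input and the originally rendered field ids from the
/// hidden <c>ListFields</c> input, both read through <c>Request</c>.</param>
/// <returns>
/// A redirect to <c>List</c> with <c>Message = "updated"</c> on success; the Edit view again, with model-state
/// errors and the field-type select lists rebuilt, when an identifier is malformed or the form details or fields
/// were not posted; an HTTP 401 when the user cannot be resolved, or the form does not exist or is not owned by
/// that user.
/// </returns>
/// <exception cref="ArgumentNullException"><paramref name="viewModel"/> is null.</exception>
[ValidateInput(false)] //This allows HTML posts to be accepted; we use AntiXss to avoid issues
public ActionResult Edit(FormViewModel viewModel)
{
    if (viewModel == null)
    {
        throw new ArgumentNullException("viewModel");
    }

    //TODO: With the complexity of what we're sending back in the viewModel, the ModelState.IsValid breaks down ... need to re-evaluate
    // Until that is sorted out, only the explicit checks in this method gate the save.

    // Membership.GetUser returns null for an unknown or anonymous name.
    var user = Membership.GetUser(User.Identity.Name);
    if (user == null || user.ProviderUserKey == null)
    {
        return new HttpUnauthorizedResult();
    }
    var currentUserId = (Guid)user.ProviderUserKey;

    // The target form is identified by a hidden input rather than by the bound model.
    // NOTE(review): Request[] also reads the query string and cookies; Request.Form[] would limit this to the post body.
    Guid thisFormUid;
    if (!Guid.TryParse(Request["Form.Uid"], out thisFormUid))
    {
        ModelState.AddModelError("Form.Uid", "The form identifier is missing or malformed.");
        // The select lists are not part of the postback, so rebuild them before redisplaying.
        if (viewModel.FormFields != null)
        {
            foreach (var formField in viewModel.FormFields)
            {
                formField.FormFieldTypes = GetFormFieldTypes();
            }
        }
        return View(viewModel);
    }

    // Create stamps UserId from the signed-in user, so only that user may edit the form; without the UserId
    // filter any authenticated user could edit any form just by posting its Uid. "Does not exist" and
    // "not yours" deliberately get the same response.
    var editForm = _mvcForms.Forms.FirstOrDefault(form => form.Uid == thisFormUid && form.UserId == currentUserId);
    if (editForm == null)
    {
        return new HttpUnauthorizedResult();
    }

    // The view shows the stored name while the posted one is being applied.
    ViewData["FormName"] = editForm.FormName;

    var inputValid = true;
    if (viewModel.Form == null)
    {
        ModelState.AddModelError("Form", "The form details were not posted.");
        inputValid = false;
    }
    else
    {
        editForm.FormName = viewModel.Form.FormName;
    }

    // Fields that were rendered (ListFields) but no longer appear in the post were removed by the user;
    // they are hidden rather than deleted.
    var listFieldsRaw = Request["ListFields"];
    if (!string.IsNullOrEmpty(listFieldsRaw))
    {
        foreach (var listField in listFieldsRaw.Split(new[] { ',' }, StringSplitOptions.RemoveEmptyEntries))
        {
            Guid listFieldUid;
            if (!Guid.TryParse(listField, out listFieldUid))
            {
                ModelState.AddModelError("ListFields", "A field identifier in the field list is malformed.");
                inputValid = false;
                continue;
            }

            var stillPosted = viewModel.FormFields != null
                              && viewModel.FormFields.Any(field => field.Uid == listFieldUid);
            if (stillPosted)
            {
                continue;
            }

            // Scoped to this form so a tampered ListFields value cannot hide another form's field; a stale id
            // that matches nothing is simply ignored (the old Single() would have thrown).
            var removedField = _mvcForms.FormFields.FirstOrDefault(field => field.Uid == listFieldUid && field.FormUid == thisFormUid);
            if (removedField != null)
            {
                removedField.IsHidden = 1;
            }
        }
    }

    // Fields that may contain line breaks but must not carry markup: sanitize as a fragment, strip any tags
    // the sanitizer left (so no HTML/BODY wrapper is stored), then put the breaks back.
    Func<string, string> cleanFragment =
        text => AntiXss.GetSafeHtmlFragment(text.PreserveBreaks()).KillHtml().RestoreBreaks();

    if (viewModel.FormFields == null)
    {
        ModelState.AddModelError(string.Empty, "No form fields were posted.");
        inputValid = false;
    }
    else
    {
        var sortOrder = 1;
        var index = 0;
        foreach (var formField in viewModel.FormFields)
        {
            var thisField = formField; // local copy so the lambda below does not capture the loop variable

            // An existing field must match on Uid *and* FormUid; a Uid belonging to another form is treated as
            // unknown (and becomes a new field here) rather than overwritten.
            var oldFormField = _mvcForms.FormFields.FirstOrDefault(item => item.Uid == thisField.Uid && item.FormUid == thisFormUid);
            if (oldFormField != null)
            {
                oldFormField.FormFieldName = cleanFragment(thisField.FormFieldName);
                oldFormField.FormFieldPrompt = cleanFragment(thisField.FormFieldPrompt);
                oldFormField.IsRequired = Convert.ToByte(thisField.IsRequired);
                oldFormField.SortOrder = sortOrder++;
                //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
                oldFormField.Options = cleanFragment(thisField.Options);
                // NOTE(review): Orientation and EmptyOption are stored exactly as posted; confirm the views encode them on output.
                oldFormField.Orientation = thisField.Orientation;
                oldFormField.IsMultipleSelect = Convert.ToByte(thisField.IsMultipleSelect);
                oldFormField.ListSize = thisField.ListSize;
                oldFormField.IsEmptyOption = Convert.ToByte(thisField.IsEmptyOption);
                oldFormField.EmptyOption = thisField.EmptyOption;
                oldFormField.Rows = thisField.Rows;
                oldFormField.Cols = thisField.Cols;
                oldFormField.ValidExtensions = cleanFragment(thisField.ValidExtensions);
                oldFormField.ErrorExtensions = cleanFragment(thisField.ErrorExtensions);
                oldFormField.MaxSizeBytes = thisField.MaxSizeBytes;
                // Literal text is allowed to keep sanitized markup, so it goes through the whole-document sanitizer.
                oldFormField.LiteralText = AntiXss.GetSafeHtml(thisField.LiteralText);
            }
            else
            {
                Guid thisFormFieldUid;
                if (!Guid.TryParse(thisField.SelectedFormFieldType, out thisFormFieldUid))
                {
                    // Formerly a FormatException out of the Guid constructor; now a model-state error.
                    ModelState.AddModelError("FormFields[" + index + "].SelectedFormFieldType", "Select a valid field type.");
                    inputValid = false;
                }
                else
                {
                    var newFormField = _mvcForms.FormFields.CreateObject();
                    newFormField.FormUid = thisFormUid;
                    newFormField.Uid = Guid.NewGuid();
                    newFormField.FormFieldTypeUid = thisFormFieldUid;
                    newFormField.FormFieldName = cleanFragment(thisField.FormFieldName);
                    newFormField.FormFieldPrompt = cleanFragment(thisField.FormFieldPrompt);
                    newFormField.IsHidden = 0;
                    newFormField.IsRequired = Convert.ToByte(thisField.IsRequired);
                    newFormField.SortOrder = sortOrder++;
                    // NOTE(review): local server time, as before; DateTime.UtcNow would be safer if compared across hosts.
                    newFormField.Timestamp = DateTime.Now;
                    //TODO: Not sure if this is per field type, but it shouldn't matter if validation works and nulls don't matter
                    newFormField.Options = cleanFragment(thisField.Options);
                    newFormField.Orientation = thisField.Orientation;
                    newFormField.IsMultipleSelect = Convert.ToByte(thisField.IsMultipleSelect);
                    newFormField.ListSize = thisField.ListSize;
                    newFormField.IsEmptyOption = Convert.ToByte(thisField.IsEmptyOption);
                    newFormField.EmptyOption = thisField.EmptyOption;
                    newFormField.Rows = thisField.Rows;
                    newFormField.Cols = thisField.Cols;
                    newFormField.ValidExtensions = cleanFragment(thisField.ValidExtensions);
                    newFormField.ErrorExtensions = cleanFragment(thisField.ErrorExtensions);
                    newFormField.MaxSizeBytes = thisField.MaxSizeBytes;
                    newFormField.LiteralText = AntiXss.GetSafeHtml(thisField.LiteralText);
                    _mvcForms.AddToFormFields(newFormField);
                }
            }
            index++;
        }
    }

    if (!inputValid)
    {
        // Nothing has been saved: the edits above live only in the context and are dropped with it.
        // NOTE(review): that assumes _mvcForms is created per request — confirm it is never shared.
        // The select lists are not part of the postback, so rebuild them before redisplaying.
        if (viewModel.FormFields != null)
        {
            foreach (var formField in viewModel.FormFields)
            {
                formField.FormFieldTypes = GetFormFieldTypes();
            }
        }
        return View(viewModel);
    }

    _mvcForms.SaveChanges();
    return RedirectToAction("List", new { Message = "updated" });
}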
/// <summary>
/// Extension form of the AntiXss HTML sanitizer for strings.
/// </summary>
/// <param name="input">Markup to sanitize; handed to <c>AntiXss.GetSafeHtml</c> unchanged (null handling is the sanitizer's — confirm).</param>
/// <returns>Whatever <c>AntiXss.GetSafeHtml</c> returns for <paramref name="input"/>.</returns>
public static string GetSafeHtml(this string input)
{
    var sanitized = AntiXss.GetSafeHtml(input);
    return sanitized;
}