Skip Navigation LinksHome / Community & Support / Developer Productivity Tools Forums / Telerik MVC Extensions (superseded) > General Discussions > GridRouteValues, AllowHtml

Not answered GridRouteValues, AllowHtml

Feed from this thread
  • Stefan avatar

    Posted on Aug 17, 2011 (permalink)

    GridRouteValues doesn't play nice with AllowHtml, reason for this seems to be that it directly accesses Request.Params which detonates in your face, because AllowHtml appearently only works during ModelBinding.

    This totally gets hidden from view if you use this.GridRouteValues() with RedirectToAction, i.e. return RedirectToAction("Index", this.GridRouteValues()), you will only end up with a blank page (unless you are in debug mode).

    After digging around for about an hour, I finally found something interesting on StackOverflow:  http://stackoverflow.com/questions/6800739/actionmethodselectorattribute-allowhtml

    Armed with that knowledge I went and fixed GridRouteValues() (yeah, I'm not good at naming things...) and created a few overloads which I'm using all the time now so I don't have to merge RouteValues by hand if I want to preserve Grid-state in ActionLinks etc.

    public static RouteValueDictionary FixedGridRouteValues(this ControllerBase controller)
            {
                return FixedGridRouteValues(controller, new RouteValueDictionary());
            }
      
            public static RouteValueDictionary FixedGridRouteValues(this ControllerBase controller, object routeValues)
            {
                return FixedGridRouteValues(controller, new RouteValueDictionary(routeValues));
            }
      
            public static RouteValueDictionary FixedGridRouteValues(this ControllerBase controller, RouteValueDictionary routeValues)
            {
                Func<NameValueCollection> formGetter;
                Func<NameValueCollection> queryStringGetter;
      
                ValidationUtility.GetUnvalidatedCollections(HttpContext.Current, out formGetter, out queryStringGetter);
      
                var queryString = queryStringGetter();
      
                foreach (string key in queryString)
                {
                    if (key.EndsWith(GridUrlParameters.CurrentPage, StringComparison.OrdinalIgnoreCase) ||
                        key.EndsWith(GridUrlParameters.Filter, StringComparison.OrdinalIgnoreCase) ||
                        key.EndsWith(GridUrlParameters.OrderBy, StringComparison.OrdinalIgnoreCase) ||
                        key.EndsWith(GridUrlParameters.GroupBy, StringComparison.OrdinalIgnoreCase))
                    {
                        routeValues[key] = queryString[key];
                    }
                }
      
                return routeValues;
            }

    What do you think? Anything I'm overlooking that could blow in my face?

Edit: 
    var request = controller.ControllerContext.HttpContext.Request.Unvalidated();

Works too and isn't as noisy. Lives in System.Web.WebPages.

    Reply

  • Atanas Korchev Atanas Korchev admin's avatar

    Posted on Aug 18, 2011 (permalink)

    Hello Stefan,

     We are not sure what the exact problem is. Could you please provide more details or send a sample project?

    Regards,
    Atanas Korchev
    the Telerik team

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

    Reply

  • Stefan avatar

    Posted on Aug 18, 2011 (permalink)

    The problem is a your GridRouteValues function when request validation enabled. In MVC3 you can decorate properties which are allowed to contain HTML with AllowHtml, if you do so those (and only those) properties will not be inspected for malicious html etc during ModelBinding. I don't know how exactly this is accomplished but probably something akin to what I did above.

    In GridRouteValues you access the Request.Params directly, thus triggering request validation, which of course throws, since it doesn't honor AllowHtml.

    The above is a workaround for the problem, should you deem it unsafe to completely disable request validation on anything else then the a property.

    Reply

  • Rosen Rosen admin's avatar

    Posted on Aug 18, 2011 (permalink)

    Hello Stefan,

    We managed to recreate the issue you have described and I have attached an internal build which should address it. Please give it a try. I have updated your telerik points too.

    All the best,
    Rosen
    the Telerik team

    Do you want to have your say when we set our development plans? Do you want to know when a feature you care about is added or when a bug fixed? Explore the Telerik Public Issue Tracking system and vote to affect the priority of the items

    Reply

Back to Top

Skip Navigation LinksHome / Community & Support / Developer Productivity Tools Forums / Telerik MVC Extensions (superseded) > General Discussions > GridRouteValues, AllowHtml