Chapter 4 Getting Started
Convention over configuration:
- The name of each controller class ends with Controller, for example HomeController. These classes live in the Controllers directory.
- The views used by a controller live in a sub-directory of the Views directory that is named after the controller (without the Controller suffix).
- Inside that folder, each action method has a view file of the same name.
Chapter 4 Controller
A URL does not map directly to a file stored on the web server's disk; it maps to a method of a controller class.
A good way to understand how the MVC pattern works in a web scenario is to remember that MVC serves the results of method calls rather than dynamically generated (scripted) pages.
Use HttpUtility.HtmlEncode to pre-process user input. This prevents users from injecting JavaScript code or HTML tags into the view through links.
Chapter 3 View
In some cases you may even need to specify a view that lives in a completely different directory structure. You can then use the ~ syntax to give the full path of the view; in that case the file extension of the view must be included.
In a controller method you can specify a model by passing a model instance to an overload of the View method.

    public ActionResult List()
    {
        var albums = new List<Album>();
        for (int i = 0; i < 10; i++)
        {
            albums.Add(new Album { Title = "Album " + i });
        }
        return View(albums);   // the overload that takes a model object
    }

Behind the scenes, the value passed to the View method is assigned to the ViewData.Model property. Next, the view declares which model type it expects using @model.

    @model IEnumerable<MvcApplication1.Models.Album>
    <ul>
    @foreach (var album in Model)
    {
        <li>@album.Title</li>
    }
    </ul>
To eliminate the ambiguity that Razor's parsing can introduce, enclose the expression in parentheses.
Use two @ symbols to escape a single @.
When assigning user-supplied values to variables in JavaScript, it is important to use JavaScript string encoding rather than HTML encoding. That is, the @Ajax.JavaScriptStringEncode method should be used to encode the user input, which effectively prevents XSS attacks.
Section 3.6.5 gives a Razor syntax example with nine details (p. 52).
Chapter 4 Model
One of the core features of ASP.NET MVC is model binding, which saves us from pulling values out of the request's form collection by hand.
Model binding usually happens implicitly, but you can also invoke it explicitly with the UpdateModel and TryUpdateModel methods.
Chapter 2 Forms and HTML Helpers
Because class is a reserved keyword in C# and cannot be used as a property name or identifier, you must prefix it with the @ symbol (@class).
A C# property name cannot contain a hyphen, but all HTML helpers convert an underscore in an attribute name to a hyphen when rendering HTML.
The strongly typed helpers carry the suffix For; you only need to pass them a lambda expression that selects the model property to render.
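The Razor points above (parentheses, @@, the @class prefix, underscore-to-hyphen, and JavaScript string encoding) in one view, as an added example that is not from the book; it assumes an Album model with Title and Price properties in the MvcApplication1.Models namespace:

```cshtml
@model MvcApplication1.Models.Album
@{ var count = 3; }

@* Without the parentheses Razor would look for a variable named "countitems" *@
<p>You have @(count)items in your basket</p>

@* Two @ symbols emit one literal @ *@
<p>Contact: support@@example.com</p>

@* "class" is a C# keyword, so it is written @class; data_role is rendered as data-role *@
@Html.TextBoxFor(m => m.Title, new { @class = "wide", data_role = "album-title" })

<span id="banner"></span>
<script type="text/javascript">
    // Inside a JavaScript string literal, HTML encoding is the wrong tool: a quote
    // or </script> in Model.Title must be escaped as a JS string, not as HTML.
    var title = '@Ajax.JavaScriptStringEncode(Model.Title)';
    document.getElementById("banner").innerText = title;
</script>
```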
Chapter 4 Application Security
Remember these tips:
- Never trust any data supplied by users. This includes all form values, URLs, cookies, and personal information from third-party sources. The database or services the site talks to may also hand back unencoded data, so trust no input to the application and encode the data wherever possible.
- When rendering data that came from user input, HTML-encode it (if the data is rendered as an attribute value, use HTML attribute encoding, HtmlAttributeEncode).
- Consider which parts of the site allow anonymous access and which require authenticated access.
- Do not try to sanitize users' HTML input yourself (with a whitelist or any other method); you will get it wrong.
- Use HttpOnly cookies whenever client-side script does not need to access the cookie.
- The AntiXSS library (www.codeplex.com/antixss) is strongly recommended.
Blocking XSS attacks
There are two approaches to the JavaScript-encoding form of XSS: 1. The strict approach is to use the Ajax.JavaScriptStringEncode helper to encode the strings used in JavaScript. 2. The more thorough approach is to use the AntiXSS library.
Blocking CSRF attacks
1. Token verification. The simplest form is to insert a hidden input element containing a unique value into each form request:
   add @Html.AntiForgeryToken() to the form in the page, and
   add the [ValidateAntiForgeryToken] attribute to the action method.
2. Idempotent GET requests.
3. HttpReferrer verification, i.e. check AuthorizationContext.HttpContext.Request.UrlReferrer.Host.
Using HttpOnly to prevent cookie theft
You can in fact stop script from accessing the site's cookies simply by setting the HttpOnly flag, either in web.config or on individual cookies. The flag tells the browser that, apart from the server modifying or setting the cookie, any other operation on the cookie is not allowed. Simple as it is, it blocks most XSS-based cookie problems.
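The three CSRF defences above (anti-forgery token, a referrer check on AuthorizationContext, and an HttpOnly cookie) in one controller, as an added example that is not from the book. RequireSameHostReferrerAttribute, AccountController and the cookie name are hypothetical names chosen here:

```csharp
using System;
using System.Web;
using System.Web.Mvc;

// Hypothetical filter, not from the book: rejects form posts whose Referer names a
// foreign host, as a second line of defence next to [ValidateAntiForgeryToken].
public class RequireSameHostReferrerAttribute : FilterAttribute, IAuthorizationFilter
{
    public void OnAuthorization(AuthorizationContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;
        Uri referrer = request.UrlReferrer;
        // Proxies and privacy tools often strip the Referer, so a missing header is
        // tolerated here; only an explicit foreign host is rejected.
        if (referrer != null &&
            !string.Equals(referrer.Host, request.Url.Host, StringComparison.OrdinalIgnoreCase))
        {
            filterContext.Result = new HttpStatusCodeResult(403, "Cross-site request rejected");
        }
    }
}

public class AccountController : Controller
{
    // GET: renders the form. The view must call @Html.AntiForgeryToken() inside the
    // <form> so the hidden __RequestVerificationToken field is posted back.
    public ActionResult ChangeEmail()
    {
        return View();
    }

    [HttpPost]
    [ValidateAntiForgeryToken]   // hidden field must match the anti-forgery cookie
    [RequireSameHostReferrer]
    public ActionResult ChangeEmail(string newEmail)
    {
        // persisting the new address is omitted

        // Client script never needs this cookie, so HttpOnly keeps an XSS payload
        // from reading it; Secure keeps it off plain HTTP when the site uses HTTPS.
        var cookie = new HttpCookie("lastEmailChange", DateTime.UtcNow.ToString("o"))
        {
            HttpOnly = true,
            Secure = Request.IsSecureConnection
        };
        Response.Cookies.Add(cookie);
        return RedirectToAction("Index", "Home");
    }
}
```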
Using the Bind attribute to defend against over-posting attacks
The simplest way to defend against over-posting attacks is to use the [Bind] attribute to control explicitly which properties the model binder is allowed to bind. [Bind] can be placed either on the model class or on the controller action parameter, and it can express a whitelist or a blacklist.
To defend against open redirection attacks, call the IsLocalUrl() method of the System.Web.Mvc.UrlHelper class to validate the returnUrl parameter.
Deploying with the retail configuration
Setting web.config -> system.web -> <deployment retail="true" /> affects the following settings:
- customErrors mode is set to On, the most secure setting.
- Trace output is disabled.
- Debugging is disabled.
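Explicit model binding (UpdateModel/TryUpdateModel from the Model chapter), the [Bind] whitelist and the IsLocalUrl check together, as an added example that is not from the book. The Album class with an IsAdmin property, StoreManagerController and the LoadAlbum/SaveAlbum helpers are assumptions made here:

```csharp
using System.Web.Mvc;

// Assumed model (not from the book): IsAdmin must never be settable from a form post.
public class Album
{
    public int AlbumId { get; set; }
    public string Title { get; set; }
    public decimal Price { get; set; }
    public bool IsAdmin { get; set; }
}

public class StoreManagerController : Controller
{
    // Whitelist on the parameter: only Title and Price are bound, so an extra
    // "IsAdmin=true" field in the posted form is ignored by the model binder.
    [HttpPost]
    public ActionResult Edit([Bind(Include = "Title,Price")] Album album, string returnUrl)
    {
        if (!ModelState.IsValid)
            return View(album);

        SaveAlbum(album);

        // Open-redirect check: follow returnUrl only when it points at this site.
        if (Url.IsLocalUrl(returnUrl))
            return Redirect(returnUrl);
        return RedirectToAction("Index");
    }

    // Explicit binding: load the stored entity first, then copy in only the
    // whitelisted properties instead of trusting a whole posted object.
    [HttpPost]
    public ActionResult Update(int id)
    {
        Album album = LoadAlbum(id);
        string[] allowed = { "Title", "Price" };

        if (TryUpdateModel(album, allowed))   // false => validation errors are in ModelState
        {
            SaveAlbum(album);
            return RedirectToAction("Index");
        }
        return View("Edit", album);
    }

    // Hypothetical persistence helpers; a real application would use its repository.
    private Album LoadAlbum(int id) { return new Album { AlbumId = id, Title = "stored" }; }
    private void SaveAlbum(Album album) { }
}
```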
Summary
Threat | Solution
Complacency | Educate yourself. Assume the application will be hacked. Remember: protecting your data is the most important thing.
Cross-site scripting (XSS) | HTML-encode all content. Encode attributes. Remember JavaScript encoding. Use the AntiXSS class if possible.
Cross-site request forgery (CSRF) | Token verification. Idempotent GET requests. HttpReferrer verification.
Over-posting | Use the [Bind] attribute to explicitly whitelist or blacklist properties.
Chapter 2 Ajax
A notable characteristic of unobtrusive JavaScript is that the HTML contains no JavaScript code. Instead we attach data- prefixed attributes to HTML elements. Web browsers, including IE 6, make no attempt to interpret the content of data- attributes.
To improve Ajax performance you can use:
- Firebug's YSlow (see http://developer.yahoo.com/yslow)
- Developer Tools for IE (see http://msdn.microsoft.com/zh-cn/library/dd565629%28v=vs.85%29.aspx)
- A Content Delivery Network (CDN). A CDN has edge-cached servers all over the world, so clients are likely to experience faster downloads. Microsoft provides a CDN; see http://www.asp.net/ajaxlibrary/CDN.ashx for the latest versions.
- Placing all script tags at the bottom of the page, which gives a better user experience.
- Microsoft's JavaScript minification tool: http://ajaxmin.codeplex.com/
- Reducing the number of script tags sent to the client. For any page, the optimal number of script tags the browser has to process is one. A script combiner can bundle multiple JavaScript files into a single resource. A recommended one: http://combres.codeplex.com/
Chapter 1 Routing
Using StopRoutingHandler is one way to make the routing system ignore a request.
There is also a simpler way to make routing ignore a route: IgnoreRoute.
One thing to remember: when selecting a matching route, routing does not look for an exact match, only a suitable one. In other words, as long as the supplied parameters satisfy the route, it does not matter whether additional parameters are also supplied.
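Both ways of excluding requests from routing, next to a default route that still matches when extra parameters are present, as an added example that is not from the book; the RouteConfig class name is an assumption (in MVC 3 this registration normally sits in Global.asax.cs):

```csharp
using System.Web.Mvc;
using System.Web.Routing;

public class RouteConfig   // hypothetical name for the registration class
{
    public static void RegisterRoutes(RouteCollection routes)
    {
        // IgnoreRoute: the simpler way to keep routing away from a request
        routes.IgnoreRoute("{resource}.axd/{*pathInfo}");

        // StopRoutingHandler: same effect, expressed as an explicit route entry
        routes.Add("static-content", new Route("Content/{*path}", new StopRoutingHandler()));

        // "Suitable, not exact" matching: /Store/Details/5 matches this route, and so
        // does /Store/Details/5?sort=asc, because the extra query parameter does not
        // disqualify the route; it is simply passed through to the action.
        routes.MapRoute(
            "Default",
            "{controller}/{action}/{id}",
            new { controller = "Home", action = "Index", id = UrlParameter.Optional });
    }
}
```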
Chapter 4 Unit Testing
Do not test several behaviours in one test. A good unit test usually exercises a very small piece of functionality, that is, a single behaviour.
Some developers call this the single assertion rule. Do not take it to mean that a test may call Assert only once; what matters is testing only one behaviour at a time, and verifying one logical behaviour often requires several Assert calls.
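A test in the spirit of that rule, as an added example that is not from the book: one behaviour of the List() action shown in the Controller chapter, checked with several asserts. It assumes an NUnit test project, a HomeController exposing that List() action and the Album model with a Title property:

```csharp
using System.Collections.Generic;
using System.Web.Mvc;
using NUnit.Framework;

[TestFixture]
public class HomeControllerTests
{
    // One behaviour under test ("List hands ten albums to its default view"),
    // verified with several asserts: that is still a single-behaviour test.
    [Test]
    public void List_ReturnsDefaultViewWithTenAlbums()
    {
        var controller = new HomeController();   // assumed to contain the List() action

        var result = controller.List() as ViewResult;

        Assert.IsNotNull(result, "List should render a view rather than redirect");
        Assert.AreEqual(string.Empty, result.ViewName, "the convention-based view is used");
        var albums = result.Model as List<Album>;
        Assert.IsNotNull(albums, "the view model should be the album list");
        Assert.AreEqual(10, albums.Count);
    }
}
```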
Chapter 2 Advanced Topics
This chapter covers many interesting topics:
- Templated Razor delegates
- Routes editable at run time
- Using an asynchronous controller
Finished reading the book.