asp.net MVC model meta data and its customization: an important interface Imetadataaware

In introducing the Additionalmetadataattribute attribute used to customize the model metadata attribute, we mentioned the interface that it implements Imedataaware, which we say is a very important and useful interface, By customizing the features that implement this interface, we can freely customize the resulting model metadata. As the following code fragment shows, the Imedataaware interface has a unique method member onmetadatacreated. When the model metadata is created, it is initialized with this series of annotation attributes, and then gets the attributes that apply to the Imedataaware interface on the target element. and calls the Onmetadatacreated method with the initialized Modelmetadata object as a parameter. So we can create a feature that implements this interface not only to add additional metadata attributes, but also to modify related properties that have been initialized by the corresponding annotation attribute.

   1:public Interface Imetadataaware
   2: {
   3:     void onmetadatacreated (Modelmetadata metadata);
   4:}

asp.net MVC defines two features that implement the Imedataaware interface, one that we've already covered, and the other is Allowhtmlattribute.

First, Allowhtmlattribute

To prevent the eventual use of an attack on our web application by injecting some HTML into the input for a particular data, ASP.net MVC validates the corresponding request data before making the model binding, ensuring that no HTML tags are included. This validation of HTML markup is controlled by Modelmetadata requestvalidationenabled, as shown in the following code snippet, which is a Boolean type of writable property. This property is true by default, which means that request validation for HTML markup is turned on by default.

   1:public class Modelmetadata
   2: {
   3:     //other Members
   4: Public     virtual bool requestvalidationenabled {get; set;}
   5:}

The Allowhtmlattribute feature, as the name suggests, is to run the content containing the HTML tag as the target element. As shown in the following code snippet, Allowhtmlattribute implements the Imetadataaware interface, In the Onmetadatacreated method it sets the Requestvalidationenabled property of the Modelmetadata object that is the parameter directly to false so that the request validation for the target object is ignored.

   1: [AttributeUsage (Attributetargets.property, Allowmultiple=false, Inherited=true)]
   2:public sealed class Allowhtmlattribute:attribute, Imetadataaware
   3: {
   4: Public     void onmetadatacreated (Modelmetadata metadata)
   5:     {
   6:         //Other operations
   7:         metadata. requestvalidationenabled = false;
   8:     }
   9:}

To validate ASP.net MVC's request validation and Allowhtmlattribute for HTML tags, let's do a simple demo of the example. In an empty Web application created from the ASP.net MVC project template provided by Visual Studio, we have defined one of the following data type Foo, where the Allowhtmlattribute attribute is applied to the property Baz.

   1:public class Foo
   2: {
   3: Public     string Bar {get; set;}
   4:
   5:     [allowhtml]
   6: Public     string Baz {get; set;}
   7:}

We then create the following default HomeController, which has a parameter of type Foo in the default Index action method, which is rendered directly as model in the default view.

   1:public class Homecontroller:controller
   2: {
   3: Public     actionresult Index (foo foo)
   4:     {
   5: Return         View (foo);
   6:     }
   7:}

The view definition for the index operation shown below, which is a strongly typed view with Foo as model. In this view, we directly call the Htmlhelper<model> Editorformodel method to render the Foo object in edit mode.

   1: @model Foo
   2: @{
   3:     viewbag.title = "Index";
   4:}
   5: @Html. Editorformodel ()

Now we run the Web application directly. According to the rules of the model bindings we know that if we access the HomeController index operation through the browser, we can initialize the parameters of the action method by querying the string. Specifically, we can specify that the query string named Bar and Baz initialize two properties of the Foo object that is the parameter. To validate validation of input containing HTML tags, we set the query string that is ultimately bound to model to <script/>.

As the following illustration shows, because the Allowhtmlattribute attribute on Foo's property Baz is supported with data that contains HTML tags, we specify the contents of the HTML tag as a query string (<script/> is displayed directly in the appropriate text box. However, the Bar property, by default, does not run with any HTML tags on the bound data, so it treats the input data as maliciously injected HTML and throws an exception directly.