目的: V120602 - 具有潛在危險的Request.Form的值
- 傳至後端的欄位值含特殊符號 (HTML 標籤、javascript 等)
- .NET4.0 會出現錯誤訊息(避免駭客執行 javascript/..)
處理說明: 1> 因為原本的欄位值含有 HTML 字元 / javascript
.NET 4.0 避免駭客,所以出現錯誤訊息 (讀取 nvc["DESCPT"] 時)
2>前端資料送至後端前先編碼 , 再送至後端
- S_DB.add_np = {
'DFDCPTN': encodeURIComponent(Ext.getCmp("DFDCPTN").getValue()),
}
3> 後端資料先解碼, 再 assign 給欄位 (解碼後的值仍含原始 HTML / javascript 字元, .NET 的 Request 驗證已不再保護這兩個欄位, 所以顯示時必須再做 HTML 編碼)
nvc1["DFDCPTN"] = HttpUtility.UrlDecode(nvc["DFDCPTN"]);
nvc1["DFDCPTN"] = HttpUtility.UrlDecode(nvc["DFDCPTN"]);
1>*.js
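// Save handler for the edit form (btn_save).
Ext.getCmp('btn_save').beforeEdit = function () {
    // The [defect description] (DFDCPTN) and [progress description] (STATDCPTN)
    // fields may contain HTML characters, which ASP.NET 4.0 request validation
    // rejects ("potentially dangerous Request.Form value"). They are percent-encoded
    // here and UrlDecode'd again server-side in Update() before being stored.
    S_DB.add_np = {
        'DFDCPTN': encodeURIComponent(Ext.getCmp("DFDCPTN").getValue()),
        'STATDCPTN': encodeURIComponent(Ext.getCmp("STATDCPTN").getValue())
    };
    // Declared with `var`: the original assignment had no declaration and so
    // leaked `isCheck` as an implicit global (a ReferenceError under strict mode).
    var isCheck = S_DB.doSave('Update');
    return isCheck;
};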
2>*.cs
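/// <summary>
/// Applies the posted form values to the current record.
/// </summary>
/// <remarks>
/// The client (btn_save.beforeEdit) sends DFDCPTN and STATDCPTN percent-encoded so that
/// ASP.NET 4.0 request validation does not reject their HTML characters; they are decoded
/// here before being written. After decoding, these two values again hold raw HTML/script
/// text and request validation no longer protects them, so every view that renders
/// DFDCPTN or STATDCPTN must HTML-encode them on output.
/// </remarks>
[HttpPost]
public void Update()
{
    var c = System.Web.HttpContext.Current;
    NameValueCollection nvc = c.Request.Form;
    string[] arrCondition = getPK();   // primary-key columns used as the update condition

    // Copy every posted field; the indexer joins multi-valued keys with commas.
    NameValueCollection nvc1 = new NameValueCollection();
    foreach (string k in nvc.Keys)
    {
        nvc1[k] = nvc[k];
    }

    // 2023/09/26: these fields contain HTML characters, so the client encodes them before
    // posting and they must be decoded here. UrlDecode(null) returns null, so a missing
    // field stays absent rather than throwing.
    nvc1["DFDCPTN"] = HttpUtility.UrlDecode(nvc["DFDCPTN"]);
    nvc1["STATDCPTN"] = HttpUtility.UrlDecode(nvc["STATDCPTN"]);
    //nvc1["ITM"] = GET_NEXT_ITMNO();
    nvc1["UPPER"] = LoginUserModel.LoginUserId;
    // InvariantCulture pins '/' as the separator: in a custom format string '/' is the
    // culture's date separator, so without it "yyyy/MM/dd" would emit e.g. '.' or '-'
    // under a thread culture whose separator differs.
    nvc1["UPDT"] = DateTime.Now.ToString("yyyy/MM/dd", System.Globalization.CultureInfo.InvariantCulture);
    // NOTE(review): assumes excuteUpdate passes these values as SQL parameters — not visible here, verify.
    excuteUpdate(nvc1, DBTable, arrCondition);
}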
--> 刪除時, 依 PK 刪除, 所以後端讀欄位值時, 只讀 PK欄位, 不讀其他欄位
/// <summary>
/// Deletes the current record, identified by its primary key.
/// </summary>
[HttpPost]
public void Delete()
{
    NameValueCollection form = System.Web.HttpContext.Current.Request.Form;
    string[] pkColumns = getPK();
    // Deletion is keyed on the primary key only, so ITM is the sole posted value
    // forwarded; no other form field is read here.
    NameValueCollection deleteValues = new NameValueCollection();
    deleteValues["ITM"] = form["ITM"];
    // NOTE(review): assumes excuteDelete passes ITM as a SQL parameter — not visible here, verify.
    excuteDelete(deleteValues, DBTable, pkColumns);
}
/// <summary>
/// Deletes the record whose primary key (ITM) is posted in the form.
/// </summary>
public void Delete()
{
    var context = System.Web.HttpContext.Current;
    NameValueCollection posted = context.Request.Form;
    string[] keyColumns = getPK();
    // Only the PK is needed to delete, so the only field copied across is ITM.
    NameValueCollection pkOnly = new NameValueCollection();
    pkOnly["ITM"] = posted["ITM"];
    // NOTE(review): assumes excuteDelete passes ITM as a SQL parameter — not visible here, verify.
    excuteDelete(pkOnly, DBTable, keyColumns);
}