Is this safe?

PageData will contain the contents of a div, so there will be HTML within it. I've disabled ValidateInput to allow for 'potentially dangerous' data.

    using System.Web.Mvc;
    using Rotativa;
    using Umbraco.Core;
    using Umbraco.Web.Mvc;

    public class PDFController : SurfaceController
    {
        // HttpPost must come from System.Web.Mvc: the System.Web.Http (Web API) attribute
        // is ignored by MVC action selection, so the action would also answer GET requests.
        // ValidateInput(false) switches request validation off for the whole action.
        [HttpPost, ValidateInput(false)]
        public ActionResult GeneratePDF(string fileName)
        {
            // Raw HTML posted from the div; with validation disabled it is not inspected.
            var PDFMeContent = Request.Form["PageData"];
            var xpath = Umbraco.ContentSingleAtXPath("//pDFTemplate");

            // Umbraco.Core reference added for the IsNullOrWhiteSpace string helper.
            if (fileName.IsNullOrWhiteSpace())
            {
                fileName = "OwainCodes.PDF";
            }

            return new UrlAsPdf("https://www.owain.codes")
            {
                FileName = fileName
            };
        }
    }
 
@NikRimington commented May 22, 2020

IIRC, it would be better to change your action to receive the full model, and then on the model allow "allow html" on only that single property rather than on the whole method. Anything that can receive HTML is a potential risk, so you need to be careful IIRC.

https://www.dotnettricks.com/learn/mvc/html-submission-by-validateinput-and-allowhtml-attribute-in-mvc4 << this is a reasonable explanation.

And another one https://www.jitbit.com/alexblog/273-aspnet-mvc-allowing-html-for-particular-action-parameters/
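The per-property approach suggested in the comment, written out as an added example (not code from the gist author): a view model with [AllowHtml] on PageData only, bound by an MVC [HttpPost] action that keeps request validation on for every other field. PdfRequestModel and the 400 response are assumptions for illustration; the Rotativa call and the default file name are taken from the gist.

```csharp
using System.Web.Mvc;
using Rotativa;
using Umbraco.Web.Mvc;

// View model for the PDF form. Only PageData may carry HTML; FileName is still
// covered by ASP.NET request validation (model name is an assumption).
public class PdfRequestModel
{
    [AllowHtml]
    public string PageData { get; set; }

    public string FileName { get; set; }
}

public class PDFController : SurfaceController
{
    // HttpPost from System.Web.Mvc (not System.Web.Http) so GET is rejected.
    // No ValidateInput(false): validation stays on for the rest of the request.
    [HttpPost]
    public ActionResult GeneratePDF(PdfRequestModel model)
    {
        // [AllowHtml] only applies through model binding; reading
        // Request.Form["PageData"] directly would still trigger validation.
        if (model == null || string.IsNullOrWhiteSpace(model.PageData))
        {
            return new HttpStatusCodeResult(400, "PageData is required");
        }

        var fileName = string.IsNullOrWhiteSpace(model.FileName)
            ? "OwainCodes.PDF"
            : model.FileName;

        return new UrlAsPdf("https://www.owain.codes")
        {
            FileName = fileName
        };
    }
}
```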
