[Fixes #3868] Exclude Antiforgery token in form with method Get

This commit is contained in:
Ajay Bhargav Baaskaran 2016-01-14 16:21:16 -08:00
parent dd952d8d70
commit f0777b95a8
12 changed files with 442 additions and 116 deletions


@ -3,6 +3,7 @@
using System;
using System.Collections.Generic;
using System.ComponentModel;
using Microsoft.AspNet.Mvc.Rendering;
using Microsoft.AspNet.Mvc.ViewFeatures;
using Microsoft.AspNet.Razor.TagHelpers;
@ -68,7 +69,8 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
/// <summary>
/// Whether the antiforgery token should be generated.
/// </summary>
/// <value>Defaults to <c>false</c> if user provides an <c>action</c> attribute; <c>true</c> otherwise.</value>
/// <value>Defaults to <c>false</c> if user provides an <c>action</c> attribute
/// or if the <c>method</c> is <see cref="FormMethod.Get"/>; <c>true</c> otherwise.</value>
[HtmlAttributeName(AntiforgeryAttributeName)]
public bool? Antiforgery { get; set; }
@ -81,6 +83,13 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
[HtmlAttributeName(RouteAttributeName)]
public string Route { get; set; }
/// <summary>
/// The HTTP method to use.
/// </summary>
/// <remarks>Passed through to the generated HTML in all cases.</remarks>
[EditorBrowsable(EditorBrowsableState.Never)]
public string Method { get; set; }
/// <summary>
/// Additional parameters for the route.
/// </summary>
@ -122,6 +131,10 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
{
throw new ArgumentNullException(nameof(output));
}
if (Method != null)
{
output.CopyHtmlAttribute(nameof(Method), context);
}
var antiforgeryDefault = true;
@ -195,6 +208,11 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
output.MergeAttributes(tagBuilder);
output.PostContent.AppendHtml(tagBuilder.InnerHtml);
}
if (string.Equals(Method, FormMethod.Get.ToString(), StringComparison.OrdinalIgnoreCase))
{
antiforgeryDefault = false;
}
}
if (Antiforgery ?? antiforgeryDefault)
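Review bot: The new `string.Equals(Method, FormMethod.Get.ToString(), StringComparison.OrdinalIgnoreCase)` check only turns the default off when a `method` attribute is literally present and equal to "get"; a `<form>` with no `method` attribute submits as GET under the HTML default, so whether the fix also covers that case depends on the generator emitting `method="post"` when `Method` is null, which is not visible here and worth confirming with a test. A why-comment on the check would make the intent survive the next refactor: `// Default the token off for GET: a hidden field on a GET form ends up in the query string.` The comparison also calls `FormMethod.Get.ToString()` on every ProcessAsync; a `private const string GetMethod = "get";` next to the other attribute-name constants is clearer and avoids the allocation. ProcessAsync starts before this hunk and continues after it.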


@ -34,7 +34,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -43,9 +43,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// match the current request.
/// </summary>
/// <param name="htmlHelper">The <see cref="IHtmlHelper"/> instance this method extends.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <returns>
/// An <see cref="MvcForm"/> instance which renders the &lt;/form&gt; end tag when disposed.
@ -53,7 +55,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <remarks>
/// In this context, "renders" means the method writes its output using <see cref="ViewContext.Writer"/>.
/// </remarks>
public static MvcForm BeginForm(this IHtmlHelper htmlHelper, bool suppressAntiforgery)
public static MvcForm BeginForm(this IHtmlHelper htmlHelper, bool? antiforgery)
{
if (htmlHelper == null)
{
@ -66,7 +68,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: suppressAntiforgery,
antiforgery: antiforgery,
htmlAttributes: null);
}
@ -94,7 +96,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -130,7 +132,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: htmlAttributes);
}
@ -140,9 +142,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// </summary>
/// <param name="htmlHelper">The <see cref="IHtmlHelper"/> instance this method extends.</param>
/// <param name="method">The HTTP method for processing the form, either GET or POST.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <param name="htmlAttributes">
/// An <see cref="object"/> that contains the HTML attributes for the element. Alternatively, an
@ -158,7 +162,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
public static MvcForm BeginForm(
this IHtmlHelper htmlHelper,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes)
{
if (htmlHelper == null)
@ -171,7 +175,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: method,
suppressAntiforgery: suppressAntiforgery,
antiforgery: antiforgery,
htmlAttributes: htmlAttributes);
}
@ -205,7 +209,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: routeValues,
method: FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -237,7 +241,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -277,7 +281,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues,
FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -311,7 +315,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -353,7 +357,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues,
method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -393,7 +397,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: htmlAttributes);
}
@ -426,7 +430,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName: null,
routeValues: routeValues,
method: FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -442,9 +446,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <see cref="System.Collections.Generic.IDictionary{string, object}"/> instance containing the route
/// parameters.
/// </param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <returns>
/// An <see cref="MvcForm"/> instance which renders the &lt;/form&gt; end tag when disposed.
@ -452,7 +458,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <remarks>
/// In this context, "renders" means the method writes its output using <see cref="ViewContext.Writer"/>.
/// </remarks>
public static MvcForm BeginRouteForm(this IHtmlHelper htmlHelper, object routeValues, bool suppressAntiforgery)
public static MvcForm BeginRouteForm(this IHtmlHelper htmlHelper, object routeValues, bool? antiforgery)
{
if (htmlHelper == null)
{
@ -463,7 +469,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName: null,
routeValues: routeValues,
method: FormMethod.Post,
suppressAntiforgery: suppressAntiforgery,
antiforgery: antiforgery,
htmlAttributes: null);
}
@ -490,7 +496,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -500,9 +506,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// </summary>
/// <param name="htmlHelper">The <see cref="IHtmlHelper"/> instance this method extends.</param>
/// <param name="routeName">The name of the route.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <returns>
/// An <see cref="MvcForm"/> instance which renders the &lt;/form&gt; end tag when disposed.
@ -510,7 +518,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <remarks>
/// In this context, "renders" means the method writes its output using <see cref="ViewContext.Writer"/>.
/// </remarks>
public static MvcForm BeginRouteForm(this IHtmlHelper htmlHelper, string routeName, bool suppressAntiforgery)
public static MvcForm BeginRouteForm(this IHtmlHelper htmlHelper, string routeName, bool? antiforgery)
{
if (htmlHelper == null)
{
@ -521,7 +529,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: suppressAntiforgery,
antiforgery: antiforgery,
htmlAttributes: null);
}
@ -558,7 +566,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues,
FormMethod.Post,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -589,7 +597,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -628,7 +636,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues,
method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: null);
}
@ -665,7 +673,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: null,
htmlAttributes: htmlAttributes);
}
}
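Review bot: The new `<param name="antiforgery">` text on the overloads that take no method — `BeginForm(this IHtmlHelper, bool? antiforgery)`, `BeginRouteForm(…, object routeValues, bool? antiforgery)` and `BeginRouteForm(…, string routeName, bool? antiforgery)` — refers to `<paramref name="method"/>`, but those overloads have no `method` parameter (they always pass `FormMethod.Post`), so the reference is dangling and the null case is misdescribed. For those three the last sentence should say what actually happens: `/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token, since this overload always uses <see cref="FormMethod.Post"/>.` Separately, replacing `bool suppressAntiforgery` with `bool? antiforgery` inverts the meaning of a positional boolean while still compiling (a `bool` converts implicitly to `bool?`), so an existing caller passing `true` positionally silently switches from suppressing the token to forcing it; that deserves a breaking-change line in the commit message. The phrase "suppresses the generation an &lt;input&gt;" repeated in each of these param blocks is missing "of".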


@ -114,9 +114,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <see cref="IDictionary{string, object}"/> instance containing the route parameters.
/// </param>
/// <param name="method">The HTTP method for processing the form, either GET or POST.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <param name="htmlAttributes">
/// An <see cref="object"/> that contains the HTML attributes for the element. Alternatively, an
@ -133,7 +135,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
string controllerName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes);
/// <summary>
@ -148,8 +150,11 @@ namespace Microsoft.AspNet.Mvc.Rendering
/// <see cref="IDictionary{string, object}"/> instance containing the route parameters.
/// </param>
/// <param name="method">The HTTP method for processing the form, either GET or POST.</param>
/// <param name="suppressAntiforgery">
/// Determines whether or not to include an &lt;input&gt; of type "hidden" with an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <param name="htmlAttributes">
/// An <see cref="object"/> that contains the HTML attributes for the element. Alternatively, an
@ -165,7 +170,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
string routeName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes);
/// <summary>
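Review bot: Both new `<param name="antiforgery">` blocks in this interface carry the typo "suppresses the generation an &lt;input&gt;" (missing "of"); since the interface is the authoritative contract, fix it here first: `/// If <c>false</c>, suppresses the generation of an &lt;input&gt; of type "hidden" with an antiforgery token.` Changing a parameter type on a public interface method also breaks every external `IHtmlHelper` implementation at compile time, which the commit title does not mention; a short note for consumers would help.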


@ -288,7 +288,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
string controllerName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes)
{
// Push the new FormContext; MvcForm.GenerateEndForm() does the corresponding pop.
@ -297,7 +297,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
CanRenderAtEndOfForm = true
};
return GenerateForm(actionName, controllerName, routeValues, method, suppressAntiforgery, htmlAttributes);
return GenerateForm(actionName, controllerName, routeValues, method, antiforgery, htmlAttributes);
}
/// <inheritdoc />
@ -305,7 +305,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
string routeName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes)
{
// Push the new FormContext; MvcForm.GenerateEndForm() does the corresponding pop.
@ -314,7 +314,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
CanRenderAtEndOfForm = true
};
return GenerateRouteForm(routeName, routeValues, method, suppressAntiforgery, htmlAttributes);
return GenerateRouteForm(routeName, routeValues, method, antiforgery, htmlAttributes);
}
/// <inheritdoc />
@ -871,9 +871,11 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
/// <see cref="IDictionary{string, object}"/> instance containing the route parameters.
/// </param>
/// <param name="method">The HTTP method for processing the form, either GET or POST.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <param name="htmlAttributes">
/// An <see cref="object"/> that contains the HTML attributes for the element. Alternatively, an
@ -890,7 +892,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
string controllerName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes)
{
var tagBuilder = _htmlGenerator.GenerateForm(
@ -906,7 +908,8 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
tagBuilder.WriteTo(ViewContext.Writer, _htmlEncoder);
}
if (!suppressAntiforgery)
var shouldGenerateAntiforgery = antiforgery.HasValue ? antiforgery.Value : method != FormMethod.Get;
if (shouldGenerateAntiforgery)
{
ViewContext.FormContext.EndOfFormContent.Add(_htmlGenerator.GenerateAntiforgery(ViewContext));
ViewContext.FormContext.HasAntiforgeryToken = true;
@ -927,9 +930,11 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
/// <see cref="IDictionary{string, object}"/> instance containing the route parameters.
/// </param>
/// <param name="method">The HTTP method for processing the form, either GET or POST.</param>
/// <param name="suppressAntiforgery">
/// If <c>true</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token. By
/// default &lt;form&gt; elements will automatically include an antiforgery token.
/// <param name="antiforgery">
/// If <c>true</c>, &lt;form&gt; elements will include an antiforgery token.
/// If <c>false</c>, suppresses the generation an &lt;input&gt; of type "hidden" with an antiforgery token.
/// If <c>null</c>, &lt;form&gt; elements will include an antiforgery token only if
/// <paramref name="method"/> is not <see cref="FormMethod.Get"/>.
/// </param>
/// <param name="htmlAttributes">
/// An <see cref="object"/> that contains the HTML attributes for the element. Alternatively, an
@ -945,7 +950,7 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
string routeName,
object routeValues,
FormMethod method,
bool suppressAntiforgery,
bool? antiforgery,
object htmlAttributes)
{
var tagBuilder = _htmlGenerator.GenerateRouteForm(
@ -960,7 +965,8 @@ namespace Microsoft.AspNet.Mvc.ViewFeatures
tagBuilder.WriteTo(ViewContext.Writer, _htmlEncoder);
}
if (!suppressAntiforgery)
var shouldGenerateAntiforgery = antiforgery.HasValue ? antiforgery.Value : method != FormMethod.Get;
if (shouldGenerateAntiforgery)
{
ViewContext.FormContext.EndOfFormContent.Add(_htmlGenerator.GenerateAntiforgery(ViewContext));
ViewContext.FormContext.HasAntiforgeryToken = true;
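Review bot: The default resolution `antiforgery.HasValue ? antiforgery.Value : method != FormMethod.Get` in GenerateForm spells out the null-coalescing operator by hand, and the identical line appears again in GenerateRouteForm later in this section; `var shouldGenerateAntiforgery = antiforgery ?? (method != FormMethod.Get);` reads the same and is the idiom. Because this expression is the security decision, a why-comment is warranted on both copies: `// Default to emitting the token for every method except GET, where the hidden field would land in the query string.` Testing `!= FormMethod.Get` rather than `== FormMethod.Post` is the right shape, since any future enum value still gets a token by default. GenerateForm and GenerateRouteForm both start before their hunks and continue after them.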


@ -4,7 +4,7 @@
<title></title>
</head>
<body>
<form method="get" action="HtmlEncode[[/UrlEncode[[HtmlGeneration_Home]]/UrlEncode[[ProductSubmit]]]]">
<form method="HtmlEncode[[get]]" action="HtmlEncode[[/UrlEncode[[HtmlGeneration_Home]]/UrlEncode[[ProductSubmit]]]]">
<div>
<label class="product" for="HtmlEncode[[HomePage]]">HtmlEncode[[HomePage]]</label>
<input type="HtmlEncode[[url]]" size="50" id="HtmlEncode[[HomePage]]" name="HtmlEncode[[HomePage]]" value="HtmlEncode[[http://www.contoso.com/]]" />


@ -99,18 +99,23 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
}
[Theory]
[InlineData(null, "<input />")]
[InlineData(true, "<input />")]
[InlineData(false, "")]
[InlineData(null, FormMethod.Post, "<input />")]
[InlineData(true, FormMethod.Post, "<input />")]
[InlineData(false, FormMethod.Post, "")]
[InlineData(null, FormMethod.Get, "")]
[InlineData(true, FormMethod.Get, "<input />")]
[InlineData(false, FormMethod.Get, "")]
public async Task ProcessAsync_GeneratesAntiforgeryCorrectly(
bool? antiforgery,
FormMethod method,
string expectedPostContent)
{
// Arrange
var viewContext = CreateViewContext();
var expectedAttribute = new TagHelperAttribute("method", method.ToString().ToLowerInvariant());
var context = new TagHelperContext(
allAttributes: new ReadOnlyTagHelperAttributeList<IReadOnlyTagHelperAttribute>(
Enumerable.Empty<IReadOnlyTagHelperAttribute>()),
new ReadOnlyTagHelperAttributeList<IReadOnlyTagHelperAttribute>(new List<IReadOnlyTagHelperAttribute> { expectedAttribute })),
items: new Dictionary<object, object>(),
uniqueId: "test");
var output = new TagHelperOutput(
@ -140,6 +145,7 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
Action = "Index",
Antiforgery = antiforgery,
ViewContext = viewContext,
Method = method.ToString().ToLowerInvariant()
};
// Act
@ -148,7 +154,8 @@ namespace Microsoft.AspNet.Mvc.TagHelpers
// Assert
Assert.Equal("form", output.TagName);
Assert.Equal(TagMode.StartTagAndEndTag, output.TagMode);
Assert.Empty(output.Attributes);
var attribute = Assert.Single(output.Attributes);
Assert.Equal(expectedAttribute, attribute);
Assert.Empty(output.PreContent.GetContent());
Assert.True(output.Content.IsEmpty);
Assert.Equal(expectedPostContent, output.PostContent.GetContent());
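Review bot: The theory now always supplies a `method` attribute, so the case the previous version covered — no `method` attribute at all, which is also what a browser treats as GET — has lost coverage, and it is precisely the case where the tag helper's "get" comparison does not fire. Either add a separate fact that leaves `Method` unset and asserts the expected PostContent, or make the theory's `method` parameter a `FormMethod?` and build the attribute list only when it has a value so rows like `[InlineData(null, null, "<input />")]` can be added; the second option touches most of the Arrange block, so the separate fact is the smaller change. The test method ends outside the hunk.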


@ -338,7 +338,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginForm(suppressAntiforgery: false);
var mvcForm = htmlHelper.BeginForm(antiforgery: true);
// Assert
Assert.NotNull(mvcForm);
@ -371,7 +371,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginForm(suppressAntiforgery: true);
var mvcForm = htmlHelper.BeginForm(antiforgery: false);
// Assert
Assert.NotNull(mvcForm);
@ -397,10 +397,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
null)) // htmlAttributes
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -437,10 +441,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
htmlAttributes))
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -489,7 +497,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginForm(method, suppressAntiforgery: false, htmlAttributes: htmlAttributes);
var mvcForm = htmlHelper.BeginForm(method, antiforgery: true, htmlAttributes: htmlAttributes);
// Assert
Assert.NotNull(mvcForm);
@ -525,7 +533,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginForm(method, suppressAntiforgery: true, htmlAttributes: htmlAttributes);
var mvcForm = htmlHelper.BeginForm(method, antiforgery: false, htmlAttributes: htmlAttributes);
// Assert
Assert.NotNull(mvcForm);
@ -673,10 +681,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
null)) // htmlAttributes
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -715,10 +727,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
null)) // htmlAttributes
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -757,10 +773,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
htmlAttributes))
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -816,7 +836,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: true,
htmlAttributes: htmlAttributes);
// Assert
@ -860,7 +880,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues: null,
method: method,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: htmlAttributes);
// Assert
@ -936,7 +956,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginRouteForm(routeValues, suppressAntiforgery: false);
var mvcForm = htmlHelper.BeginRouteForm(routeValues, antiforgery: true);
// Assert
Assert.NotNull(mvcForm);
@ -970,7 +990,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginRouteForm(routeValues, suppressAntiforgery: true);
var mvcForm = htmlHelper.BeginRouteForm(routeValues, antiforgery: false);
// Assert
Assert.NotNull(mvcForm);
@ -1045,7 +1065,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginRouteForm(routeName, suppressAntiforgery: false);
var mvcForm = htmlHelper.BeginRouteForm(routeName, antiforgery: true);
// Assert
Assert.NotNull(mvcForm);
@ -1079,7 +1099,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(builder);
// Act
var mvcForm = htmlHelper.BeginRouteForm(routeName, suppressAntiforgery: true);
var mvcForm = htmlHelper.BeginRouteForm(routeName, antiforgery: false);
// Assert
Assert.NotNull(mvcForm);
@ -1145,10 +1165,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
null)) // htmlAttributes
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -1185,10 +1209,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
null)) // htmlAttributes
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -1225,10 +1253,14 @@ namespace Microsoft.AspNet.Mvc.Rendering
htmlAttributes))
.Returns(tagBuilder)
.Verifiable();
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
if (method != FormMethod.Get)
{
htmlGenerator
.Setup(g => g.GenerateAntiforgery(htmlHelper.ViewContext))
.Returns(HtmlString.Empty)
.Verifiable();
}
// Guards
Assert.NotNull(htmlHelper.ViewContext);
@ -1281,7 +1313,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: method,
suppressAntiforgery: false,
antiforgery: true,
htmlAttributes: htmlAttributes);
// Assert
@ -1322,7 +1354,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues: null,
method: method,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: htmlAttributes);
// Assert
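Review bot: Wrapping the `GenerateAntiforgery` setup in `if (method != FormMethod.Get)` (first in the hunk at old line 397 and repeated in the hunks at 437, 673, 715, 757, 1145, 1185 and 1225) only shows that the generator is not required for GET, not that it is never called; whether an unexpected call would fail depends on the mock's behavior mode, which is constructed outside these hunks. Keeping the setup unconditional and asserting the call count after the Act is both stronger and shorter: `htmlGenerator.Verify(g => g.GenerateAntiforgery(htmlHelper.ViewContext), method == FormMethod.Get ? Times.Never() : Times.Once());`. The same guarded block is now pasted eight times, so a small private helper on the test class would remove the duplication. The enclosing test methods start and end outside these hunks.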


@ -151,7 +151,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: null);
// Assert
@ -201,7 +201,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName: null,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: htmlAttributes);
// Assert
@ -254,7 +254,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
controllerName,
routeValues,
method,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: htmlAttributes);
// Assert
@ -302,7 +302,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName,
routeValues,
method,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: htmlAttributes);
// Assert
@ -404,6 +404,45 @@ namespace Microsoft.AspNet.Mvc.Rendering
writer.GetStringBuilder().ToString());
}
[Fact]
public void BeginForm_EndForm_RendersAntiforgeryTokenWhenMethodIsPost()
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginForm(FormMethod.Post, antiforgery: null, htmlAttributes: null))
{
Assert.True(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form><antiforgery></antiforgery></form>",
writer.GetStringBuilder().ToString());
}
// This is an integration for the implicit antiforgery token added by BeginForm.
[Fact]
public void BeginForm_EndForm_RendersAntiforgeryToken_WithExplicitCallToAntiforgery()
@ -477,7 +516,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginForm(FormMethod.Post, suppressAntiforgery: true, htmlAttributes: null))
using (var form = htmlHelper.BeginForm(FormMethod.Post, antiforgery: false, htmlAttributes: null))
{
Assert.False(viewContext.FormContext.HasAntiforgeryToken);
}
@ -487,6 +526,86 @@ namespace Microsoft.AspNet.Mvc.Rendering
writer.GetStringBuilder().ToString());
}
[Fact]
public void BeginForm_EndForm_SuppressAntiforgeryTokenWhenMethodIsGet()
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginForm(FormMethod.Get, antiforgery: null, htmlAttributes: null))
{
Assert.False(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form></form>",
writer.GetStringBuilder().ToString());
}
[Theory]
[InlineData(FormMethod.Get)]
[InlineData(FormMethod.Post)]
public void BeginForm_EndForm_DoesNotSuppressAntiforgeryTokenWhenAntiforgeryIsTrue(FormMethod method)
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginForm(method, antiforgery: true, htmlAttributes: null))
{
Assert.True(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form><antiforgery></antiforgery></form>",
writer.GetStringBuilder().ToString());
}
// This is an integration for suppressing implicit antiforgery token added by BeginForm.
[Fact]
public void BeginForm_EndForm_SuppressAntiforgeryToken_WithExplicitCallToAntiforgery()
@ -517,7 +636,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginForm(FormMethod.Post, suppressAntiforgery: true, htmlAttributes: null))
using (var form = htmlHelper.BeginForm(FormMethod.Post, antiforgery: false, htmlAttributes: null))
{
Assert.False(viewContext.FormContext.HasAntiforgeryToken);
@ -569,6 +688,49 @@ namespace Microsoft.AspNet.Mvc.Rendering
writer.GetStringBuilder().ToString());
}
[Fact]
public void BeginRouteForm_EndForm_RendersAntiforgeryTokenWhenMethodIsPost()
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateRouteForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginRouteForm(
routeName: null,
routeValues: null,
method: FormMethod.Post,
antiforgery: null,
htmlAttributes: null))
{
Assert.True(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form><antiforgery></antiforgery></form>",
writer.GetStringBuilder().ToString());
}
// This is an integration for suppressing implicit antiforgery token added by BeginRouteForm.
[Fact]
public void BeginRouteForm_EndForm_SuppressAntiforgeryToken()
@ -602,7 +764,7 @@ namespace Microsoft.AspNet.Mvc.Rendering
routeName: null,
routeValues: null,
method: FormMethod.Post,
suppressAntiforgery: true,
antiforgery: false,
htmlAttributes: null))
{
Assert.False(viewContext.FormContext.HasAntiforgeryToken);
@ -613,6 +775,94 @@ namespace Microsoft.AspNet.Mvc.Rendering
writer.GetStringBuilder().ToString());
}
[Fact]
public void BeginRouteForm_EndForm_SuppressAntiforgeryTokenWhenMethodIsGet()
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateRouteForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginRouteForm(
routeName: null,
routeValues: null,
method: FormMethod.Get,
antiforgery: null,
htmlAttributes: null))
{
Assert.False(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form></form>",
writer.GetStringBuilder().ToString());
}
[Theory]
[InlineData(FormMethod.Get)]
[InlineData(FormMethod.Post)]
public void BeginRouteForm_EndForm_DoesNotSuppressAntiforgeryTokenWhenAntiforgeryIsTrue(FormMethod method)
{
// Arrange
var htmlGenerator = new Mock<IHtmlGenerator>(MockBehavior.Strict);
htmlGenerator
.Setup(g => g.GenerateRouteForm(
It.IsAny<ViewContext>(),
It.IsAny<string>(),
It.IsAny<object>(),
It.IsAny<string>(),
It.IsAny<object>()))
.Returns(new TagBuilder("form"));
htmlGenerator
.Setup(g => g.GenerateAntiforgery(It.IsAny<ViewContext>()))
.Returns(new TagBuilder("antiforgery"));
var htmlHelper = DefaultTemplatesUtilities.GetHtmlHelper(htmlGenerator.Object);
var serviceProvider = new Mock<IServiceProvider>();
serviceProvider.Setup(s => s.GetService(typeof(HtmlEncoder))).Returns(new HtmlTestEncoder());
var viewContext = htmlHelper.ViewContext;
viewContext.HttpContext.RequestServices = serviceProvider.Object;
var writer = viewContext.Writer as StringWriter;
Assert.NotNull(writer);
// Act & Assert
using (var form = htmlHelper.BeginRouteForm(
routeName: null,
routeValues: null,
method: method,
antiforgery: true,
htmlAttributes: null))
{
Assert.True(viewContext.FormContext.HasAntiforgeryToken);
}
Assert.Equal(
"<form><antiforgery></antiforgery></form>",
writer.GetStringBuilder().ToString());
}
private string GetHtmlAttributesAsString(object htmlAttributes)
{
var dictionary = HtmlHelper.AnonymousObjectToHtmlAttributes(htmlAttributes);


@ -1002,7 +1002,7 @@ Environment.NewLine;
string controllerName,
object routeValues,
FormMethod method,
bool antiforgery,
bool? antiforgery,
object htmlAttributes)
{
throw new NotImplementedException();
@ -1012,7 +1012,7 @@ Environment.NewLine;
string routeName,
object routeValues,
FormMethod method,
bool antiforgery,
bool? antiforgery,
object htmlAttributes)
{
throw new NotImplementedException();


@ -8,7 +8,7 @@
}
<h2>@ViewBag.Title</h2>
@using (Html.BeginForm(FormMethod.Post, htmlAttributes: null, suppressAntiforgery: true))
@using (Html.BeginForm(FormMethod.Post, htmlAttributes: null, antiforgery: false))
{
<div class="form-horizontal">
<h4>Person</h4>


@ -8,7 +8,7 @@
}
<h2>@ViewBag.Title</h2>
@using (Html.BeginForm(FormMethod.Post, htmlAttributes: null, suppressAntiforgery: true))
@using (Html.BeginForm(FormMethod.Post, htmlAttributes: null, antiforgery: false))
{
<div class="form-horizontal">
<h4>Person</h4>


@ -5,7 +5,7 @@ Secondary content
@{
await Html.RenderPartialAsync("_PartialWithFlush");
}
@using (Html.BeginForm(method: FormMethod.Post, suppressAntiforgery: true, htmlAttributes: null))
@using (Html.BeginForm(method: FormMethod.Post, antiforgery: false, htmlAttributes: null))
{
@Html.TextBox("Name1")
@await FlushAsync()