C# – Are ASP.NET MVC 4 Beta editor templates safe against CSRF

asp.net-mvcasp.net-mvc-4ccsrf

Are pages generated by ASP.NET MVC 4 Beta templates safe against Cross-Site Request Forgery?

Specifically, are the "Edit" view and controller action generated by the "Controller with read/write actions and views, using EntityFramework" protected against CSRF?

Examining the HTML code generated by the Edit form, I can't see a hidden field or another way to implement an anti-forgery token.

Am I missing something or is the default example unsafe?

Best Answer

You need to explicitly implement the anti forgery token.

In the view:

@using (Html.BeginForm(...
{
    @Html.AntiForgeryToken()
    ...
}

In the controller

[HttpPost]
[ValidateAntiForgeryToken]
public ActionResult MyAction(MyViewModel model)
{
    ...

You can always create custom T4 templates to generate this for you, but no, the out-of-the-box templates do not do this by default.

For MVC v5.1 use Html.EnumDropDownListFor

@Html.EnumDropDownListFor(
    x => x.YourEnumField,
    "Select My Type", 
    new { @class = "form-control" })

For MVC v5 use EnumHelper

@Html.DropDownList("MyType", 
   EnumHelper.GetSelectList(typeof(MyType)) , 
   "Select My Type", 
   new { @class = "form-control" })

For MVC 5 and lower

I rolled Rune's answer into an extension method:

namespace MyApp.Common
{
    public static class MyExtensions{
        public static SelectList ToSelectList<TEnum>(this TEnum enumObj)
            where TEnum : struct, IComparable, IFormattable, IConvertible
        {
            var values = from TEnum e in Enum.GetValues(typeof(TEnum))
                select new { Id = e, Name = e.ToString() };
            return new SelectList(values, "Id", "Name", enumObj);
        }
    }
}

This allows you to write:

ViewData["taskStatus"] = task.Status.ToSelectList();

by using MyApp.Common

C# – How to handle multiple submit buttons in ASP.NET MVC Framework

Here is a mostly clean attribute-based solution to the multiple submit button issue based heavily on the post and comments from Maarten Balliauw.

[AttributeUsage(AttributeTargets.Method, AllowMultiple = false, Inherited = true)]
public class MultipleButtonAttribute : ActionNameSelectorAttribute
{
    public string Name { get; set; }
    public string Argument { get; set; }

    public override bool IsValidName(ControllerContext controllerContext, string actionName, MethodInfo methodInfo)
    {
        var isValidName = false;
        var keyValue = string.Format("{0}:{1}", Name, Argument);
        var value = controllerContext.Controller.ValueProvider.GetValue(keyValue);

        if (value != null)
        {
            controllerContext.Controller.ControllerContext.RouteData.Values[Name] = Argument;
            isValidName = true;
        }

        return isValidName;
    }
}

razor:

<form action="" method="post">
 <input type="submit" value="Save" name="action:Save" />
 <input type="submit" value="Cancel" name="action:Cancel" />
</form>

and controller:

[HttpPost]
[MultipleButton(Name = "action", Argument = "Save")]
public ActionResult Save(MessageModel mm) { ... }

[HttpPost]
[MultipleButton(Name = "action", Argument = "Cancel")]
public ActionResult Cancel(MessageModel mm) { ... }

Update: Razor pages looks to provide the same functionality out of the box. For new development, it may be preferable.

Best Answer

Related Solutions

C# – How to create a dropdownlist from an enum in ASP.NET MVC

For MVC v5.1 use Html.EnumDropDownListFor

For MVC v5 use EnumHelper

For MVC 5 and lower

C# – How to handle multiple submit buttons in ASP.NET MVC Framework

Related Topic