kendoui grid in mvc3 security vulnerability, how do i get around it?

Submitted by 限于喜欢 on 2019-12-11 01:14:40

Question


The kendoUI grid uses HttpGet requests to update the data during an AJAX request. (http://www.kendoui.com/documentation/asp-net-mvc/helpers/grid/ajax-binding.aspx) The server returns a Json result, and, in order to get it to work, we need to use the following code:

return Json(Result, JsonRequestBehavior.AllowGet);

That does the job just fine, but it's a security vulnerability (that's why Microsoft makes us put the "AllowGet" in there).

The safe way to return the Json would be in an HttpPost, but the kendoui grid doesn't allow it.

I want to use the kendoui grid. Is there a way to use the HttpGet, return Json, and do it securely?

Thanks!


Answer 1:


If you are using the MVC wrapper of the Kendo Grid this would not happen. There the grid is configured to make POST requests because of this ASP.NET MVC behavior. Make sure you have included kendo.aspnetmvc.min.js though. More info can be found in the docs.




Answer 2:


The kendo datasource uses GET by default when using ajax, but it is possible to use POST by defining the transport settings to post.

Here is a shortened version of the code at a Telerik kendo CRUD example using post.

<script>
    $(function () {
        $("#grid").kendoGrid({
            toolbar: ["create", "save", "cancel"],
            dataSource: {
                schema: {
                    model: {
                        id: "ProductID",
                        fields: {
                            ProductID: { editable: false, nullable: true },
                            ProductName: { validation: { required: true } },
                            UnitPrice: { type: "number", validation: { required: true } }
                        }
                    }
                },
                transport: {
                    // Each CRUD operation gets its own endpoint and HTTP verb;
                    // setting type to "POST" overrides the default GET.
                    create: {
                        url: "Products.svc/Create",
                        contentType: "application/json; charset=utf-8",
                        type: "POST"
                    },
                    // The read operation is also switched to POST, so the server
                    // action no longer needs JsonRequestBehavior.AllowGet.
                    read: {
                        url: "Products.svc/Read",
                        contentType: "application/json; charset=utf-8",
                        type: "POST"
                    },
                    // Serialise the changed models as a JSON body for create/update/destroy;
                    // returning undefined for "read" sends the request with no body.
                    parameterMap: function (data, operation) {
                        if (operation != "read") {
                            return JSON.stringify({ products: data.models });
                        }
                    }
                }
            }
        });
    });
</script>
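For the controller side of both answers (the MVC wrapper in answer 1 posting to an action, and the POST transport in answer 2), here is an added example that is not code from the question or from Telerik: the AllowGet action the question describes next to a POST-only action bound with Kendo's DataSourceRequest. The ProductViewModel type, the sample rows and the action names are assumptions.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web.Mvc;
using Kendo.Mvc.Extensions;
using Kendo.Mvc.UI;

// Hypothetical product row; the real model is whatever the grid is bound to.
public class ProductViewModel
{
    public int ProductID { get; set; }
    public string ProductName { get; set; }
    public decimal UnitPrice { get; set; }
}

public class ProductsController : Controller
{
    // Constructed sample data standing in for a repository or DbContext.
    private static readonly List<ProductViewModel> Products = new List<ProductViewModel>
    {
        new ProductViewModel { ProductID = 1, ProductName = "Chai", UnitPrice = 18m },
        new ProductViewModel { ProductID = 2, ProductName = "Chang", UnitPrice = 19m },
    };

    // The pattern the question describes: a GET endpoint returning the rows as a JSON array.
    // MVC refuses to serialise this on GET unless AllowGet is passed, because a GET URL can be
    // loaded cross-site in a <script> tag and, on browsers susceptible to JSON hijacking,
    // the array it returns becomes readable to the attacking page.
    public ActionResult Products_Read_AllowGet()
    {
        return Json(Products, JsonRequestBehavior.AllowGet);
    }

    // Hardened version for the Kendo MVC wrapper: the wrapper posts, so the action is POST-only
    // and Json() keeps its default DenyGet behaviour (a GET now raises InvalidOperationException
    // instead of returning data). [DataSourceRequest] binds the grid's paging/sorting/filter state.
    [HttpPost]
    public ActionResult Products_Read([DataSourceRequest] DataSourceRequest request)
    {
        DataSourceResult result = Products.ToDataSourceResult(request);
        return Json(result);
    }
}
```

On the view side the wrapper binds with `.DataSource(ds => ds.Ajax().Read(read => read.Action("Products_Read", "Products")))`, and the POST only happens when kendo.aspnetmvc.min.js is loaded, as answer 1 notes.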


Source: https://stackoverflow.com/questions/11531416/kendoui-grid-in-mvc3-security-vulnerability-how-do-i-get-around-it
