Hello SO:
I am working in ASP.NET MVC and made a simple form that is AJAX enabled (using MicrosoftAjax and MicrosoftMvcAjax). All it does is pass the form value to a partial view, then updates the target element with the new value.
Here is the view with the form:

    <asp:Content ID="indexContent" ContentPlaceHolderID="MainContent" runat="server">
        <h2>
            <%=Html.Encode(ViewData["Message"]) ?? "Home Page"%></h2>
        <div>
            <p>
                <% using (Ajax.BeginForm("AjaxView", new AjaxOptions { UpdateTargetId = "Test" })) { %>
                    <%= Html.Label("FormMessage","Message") %>
                    <%= Html.TextBox("FormMessage")%>
                    <br />
                    <%= Html.Submit("Submit","Go") %>
                <% } %>
            </p>
            <p id="Test">
                <% Html.RenderPartial("AjaxView"); %>
            </p>
        </div>
    </asp:Content>

Here is the code from the controller:

    public ActionResult AjaxView()
    {
        if(Request.IsAjaxRequest())
        {
            ViewData["AjaxMessage"] = string.IsNullOrEmpty(Request.Form["FormMessage"]) ? "No Form Data!" : Request.Form["FormMessage"];
            return PartialView("AjaxView");
        }
        return View();
    }

And here is the partial view:

    <%@ Control Language="C#" Inherits="System.Web.Mvc.ViewUserControl" %>
    <%= ViewData["AjaxMessage"] ?? "Default Text" %>

Everything is working fine it seems, but when I try to enter something with < or >, the script does not execute. I am not intending for people to be able to enter HTML to this field, but why does the script fail to execute?
If it is a problem with the script getting confused by these characters, can I encode the incoming text (using Server.HtmlEncode() or something similar) before the AJAX runs so that any 'unsafe' characters are converted and the script will continue on normally?
Thanks!
edit
I just realized if I enter "<<", I will get "<" back from the script. Maybe this info will help.