I want to prevent posting sensitive data via url query string to a MVC 5 application.
In MVC there is a DefaultModelBinder
. The DefaultModelBinder
looks for the ActionMethod
parameters in the url query string, the body and the route. But my target is to bind the parameters exclusively from the body and not from route or query string.
In Asp.Net WebApi there is such a concept. The Attribute [FromBody] will do the job: http://www.asp.net/web-api/overview/formats-and-model-binding/parameter-binding-in-aspnet-web-api
Is there something suitable for MVC?
I´ve found the System.Web.ModelBinding.FormAttribute
(https://msdn.microsoft.com/en-us/library/system.web.modelbinding.formattribute(v=vs.110).aspx). However, if I decorate the parameter, it has no effect to the model binding.
By default, the binder looks for data in four places: form data, route data, the query string, and any uploaded files.
It is possible to restrict the binding to a single source of data. To do so you should call the UpdateModel method passing, as the second parameter, a FormValueProvider object( an implementation of IValueProvider).
public ActionResult Products()
{
IList<Products> products = new List<Products>();
UpdateModel(products, new FormValueProvider(ControllerContext));
return View(products);
}
The complete list of objects is (they all receive the ControllerContext as the contructor parameter):