ASP .NET Core 2 MVC - Populating List<someobject> with dynamically added html on form post

I'm developing an ASP.NET Core 2.1 MVC WebApp. In a View which is a form for creating a meeting (think Outlook's create meeting), I'm allowing the user to dynamically add meeting attendees, which are displayed on the form by injecting the input from a modal popup as table tr/td for FirstName, LastName, Email. See below code.

These entries are added based on a modal popup on the page...
            
   var n = "<tr data-fn='" + fn + "' data-ln='" + ln + "' data-em='" + em + "'><td>" + fn + "</td>" + "<td>" + ln + "</td>" + "<td>" + em + "</td></tr>";
   $("#attendee-list tbody").append(n);


On HTTPPost, I have the below code to populate a ViewModel List with above table values, but this is all client side. I feel this has security holes if someone decides to manipulate the javascript before the post hits the server.

I'm always looking to implement best practices and I have a feeling this client side JS can be manipulated by someone before the post hits the server. Some things are still new to me and just because it works doesn't mean it's good code! Is this approach for populating my ViewModel's List appropriate, or is there a better approach other than validating entries client-side and then server-side?

$("#form-submit").on("click", function () {
    var i = 0;
    $("#attendee-list > tbody > tr").each(function () {
        var fn = $(this).data("fn");
        var ln = $(this).data("ln");
        var em = $(this).data("em");

        $("#formPost").prepend("<input type='hidden' name='MeetingAttendees[" + i + "].FirstName' value='" + fn + "'>");
        $("#formPost").prepend("<input type='hidden' name='MeetingAttendees[" + i + "].LastName' value='" + ln + "'>");
        $("#formPost").prepend("<input type='hidden' name='MeetingAttendees[" + i + "].Email' value='" + em + "'>");
        i++;
    });
});

nightshadz Asked:
Chinmay Patel, Chief Technical Ninja, Commented:
Hi nightshadz,

It will be better to do simple validation on both the client and the server. If you want to be extra careful, remember ViewStateMac of ASP.Net WinForms? Whatever client operations are performed, a hash is generated when the client state is posted to the server. Now, before the post hits your server, if anything was changed in between (over the wire), you will get a ViewStateMac failed exception and your server will then automatically discard that data.

In your current case, I think it will be overkill to devise such a mechanism, hence going with both client + server side validation will make more sense here. Put appropriate input validations on the client and just sanitize the model on the server side and you will be fine.

Regards,
Chinmay.
0

nightshadz (Author) Commented:
Thank you!

By "ViewStateMac" are you referring to ModelState.IsActive from within my controller post method?

I've done WinForms development, but not for a while. I do remember ViewState as the hash containing posted form values. I'm not sure if ViewState applies in an ASP .NET Core MVC Web App?
0
Chinmay Patel, Chief Technical Ninja, Commented:
You are right, nightshadz. I didn't mean to say we have a similar feature in ASP.Net MVC (not in Core as well). You have the feature to implement model validation. For ASP.Net Core MVC, you can use out-of-the-box validation attributes OR you can implement your custom validation (which I think is not required in most of the business cases). You can find that documentation here: https://docs.microsoft.com/en-us/aspnet/core/mvc/models/validation?view=aspnetcore-2.1

And I am really sorry for the confusion, I meant to say ASP.Net WebForms, not WinForms.

Regards,
Chinmay.
0
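
The server-side model validation discussed in this thread, as an added example that is not part of the original posts: the posted `MeetingAttendees[i].FirstName` / `.LastName` / `.Email` fields bind to a list whose elements carry validation attributes, and the controller rejects the post unless `ModelState.IsValid`. The class names, the length limits and the 100-attendee cap are assumptions chosen for illustration.

```csharp
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using Microsoft.AspNetCore.Mvc;

// Hypothetical model: one row of the attendee table.
public class MeetingAttendee
{
    [Required, StringLength(50)]
    public string FirstName { get; set; }

    [Required, StringLength(50)]
    public string LastName { get; set; }

    [Required, EmailAddress, StringLength(254)]
    public string Email { get; set; }
}

// Hypothetical view model: the binder fills the list from MeetingAttendees[0..n].*
public class CreateMeetingViewModel
{
    public List<MeetingAttendee> MeetingAttendees { get; set; }
}

public class MeetingsController : Controller
{
    private const int MaxAttendees = 100; // assumed business limit

    [HttpPost]
    [ValidateAntiForgeryToken] // rejects posts that lack the form's anti-forgery token
    public IActionResult Create(CreateMeetingViewModel model)
    {
        // Hidden inputs are built in the browser, so every value is untrusted here.
        int count = model.MeetingAttendees?.Count ?? 0;
        if (count == 0 || count > MaxAttendees)
        {
            ModelState.AddModelError(nameof(model.MeetingAttendees),
                $"Between 1 and {MaxAttendees} attendees are required.");
        }

        // Attribute errors on each list element are already in ModelState after binding.
        if (!ModelState.IsValid)
        {
            return View(model); // redisplay the form with validation messages
        }

        // Only validated data reaches this point; save the meeting here.
        return RedirectToAction(nameof(Create));
    }
}
```

Razor HTML-encodes these values when they are rendered back with `@`, so validation on input and encoding on output cover the two places the tampered fields could otherwise cause harm.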
nightshadz (Author) Commented:
Thank you for the information and clarification! Much appreciated.
0