Reputation: 43
Restrict inline code in view from having other than model related code
I would want to restrict my .cshtml files so that the inline c# code only can be associated to the current model. So I would like to restrict the allowed namespaces or something similar.
The background is that I need the view folder to be edited by the apps users(the admins of the system - not the web visitors). Some of my customers would want to show the images and some would not. Therefore I need to be in control of what the can do so they cant do
<span>
title
@{
MyApp.Database.DeleteAll()
or
System.File.Read()
}
But I want them to be able to do
@foreach(var img in @Model.Images){
<img src="@img" />
}
The users will not have access to the server or to anything else(like webconfig ect). They will edit the .cshtml files through a web interface.
Lets say I have a page where that shows a collection of uploaded images. Some admins want to show the images as a slider others as a simple ul This won't have any effect on the rest of the application because everything is loosely connected.
Upvotes: 2
Views: 120
Answers (1)
Reputation: 15089
This isn't possible and creates huge security leaks since Razor allows to run any C#-code.
You could instead let them create templates in a different template-engine. There is for instance Handlebars for C# which should allow to do exactly what you need.
Upvotes: 1
Related Questions
- Razor Inline code generating Compiler Error
- Stop razor inline code-block within attribute
- ASP.NET/MVC: Inline code
- Adding inline conditional statements in an MVC View
- MVC Razor inline html
- Razor Syntax Inline Code
- How do I do inline Razor code within some HTML?
- Razor engine not happy with my inline code
- ASP.NET MVC 3.0 Conditionally writing inline text within a tag
- ASP.NET MVC2 inline code in view - mixing tags