This bug occurs when using jQuery POST to send complex JavaScript objects to the server as encoded HTTP form data.
For example, if I need to post the following object:
```
{
singleProperty: 'hello',
arrayProperty: [
{
propertyOne: 1,
propertyTwo: 'Two',
},
{
propertyOne: 2,
propertyTwo: 'Four',
},
{
propertyOne: 3,
propertyTwo: 'Six',
}
]
}
```
Then when jQuery posts that object as form data, it posts the following (line breaks added for readability):
"singleProperty=hello&
arrayProperty[0][propertyOne]=1&
arrayProperty[0][propertyTwo]=Two&
arrayProperty[1][propertyOne]=2&
arrayProperty[1][propertyTwo]=Four&
arrayProperty[2][propertyOne]=3&
arrayProperty[2][propertyTwo]=Six"
But ASP.NET MVC is expecting this (line breaks added for readability):
"singleProperty=hello&
arrayProperty[0].propertyOne=1&
arrayProperty[0].propertyTwo=Two&
arrayProperty[1].propertyOne=2&
arrayProperty[1].propertyTwo=Four&
arrayProperty[2].propertyOne=3&
arrayProperty[2].propertyTwo=Six"
The result of this discrepancy is that the properties inside of each of the collection elements of the action parameter object are all defaulted.
I have attached a small project that exemplifies this behavior.
Comments: This sort of impedance matching between the client and the server should definitely be handled in the core MVC libraries. I think it is a security thing more than anything else. The mismatch exists, it doesn't really matter who does it right, it only matters that jQuery and MVC are doing it differently. To solve this mismatch I assume that people will have to do something like what Chris has done and write something to reformat the values. Eventually someone will write something that can be compromised by a cleverly formatted POST. And, in these days of cargo-cult development, that may be the lucky winner that gets copied a thousand times from Stack Overflow.
For example, if I need to post the following object:
```
{
singleProperty: 'hello',
arrayProperty: [
{
propertyOne: 1,
propertyTwo: 'Two',
},
{
propertyOne: 2,
propertyTwo: 'Four',
},
{
propertyOne: 3,
propertyTwo: 'Six',
}
]
}
```
Then when jQuery posts that object as form data, it posts the following (line breaks added for readability):
"singleProperty=hello&
arrayProperty[0][propertyOne]=1&
arrayProperty[0][propertyTwo]=Two&
arrayProperty[1][propertyOne]=2&
arrayProperty[1][propertyTwo]=Four&
arrayProperty[2][propertyOne]=3&
arrayProperty[2][propertyTwo]=Six"
But ASP.NET MVC is expecting this (line breaks added for readability):
"singleProperty=hello&
arrayProperty[0].propertyOne=1&
arrayProperty[0].propertyTwo=Two&
arrayProperty[1].propertyOne=2&
arrayProperty[1].propertyTwo=Four&
arrayProperty[2].propertyOne=3&
arrayProperty[2].propertyTwo=Six"
The result of this discrepancy is that the properties inside of each of the collection elements of the action parameter object are all defaulted.
I have attached a small project that exemplifies this behavior.
Comments: This sort of impedance matching between the client and the server should definitely be handled in the core MVC libraries. I think it is a security thing more than anything else. The mismatch exists, it doesn't really matter who does it right, it only matters that jQuery and MVC are doing it differently. To solve this mismatch I assume that people will have to do something like what Chris has done and write something to reformat the values. Eventually someone will write something that can be compromised by a cleverly formatted POST. And, in these days of cargo-cult development, that may be the lucky winner that gets copied a thousand times from Stack Overflow.