Login/Register
Why is ValidateInput(False) not working?
Asked Answered
Solved asp.net-mvcvb.nettinymcerequest.form
A

7

35

I am converting an application I created using webforms to the asp.net mvc framework using vb.net. I have a problem with one of my views. I get the yellow screen of death saying "A potentially dangerous Request.Form value was detected from the client" when I submit my form. I am using tinymce as my RTE. I have set on the view itself

ValidateRequest="false"

I know that in MVC it doesn't respect it on the view from what I've read so far. So I put it on the controller action as well. I have tried different setups:

<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _

...and...

<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _

...and like this as well...

<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _

Just to see if it made a difference, yet I still get the yellow screen of death. I only want to set it for this view and the specific action in my controller that my post pertains to. Am I missing something?

Artifice answered 30/4, 2009 at 15:58 Comment(0)
T
17

Are you sure that the controller action being posted to is the one you have the attributes on?

Tocsin answered 30/4, 2009 at 16:9 Comment(3)
You are a life saver! I burnt myself on this project yesterday. This has been bugging me since last night and I thought sleeping on it would help. But yeah, my form action was empty from me testing my jQuery validation on that view and I forgot to put the Url.Action back. I feel embarassed lol.Artifice
In my case, I have a method which receives both a full model and some extra parameters (like Save(SomeModel model, string inputFromMemo)). Firstly I coded just Save(SomeModel model). Adding the other parameter fixed it.Suspicion
In my case I have an mvc controller with index controller(httpGet) that only returns jsonData. I have tried all the combination but validate input is not working for me.Lubin
D
137

With asp.net 4, you'll need to configure the validation mode in the web.config as well.

Set the following as a child of the <system.web> element:

<system.Web>
  ...
  <httpRuntime requestValidationMode="2.0"/>

Asp.Net 4 sets the requestValidationMode to 4.0 by default, which tells the system to perform request validation before the BeginRequst phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing the ValidateInput attribute to work as expected.

Disini answered 27/3, 2010 at 20:32 Comment(4)
is this going to be 'fixed' for MVC 3?Gamopetalous
What are the other things to watch out for if we revert it to 2.0?Kalevala
I spent about 4 hours battling this problem. When I saw your solution in my frustration I didn't think it would work. It did. I felt such a relief when that line of code ran without the "dangerous value" error. Thanks very much.Leveret
Can we use ValidateInput(false) with HttpGet action method, which takes no param ?Lubin
T
17

Are you sure that the controller action being posted to is the one you have the attributes on?

Tocsin answered 30/4, 2009 at 16:9 Comment(3)
You are a life saver! I burnt myself on this project yesterday. This has been bugging me since last night and I thought sleeping on it would help. But yeah, my form action was empty from me testing my jQuery validation on that view and I forgot to put the Url.Action back. I feel embarassed lol.Artifice
In my case, I have a method which receives both a full model and some extra parameters (like Save(SomeModel model, string inputFromMemo)). Firstly I coded just Save(SomeModel model). Adding the other parameter fixed it.Suspicion
In my case I have an mvc controller with index controller(httpGet) that only returns jsonData. I have tried all the combination but validate input is not working for me.Lubin
A
4

When you are using your own model binders which implement the IModelBinder interface you will notice that those custom model binders always validate the data, regardless any attributes. You can add few lines of code to make the custom model binders respect the ValidateInput filter of the actions:

// First check if request validation is required
var shouldPerformRequestValidation = controllerContext.Controller.ValidateRequest && bindingContext.ModelMetadata.RequestValidationEnabled;

// Get value
var valueProviderResult = bindingContext.GetValueFromValueProvider(shouldPerformRequestValidation);
if (valueProviderResult != null)
{
    var theValue = valueProviderResult.AttemptedValue;

    // etc...
}

This is explained very nicely by Martijn Boland here: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/

Ansel answered 23/1, 2012 at 18:36 Comment(0)
A
3

You can try accessing the field like HttpContext.Request.Unvalidated.Form["FieldName"]

Anaconda answered 13/6, 2016 at 12:36 Comment(1)
Should be: HttpContext.Current.Request.Unvalidated.Form["FieldName"]Monitor
A
1

Please note that these suggestions will not fix the problems caused by a bug that occurs when you have to use [ValidateInput(false)] in combination with a FormCollection.

See: ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection

Administrator answered 8/12, 2010 at 9:21 Comment(0)
H
1

Add the following line of code:

GlobalFilters.Filters.Add(new ValidateInputAttribute(false));

to the Application_Start() method. Hehe good

Hydroquinone answered 18/12, 2013 at 11:12 Comment(2)
This will disable validation on ALL controller actions, which you probably don't want to do.Easton
Nonetheless, I think it's useful to know you can do thisIntermediate
D
0

If you use an input model and use an AllowHtml on the property you want, you will be unblocked.

public class InputModel
{
    [AllowHtml]
    public string HtmlInput { get; set; }
}

...
[ValidateInput(false)]
public async Task<ActionResult> ControllerMethod(InputModel model)
{
}
Drastic answered 29/1, 2017 at 6:30 Comment(0)

© 2022 - 2024 — McMap. All rights reserved.