I can't turn off Request Validation for an ASP.NET MVC Controller

Asked 10/7, 2009 at 15:59 Answered 13/1, 2011 at 23:18

Solved c#.net asp.net asp.net-mvc request-validation

I am trying to turn off Request Validation for all action methods in a controller by doing this:

[ValidateInput(false)]
public class MyController : Controller
{
    ...

The reference I am using says this is possible and tells me to do it this way, but for some reason it's not working.

If I submit any html (even a simple <b> tag) through a text box, I get the error:

A potentially dangerous Request.Form value was detected from the client (text=<b>").

It's also not working by attaching the attribute to an individual method.

How can I disable Request Validation for a controller?

EDIT

I am working in VS2008 built in test server.

Stuyvesant answered 10/7, 2009 at 15:59 Comment(2)

Based on all the stuff that's not working, you'll have to provide a lot more detail. Are you running in IIS, or Cassini? You are running MVC v1.0, right? What is the method signature of the action that is failing? – Ramentum 10/7, 2009 at 17:25

I love when I find someone asking the exact question I have- only to see that it is closed for not being applicable to other visitors. FML. – Durant 29/4, 2013 at 18:58

I tested it on my machine, on both the class definition and the action method, and it worked for me in both cases. Are you sure your view lines up with your method/controller? Are you putting the attribute on the GET method or the POST method?

[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]   
public ActionResult MyAction (int id, string content) {   
    // ...   
}

Hawken answered 10/7, 2009 at 16:7 Comment(8)

In the original question, I stated that I did that. And my reference, Apress Pro ASP.NET MVC Framework, clearly states, "If you want to disable it either for a specific action method or across a specific controller, you can use the [ValidateInput] filter, as follows: [ValidateInput(false)] public class MyController : Controller { ... }" – Stuyvesant 10/7, 2009 at 16:24

See #808162 – Hawken 10/7, 2009 at 16:33

Sorry, Ronnie. It works on my machine, whether I put the attribute on the method or the class. – Hawken 10/7, 2009 at 16:41

I have tried on the controller and the action. I know the view lines up with the action method, because I have only 1 view and 1 controller. I have done a complete build and rebuild. I don't understand why this will not work! – Stuyvesant 10/7, 2009 at 17:13

Ronnie, try it Keithm's way. Put ValidateRequest=false; in the constructor of your controller. – Hawken 10/7, 2009 at 17:15

So there is something systemically wrong. Consider creating a new project with a simple controller and view, and test again. There is a counterpart in plain ASP.NET that can be tested also. Did you stumble across this post? #1038602 – Hawken 10/7, 2009 at 17:30

Make sure you add [ValidateInput(false)] in the postback Action. – Berti 9/6, 2011 at 13:22

@RobertHarvey are you saying it will not work if the action method is Get ? – Bullyboy 13/4, 2021 at 7:46

To make it working you need to modify web.config as well:

<system.web>
    <httpRuntime requestValidationMode="2.0"/>
    ...
</system.web>

Maturate answered 13/1, 2011 at 23:18 Comment(1)

I had an ASP.NET MVC 1.0 project deployed in production for over a year, tonight the client sends me an email telling me that one of the forms that uses a WYSIWYG editor wont submit. I've had [ValidateInput(false)] on the action for as long as the site has been deployed and it worked fine up until recently. The hosting provider must have changed something on their end. I added the httpRuntime tag to the system.web as Jan suggested and it fixed my issue. – Nutgall 20/9, 2011 at 1:38

Pro ASP.NET MVC Framework (p466) says the following is supposed to work:

public class MyController : Controller 
{
     public MyController() {
        ValidateRequest = false;
     }
}

Taxexempt answered 10/7, 2009 at 16:37 Comment(2)

It doesn't intellisense or compile there. I tried putting it into the action method (where it does intellisense), but it didn't work. – Hawken 10/7, 2009 at 16:49

"ValidateRequest = false;" is supposed to be in the constructor. I I had tried it on one of my controllers but transcribed it wrong. – Taxexempt 10/7, 2009 at 16:59

Can you post your controller file and your view file.

This works;

MytestController--------------------------------

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;

namespace testapp.Controllers
{
    [ValidateInput(false)]
    public class MyTestController : Controller
    {

        public ActionResult Index()
        {
            return View();
        }

    }
}

MyTest(Index)-------------------------------------------------------

<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Index</title>
</head>
<body>
 <% using (Html.BeginForm()) { %>
 <%= Html.TextBox("test")%>
 <button type="submit"  >Submit</button>
 <%} %>
</body>
</html>

Mcclenaghan answered 10/7, 2009 at 17:54 Comment(0)

EDIT

Recommended topics

Hot tags