A potentially dangerous Request.Form value was detected

Question

I have a form with the wmd editor on it. The input text area is rendered using:

<%: Html.TextAreaFor(t => t.NewsBody, new{@class="wmd-panel", id="wmd-input"}) %> 

Every time I submit the form I get A potentially dangerous Request.Form value was detected from the client

I tried setting [ValidateInput(false)] on the action method, I tried adding <httpRuntime requestValidationMode="2.0" /> to the web.config and I've tried validateRequest="false" in the pages directive in web.config but it's still happening.

Any ideas?

Edit

Action method:

 [ILFFAuthorize(Roles = "Admin")] // this is a custom auth attrobite         [HttpPost]         [ValidateInput(false)]         public ActionResult AddNews(FormCollection col){          //public ActionResult AddNews(News news)         //{             if (ModelState.IsValid)             {                 News news = new News();                 news.NewsDate = DateTime.Now;                 news.NewsPosterId = 0;                  news.NewsTitle = col["NewsTitle"];                 news.NewsBody = col["NewsBody"];                 newsRepository.Add(news);                 newsRepository.Save();                  return RedirectToAction("Index", "Home");             }             else             {                 return View();             }         } 

Answer 1

You need to place this on top of your [HttpPost] action method

    [HttpPost]     [ValidateInput(false)]     public ActionResult Edit(FormCollection collection) {        .....     } 

If you are using MVC3 then you should't use [ValidateInput(false)] but use [AllowHtml] which is explained here: http://dailydotnettips.com/2011/08/24/how-to-allow-user-to-input-html-in-asp-net-mvc/

also: try putting [ValidateInput(false)] above your [HttpPost] not under, As I remember, these get executed top to bottom.