A potentially dangerous Request.Form value was detected but ValidateInput(false) not working

I have installed VS2010 and MVC2 and testing a simple form using tinyMCE. When I post the contents of the textarea in tinyMCE I get the dreaded YSD and the message

"a potentially dangerous....."

I've seen this before so I put the ValidateInput(false) on the controller but no joy - I still get the error.

page code in edit.aspx is:

    <% using (Html.BeginForm()) { %>

    <!-- Gets replaced with TinyMCE, remember HTML in a textarea should be encoded -->
    <textarea id="elm1" name="mceText" rows="15" cols="80" style="width: 80%">
        &lt;p&gt;
            This is some example text that you can edit inside the
            &lt;strong&gt;TinyMCE editor&lt;/strong&gt;.
    </textarea>

    <br />
    <input type="submit" name="save" value="Submit" />
    <input type="reset" name="reset" value="Reset" />
    <% } %>

and Controller action is:

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Edit(string mceText)
    {
        return View();
    }

Any thoughts? (I know the code is not complete.) I've been trying this for hours, but everyone just says to use ValidateInput(false).

Tony Bolding asked Dec 06 '22 03:12

2 Answers

This is why: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147

The request validation feature in ASP.NET provides a certain level of default protection against cross-site scripting (XSS) attacks. In previous versions of ASP.NET, request validation was enabled by default. However, it applied only to ASP.NET pages (.aspx files and their class files) and only when those pages were executing.

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

As a result, request validation errors might now occur for requests that previously did not trigger errors. To revert to the behavior of the ASP.NET 2.0 request validation feature, add the following setting in the Web.config file:

    <httpRuntime requestValidationMode="2.0" />

However, we recommend that you analyze any request validation errors to determine whether existing handlers, modules, or other custom code accesses potentially unsafe HTTP inputs that could be XSS attack vectors.

Maksymilian Majer answered Jan 10 '23 15:01

A better solution may be to use the tinymce encoding option:

http://www.tinymce.com/wiki.php/Configuration:encoding

    tinyMCE.init({
        ...
        encoding : "xml"
    });

Then use HttpUtility.HtmlDecode to decode it as required.

See here http://blog.tentaclesoftware.com/archive/2010/07/22/96.aspx

mutex answered Jan 10 '23 13:01
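Putting the two answers together, as an added example that is not code from the question or either answer: an MVC 2 controller on ASP.NET 4 with the Web.config change from the first answer and the decode step from the second. The controller, action and Store helper names are assumptions.

```csharp
// Web.config (first answer): ASP.NET 4 validates every request before MVC 2
// dispatches the action, so [ValidateInput(false)] is never consulted unless
// request validation is put back into its 2.0 behaviour:
//
//   <system.web>
//     <httpRuntime requestValidationMode="2.0" />
//   </system.web>

using System.Web;
using System.Web.Mvc;

// Controller, action and helper names are assumptions for this example.
public class EditorController : Controller
{
    // Option 1: the textarea posts raw HTML ("<p>...") and validation is
    // switched off for this one action only, not for the whole site.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Edit(string mceText)
    {
        return Store(mceText ?? string.Empty);
    }

    // Option 2 (second answer): tinyMCE.init({ encoding: "xml" }) makes the
    // editor submit entity-encoded markup ("&lt;p&gt;..."), which contains no
    // raw '<' and therefore passes request validation with the default
    // settings. The server restores the markup with HttpUtility.HtmlDecode.
    [HttpPost]
    public ActionResult EditEncoded(string mceText)
    {
        string html = HttpUtility.HtmlDecode(mceText ?? string.Empty);
        return Store(html);
    }

    private ActionResult Store(string html)
    {
        // Either way the result is client-supplied HTML that request validation
        // no longer screens. Treat it as untrusted: sanitise it against an
        // element/attribute whitelist before saving, and do not emit it with
        // <%= %> in a view (which does not encode) until it has been sanitised.
        ViewData["Html"] = html;
        return View("Edit");
    }
}
```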