
AllowHtml attribute not working

I have a model with this property:

     [AllowHtml]
     [DisplayName("Widget for Table")]
     [StringLength(1000, ErrorMessage = "Maximum chars 1000")]
     [DataType(DataType.Html)]
     public object TableWidget { get; set; }

And here are the Create methods in the controller:

  //
  // GET: /Admin/Table/Create

  public ActionResult Create(int id)
  {
     Season season = _seasonRepository.GetSeason(id);

     var table = new Table
                     {
                        SeasonId = season.SeasonId
                     };
     return View(table);
  }

  //
  // POST: /Admin/Table/Create

  [HttpPost]
  public ActionResult Create(Table a)
  {
     if (ModelState.IsValid)
     {
        _tableRepository.Add(a);
        _tableRepository.Save();
        return RedirectToAction("Details", "Season", new { id = a.SeasonId });
     }
     return View();
  }

And lastly, here is my view:

@model Stridh.Data.Models.Table
@using (Html.BeginForm())
{
   @Html.ValidationSummary(true)
   <fieldset>
      <legend>Fields</legend>
      <div class="editor-label">
         @Html.LabelFor(model => model.Name)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.Name) @Html.ValidationMessageFor(model => model.Name)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.TableURL)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.TableURL) @Html.ValidationMessageFor(model => model.TableURL)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.SortOrder)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.SortOrder) @Html.ValidationMessageFor(model => model.SortOrder)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.TableWidget)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.TableWidget) @Html.ValidationMessageFor(model => model.TableWidget)
      </div>
      <div class="editor-label invisible">
         @Html.LabelFor(model => model.SeasonId)
      </div>
      <div class="editor-field invisible">
         @Html.EditorFor(model => model.SeasonId)
      </div>
      <p>
         <input type="submit" value="Create" />
      </p>
   </fieldset>
} 

When I add a "normal" message without HTML everything is saved OK, but when saving it says "A potentially dangerous Request.Form..."

Another strange thing is that I got this [AllowHtml] to work in another model class. I can't find why this is causing me trouble. Need your help. :-)

superfrallan asked Feb 01 '11 11:02


4 Answers

The way you are using AllowHtml should work. Make sure that you are not accessing the HttpRequest.Form collection anywhere else in your code (controller, filter, etc) as this will trigger ASP.NET Request Validation and the error you are seeing. If you do want access to that variable then you should access it via the following code.

using System.Web.Helpers;

HttpRequestBase request = ..  // the request object
// Read the form collection without triggering ASP.NET Request Validation
var form = request.Unvalidated().Form;

marcind answered Oct 01 '22 02:10
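
The situation described in the answer above, as an added example that is not part of the original answer: an action filter that inspects posted fields, first in the form that triggers request validation and then using `Unvalidated()`. The filter name `AuditPostedFieldsAttribute` and the trace output format are assumptions made for illustration.

```csharp
using System;
using System.Collections.Specialized;
using System.Diagnostics;
using System.Web;
using System.Web.Helpers;   // provides the Unvalidated() extension method
using System.Web.Mvc;

// Hypothetical audit filter: records which fields were posted to an action.
// Usage (assumed): [HttpPost, AuditPostedFields] public ActionResult Create(Table a)
public class AuditPostedFieldsAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Problem form: touching request.Form runs ASP.NET Request Validation
        // over the posted values, so markup in a field is rejected here
        // regardless of [AllowHtml] on the model property.
        // NameValueCollection form = request.Form;

        // Same collection, read without triggering request validation.
        NameValueCollection form = request.Unvalidated().Form;

        foreach (string key in form.AllKeys)
        {
            if (key == null) continue;   // valueless entries have a null key

            // Values read this way are raw user input: encode them before
            // writing them anywhere they might later be rendered as HTML.
            string value = form[key] ?? string.Empty;
            string sample = value.Substring(0, Math.Min(40, value.Length));
            Trace.WriteLine(string.Format("{0}: {1} chars, sample={2}",
                key, value.Length, HttpUtility.HtmlEncode(sample)));
        }
    }
}
```

Because `Unvalidated()` bypasses the check for every field in the collection, keep its use confined to code that encodes or otherwise treats the values as untrusted.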


I got the same problem and I solved it with the help of this post.

If you are on .NET 4.0 make sure you add this in your web.config:

<httpRuntime requestValidationMode="2.0" />

Inside the <system.web> tags

Sword-Breaker answered Oct 01 '22 00:10


I had the same problem. My model class is named "GeneralContent" and has the property "Content". In my action method I used attribute like this:

public ActionResult Update(GeneralContent content)

When I renamed the content argument to cnt, everything worked well. I think MVC is confused when some attribute of the model class has the same name as the argument in the action method.

TheArchon answered Oct 01 '22 01:10


I also had this issue. I could not get a model property marked with [AllowHtml] to actually allow HTML, and instead encountered the same error you describe. My solution ended up being to mark the Controller action that accepts the posted model with the [ValidateInput(false)] attribute.

Adam Price answered Oct 01 '22 02:10