AllowHtml not working

Question

I'm building a Content Management System to allow people other than me to update stuff on the site.

I have a front-facing HTML form that sends data, via AJAX, to a controller:

// CONTROLLER
[ValidateInput(false)]
public void CarAJAX()
{
    CarAdmin CA = new CarAdmin();
    CA.UpdateCar(System.Web.HttpContext.Current.Request);
}

This data will have HTML, so I keep getting an error in my Model:

// MODEL
using System;
using System.Web;
using System.Web.Mvc;

namespace Site.Models
{
    public class CarAdmin
    {
        public String id { get; set; }
        [AllowHtml]
        public String HTML_Stuff { get; set; }

        public CarAdmin(){}

        public void UpdateCar(HttpRequest Request)
        {
            HTML_Stuff = Request.Form["HTML_Stuff"]; // <-- ERROR HAPPENS HERE!!!!!!

            // sanitation and validation

            String Select = String.Format("UPDATE Car Set HTML_Stuff = {0} WHERE id = {1}", HTML_Stuff, id);

            // Execute DB Command
        }
    }
}

As shown in the code, I'm getting an error when I try to set a member equal to a request variable that has HTML.

Edit: The error is 'A potentially dangerous Request.Form value was detected'

Here's what I've tried:

• Change the validation mode in web.config, but I don't want to change the validation for my entire site, when only one variable will have HTML.

• [AllowHtml] in the Model, however I'm still getting the same error - as if [AllowHtml] did nothing at all.

• [ValidateInput(false)] in the Controller, similar to AllowHtml, it seems to have no affect whatsoever.

Am I missing something here?

Answer 1

I had the same problem. "requestValidationMode="2.0"" was set in web.config, [AllowHtml] was also set on proper property and I still got the error "A potentially dangerous Request.Form value detected...".

But I observed that the controller method actually was called (I was able to debug the method) so this had to meant that validation is in fact turned off. In Call Stack I noticed repeatedly occurring of classes around cache like "System.Web.Caching.OutputCacheModule" and this led me to an idea that this has something to do with cache I had turned off on the whole controller like this "[OutputCache(NoStore = true, Duration = 0)]".

Based on this I tried to also set Location of the cache to OutputCacheLocation.None and this did the trick. So I ended up with [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)] working and finally not validating and not failing my requests.