
asp mvc "A potentially dangerous Request.Form..."

I'm sending a POST with HTML to a controller, and get an exception in Chrome:

Failed to load resource: the server responded with a status of 500 (Internal Server Error)

.NET 4.0, the web server is the VS2010 WebDev server. My config:

<system.web>
<compilation debug="true" targetFramework="4.0">
<assemblies>
<add assembly="System.Web.Abstractions, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Web.Routing, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Web.Mvc, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/>
<add assembly="System.Web.DataVisualization, Version=4.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"/></assemblies>
</compilation>
<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false">
<namespaces>
<add namespace="System.Web.Mvc"/>
<add namespace="System.Web.Mvc.Ajax"/>
<add namespace="System.Web.Mvc.Html"/>
<add namespace="System.Web.Routing"/>
</namespaces>
</pages>

...

What am I missing?

eba, asked Dec 29 '10


2 Answers

You need to set [ValidateInput(false)] on the Controller Action that you want to allow HTML for. (Or on the entire controller, but that's bad practice.)

The other important thing is one that you got already, <httpRuntime requestValidationMode="2.0" /> in the web.config.

Setting RequestValidate in the .aspx files or web.config does not work in MVC as it's the controller, not the View that does request validation.

Edit: In the meantime, MVC 3 was released. This allows you to decorate individual properties of your model with [AllowHtml] to make them safe without completely disabling Request Validation.

Michael Stum, answered Oct 05 '22


If you are using MVC 3 RC then you can use the new attribute [AllowHtml] on your property

instead of setting [ValidateInput(false)] on the Controller Action. The latter will not help you prevent XSS attacks.

ASP.NET MVC includes built-in support to protect against HTML and Cross-Site Script Injection Attacks, and will throw an error by default if someone tries to post HTML content as input. Developers need to explicitly indicate that this is allowed (and that they’ve hopefully built their app to securely support it) in order to enable it. With ASP.NET MVC 3, we are also now supporting a new attribute that you can apply to properties of models/viewmodels to indicate that HTML input is enabled, which enables much more granular protection in a DRY way. In last month’s RC release this attribute was named [SkipRequestValidation]. With RC2 we renamed it to [AllowHtml] to make it more intuitive: Setting the above [AllowHtml] attribute on a model/viewmodel will cause ASP.NET MVC 3 to turn off HTML injection protection when model binding just that property.

swapneel, answered Oct 05 '22
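Both answers describe the same two options: the MVC 2 way ([ValidateInput(false)] on the action) and the MVC 3 way ([AllowHtml] on a single model property). The following is an added example, not code from the question or from either answer, showing both side by side in one controller; the names PostViewModel, PostsController, Create and CreateLegacy are hypothetical, and it assumes an MVC 3 project on .NET 4.0.

```csharp
// Added example (hypothetical names; not from the original post or answers).
using System.ComponentModel.DataAnnotations;
using System.Web;
using System.Web.Mvc;

public class PostViewModel
{
    [Required]
    public string Title { get; set; }

    // MVC 3: request validation is skipped for this one property only.
    // Title and every other bound value are still checked for
    // "potentially dangerous" input.
    [AllowHtml]
    public string Body { get; set; }
}

public class PostsController : Controller
{
    // MVC 3 style: no attribute on the action; [AllowHtml] on the model
    // is what lets the markup through model binding.
    [HttpPost]
    public ActionResult Create(PostViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // [AllowHtml] only turns off the request-validation check; the markup
        // arrives exactly as posted. Encode it on output (Razor's @Model.Body
        // does this by default) or pass it through an HTML sanitizer before
        // ever rendering it with @Html.Raw. Storing it unencoded and encoding
        // at render time keeps the original intact without creating an XSS sink.
        ViewBag.Preview = HttpUtility.HtmlEncode(model.Body);
        return View("Preview", model);
    }

    // MVC 2 style (still supported in MVC 3): disables request validation
    // for EVERY parameter of this action, not just the HTML field. As the
    // first answer notes, on .NET 4.0 with MVC 2 this also needs
    // <httpRuntime requestValidationMode="2.0" /> in web.config.
    [HttpPost, ValidateInput(false)]
    public ActionResult CreateLegacy(string title, string body)
    {
        ViewBag.Preview = HttpUtility.HtmlEncode(body);
        return View("Preview");
    }
}
```

The practical difference is scope: [ValidateInput(false)] widens the exposed surface to every field the action binds, whereas [AllowHtml] narrows it to the one property that genuinely needs markup. Neither attribute sanitizes anything, so the encoding or sanitizing step on output is what actually prevents the injected script from executing.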