Can a page's ValidateRequest setting be overridden?

Question

I have an ASP.NET MVC form that may (usually does) submit a response that would trigger the "A potentially dangerous Request.Form value was detected form the client" error.

To try to get around this, I have placed a ValidateRequest="false" in the page directive.

Only problem: I'm still getting the error!

Now, all was good until I updated to the ASP.NET MVC RC this morning, and (according to the readme), placed the following in the Views web.config:

<pages validateRequest="false"         pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"        pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"        userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">     <controls>         <add assembly="System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />     </controls> </pages> 

So, validateRequest should be false for all pages, right? What am I missing?

Answer 1

In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don't know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it's too late to do anything about it. The controller already will have committed the dangerous input to the database.

Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.