I have an ASP.NET MVC form that may (usually does) submit a response that would trigger the "A potentially dangerous Request.Form value was detected from the client" error.
To try to get around this, I have placed a ValidateRequest="false" in the page directive.
Only problem: I'm still getting the error!
Now, all was good until I updated to the ASP.NET MVC RC this morning, and (according to the readme), placed the following in the Views web.config:
    <pages validateRequest="false"
           pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
      <controls>
        <add assembly="System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
             namespace="System.Web.Mvc"
             tagPrefix="mvc" />
      </controls>
    </pages>
So, validateRequest should be false for all pages, right? What am I missing?
Request validation is a feature in ASP.NET that examines HTTP requests and determines whether they contain potentially dangerous content. This check adds protection from mark-up or code in the URL query string, cookies, or posted form values that might have been added for malicious purposes.
The ValidateRequest setting can be set to FALSE in the @Page Directive.
In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don't know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it's too late to do anything about it. The controller already will have committed the dangerous input to the database.
Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.
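The attribute placement described in the answer above, as an added example that is not code from the original posts. The controller, action, and parameter names and the length limit are hypothetical, and the in-memory list stands in for a database. Because `[ValidateInput(false)]` turns off the built-in check, the example scopes it to the one POST action that needs it and HTML-encodes the stored text before it reaches a view.

```csharp
using System.Collections.Generic;
using System.Web;
using System.Web.Mvc;

// Hypothetical controller: all names here are illustrative, not from the page.
public class CommentsController : Controller
{
    private const int MaxBodyLength = 4000;   // assumed application limit
    private static readonly List<string> Store = new List<string>(); // stand-in for a database
    private static readonly object StoreLock = new object();

    // Request validation stays enabled here: no attribute on this action.
    public ActionResult Index()
    {
        return View(EncodedComments());
    }

    // Opt out for this action only, not for the whole controller.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Create(string body)
    {
        // With the built-in check off, the action does its own input checks.
        if (string.IsNullOrEmpty(body) || body.Length > MaxBodyLength)
        {
            ModelState.AddModelError("body", "Comment must be 1 to 4000 characters.");
            return View("Index", EncodedComments());
        }

        // Store the raw text; encoding is applied on output, not on input.
        lock (StoreLock) { Store.Add(body); }
        return RedirectToAction("Index");
    }

    // HTML-encode every stored value so markup submitted by a user is
    // rendered as text rather than interpreted by the browser.
    private static List<string> EncodedComments()
    {
        List<string> encoded = new List<string>();
        lock (StoreLock)
        {
            foreach (string raw in Store)
                encoded.Add(HttpUtility.HtmlEncode(raw));
        }
        return encoded;
    }
}
```

The view must write these strings as-is and not encode them a second time; alternatively, pass the raw strings and call `Html.Encode` in the view, but do only one of the two.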