MVC 4 - Razor - "a potentially dangerous request.form value was detected from the client"

Question

I have an i-Frame on my view that links to an external site. This site takes in some values and some config settings. As part of these config settings is a "CallBackURL". This external website posts to this CallBackUrl.

I specified the CallBackURL to be an action on my control.

View Code

<form id="testForm" method="post" target="testFrame">
  <input type="hidden" name="RequestXML" ID="RequestXML" value="<Request><RedirectURL>Account/TokenRequest</RedirectURL></Request>"
</form>

<iframe id="testFrame" name="testFrame" frameborder="0" style="width:1000px;height:500px"></iframe>

Controller Code

  [HttpPost]
  [ValidateInput(false)]
  public ActionResult TokenRequest()
  {
    if (Request.Form["ResponseXML"] != null)
      ViewBag.ResponseXML = Request.Form["ResponseXML"];

    return PartialView();
  }

inside my controller action I get the following error:"a potentially dangerous request.form value was detected from the client"

I also set this in the webconfig

<httpRuntime requestValidationMode="2.0" />
<pages validateRequest="false"...

What am I doing wrong?

EDIT I was editing the wrong web.config file. I was adding it to the web.config inside the views folder. Once I changed it to the right place it started working.

Answer 1

The above solution was not working for me in MVC4. What works for me is only to put an attribute above the action. No need to change your web.config or add AllowHtml attribute.

[HttpPost]
[ValidateInput(false)]
public ActionResult TokenRequest(TokenRequestModel model)
{
  if (!string.IsNullOrEmpty(model.ResponseXML))
  ViewBag.ResponseXML = model.ResponseXML;
  // ...