Potentially dangerous Request caused by OutputCache filter

I'm seeing a strange behavior in my MVC3 application. I have an Action that is called by Ajax, and receives a Post with HTML text. I want to allow the entry of HTML, so I set the ValidateInput(false) attribute. I also have a global OutputCache filter with these parameters: (NoStore = true, Duration = 0, VaryByParam = "*")
The code looks like this:

[HttpPost]
[ValidateInput(false)]
[OutputCache(NoStore = true, Duration = 0, VaryByParam = "*" )]
public ActionResult Edit(SomeModel someModel)
{
   saveModel(someModel);
   return new AjaxEditSuccessResult();
}

When I send a post to that method, it is executed and the model is saved, but the response I get is the standard "A potentially dangerous Request.Form value was detected from the client" error message, with this stacktrace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (text="<p class="MsoNormal"...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9665149
System.Web.<>c__DisplayClass5.<ValidateHttpValueCollection>b__3(String key, String value) +18
System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9664565
System.Web.HttpValueCollection.Get(String name) +17
System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(String path, HttpVerb verb, HttpContext context, CachedVary cachedVary) +676
System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(HttpContext context, CachedVary cachedVary) +55
System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs) +9716788
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +136
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +69

Do you know if I can indicate in any way to the OutputCache attribute that it needs to respect the ValidateInput attribute?

Guillermo Vasconcelos asked Dec 09 '22 18:12


1 Answer

There are two places in the flow where validation is invoked:

  1. on controller method invocation
  2. when the rendered result is stored in the cache.

You have fixed the first problem with ValidateInputAttribute(false), but it looks like the cache module is ignoring the NoStore directive and still tries to construct the cache key, and before doing that it validates the arguments. To get rid of that, specify Location = System.Web.UI.OutputCacheLocation.None, so that the cache module will not even try to do anything. Replace your OutputCache[...] with something like this:

[OutputCache(NoStore = true, Location = System.Web.UI.OutputCacheLocation.None)]
Alex Vlasov answered Feb 20 '23 15:02