
Unable to disable "...potentially dangerous Request.Path..." in MVC 3

I'm aware that there are a LOT of posts on this topic, however no matter how hard I try (using the detail within such posts) I can't FULLY remove Request Validation from MVC 3.

By way of an ugly, but simple test I have followed these steps:-

  1. Open VS and create a new sample MVC3 Internet application.
  2. Above each of my Controller Actions I've placed the [ValidateInput(false)] attribute.
  3. Edit the root web.config so that <httpRuntime requestValidationMode="2.0" /> is in the <system.web /> section.

Whilst this now means that I can submit forms with things like <script> in the field, I still can't work out how to allow Request.Paths such as http://localhost/MySampleApp/Account/LogOn<script>.

If I call such a URL I still get "A potentially dangerous Request.Path value was detected from the client (<)."

Does anyone know how to REALLY remove all request validation in MVC 3 on .Net 4.0?

Many thanks,

isNaN1247 asked Oct 11 '22 13:10


1 Answer

You may find the following blog post useful. My personal advice would be to avoid using such characters in your url paths (unless strictly required) and use query string parameters for transmitting such data to the server:

http://localhost/MySampleApp/Account/LogOn?script=%3Cscript%3E
Darin Dimitrov answered Nov 15 '22 09:11
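
The query-string approach suggested in the answer, sketched as an added example that is not part of the original answer or the asker's project. It assumes the question's setup (requestValidationMode="2.0" and the default MVC 3 route); the Link action and the parameter name script are illustrative.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical controller for illustration. Assumes web.config contains
// <httpRuntime requestValidationMode="2.0" /> as described in the question.
public class AccountController : Controller
{
    // GET /Account/LogOn?script=%3Cscript%3E
    // The path contains no characters that Request.Path validation rejects;
    // the raw value travels in the query string instead.
    [HttpGet]
    [ValidateInput(false)] // request validation is switched off for this action only
    public ActionResult LogOn(string script)
    {
        string raw = script ?? string.Empty;

        // With request validation disabled, encoding at the point of output
        // is what keeps the value from being interpreted as markup.
        string safe = HttpUtility.HtmlEncode(raw);

        return Content("<p>Received: " + safe + "</p>", "text/html");
    }

    // Builds the link. "script" is not a segment of the default
    // {controller}/{action}/{id} route, so Url.Action appends it as a
    // percent-encoded query-string value: ...LogOn?script=%3Cscript%3E
    [HttpGet]
    public ActionResult Link()
    {
        string url = Url.Action("LogOn", "Account", new { script = "<script>" });
        return Content(url, "text/plain");
    }
}
```

Because [ValidateInput(false)] is scoped to the one action, every other action in the application keeps the framework's request validation.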