ValidateInput Attribute Doesn't Seem To Work in ASP.NET MVC

I'm trying to get around the "potentially dangerous Request.Form value" error and I'm having no luck. Yes, yes, I've read all the other StackOverflow related questions and none of them seem to get me closer to an answer. I am using [ValidateInput(false)] on all related controller actions...and I've checked many times. I'm using ValidateRequest='false' in all the related ASPX views.

I am using ASP.NET MVC 2 Preview 1, but I don't think that's an issue since the error is being generated lower in the framework; Page.ProcessRequest to be exact. I can't see anything I'm doing wrong, I even set <page validateRequest='false'> in the web.config and that didn't solve it either.

JC Grubbs asked Sep 22 '09 17:09


2 Answers

With asp.net 4, you'll need to configure the validation mode in the web.config as well.

Set the following as a child of the <system.web> element:

<httpRuntime requestValidationMode="2.0"/>

Asp.Net 4 sets the requestValidationMode to 4.0 by default, which tells the system to perform request validation before the BeginRequest phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing the ValidateInput attribute to work as expected.

(thanks Jim - upvotes belong here)

Simon_Weaver answered Sep 21 '22 03:09


Well...answered my own problem...the culprit: Html.RenderAction<T>. If there are any calls to other actions in the request context (e.g. from the Master Page or child partials) these actions also need to have [ValidateInput(false)] set appropriately. This seems like a bit of a problem though with MVC or the way the Page object works in ASP.NET as this is a really obfuscated bug to find.

JC Grubbs answered Sep 21 '22 03:09
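The two answers above combined into one controller, as an added example that is not part of the original posts. CommentsController, Post, Sidebar and the "Body" key are hypothetical names, and the block assumes the web.config already carries the httpRuntime setting from the first answer. Because the built-in check no longer runs for these actions, the posted value is HTML-encoded where it is written out.

```csharp
// Added example; CommentsController, Post, Sidebar and "Body" are hypothetical names.
// Assumes web.config contains, as a child of <system.web>:
//   <httpRuntime requestValidationMode="2.0"/>
using System.Web.Mvc;

public class CommentsController : Controller
{
    // The action that receives the form post opts out of request validation.
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Post(string body)
    {
        // With validation off, 'body' may contain markup or script.
        // Keep the raw value in the model and encode it at the point of output,
        // e.g. in the view: <%= Html.Encode(ViewData["Body"]) %>
        ViewData["Body"] = body;
        return View();
    }

    // Child action pulled in by the master page or a partial via Html.RenderAction.
    // It executes inside the same request as Post, so (per the second answer)
    // it needs the attribute too, or the "potentially dangerous Request.Form
    // value" error is raised from this action instead.
    [ValidateInput(false)]
    public ActionResult Sidebar()
    {
        // This action does not read the posted form; it only renders a partial.
        return PartialView();
    }
}
```

Any view that writes ViewData["Body"] without Html.Encode would emit the unvalidated input verbatim, so the encoding step replaces the protection that [ValidateInput(false)] switches off.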