Logo Questions Linux Laravel Mysql Ubuntu Git Menu
 

Why is ValidateInput(False) not working?

I am converting an application I created using webforms to the asp.net mvc framework using vb.net. I have a problem with one of my views. I get the yellow screen of death saying "A potentially dangerous Request.Form value was detected from the client" when I submit my form. I am using tinymce as my RTE. I have set on the view itself

ValidateRequest="false"

I know that in MVC it doesn't respect it on the view from what I've read so far. So I put it on the controller action as well. I have tried different setups:

<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _ 

...and...

<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _ 

...and like this as well...

<ValidateInput(False)> _ <AcceptVerbs(HttpVerbs.Post)> _ 

Just to see if it made a difference, yet I still get the yellow screen of death. I only want to set it for this view and the specific action in my controller that my post pertains to. Am I missing something?

like image 708
Dekryptid Avatar asked Apr 30 '09 15:04

Dekryptid


People also ask

What is ValidateInput false?

ValidateInput(false) attribute is used to allow sending HTML content or codes to server which by default is disabled by ASP.Net MVC to avoid XSS (Cross Site Scripting) attacks.

What is ValidateInput in MVC?

The ValidateInput attribute is used to allow sending the HTML content or codes to the server which, by default, is disabled by ASP.NET MVC to avoid XSS (Cross-Site Scripting) attacks. This attribute is used to enable or disable the request validation. By default, request validation is enabled in ASP.NET MVC.


1 Answers

With asp.net 4, you'll need to configure the validation mode in the web.config as well.

Set the following as a child of the <system.web> element:

<system.Web>   ...   <httpRuntime requestValidationMode="2.0"/>      

Asp.Net 4 sets the requestValidationMode to 4.0 by default, which tells the system to perform request validation before the BeginRequst phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing the ValidateInput attribute to work as expected.

like image 121
Jim Geurts Avatar answered Sep 28 '22 16:09

Jim Geurts