mscha

Reputation: 6840

How can I bypass request validation for a single field?

I can see the need for request validation in this age of XSS and other hacks. But it can be a bit of overkill; it's like cutting off your child's legs to ensure he won't run onto the road and get killed.

We're getting complaints from that it isn't possible to set a password like <password>. The only way to fix this, as far as I can tell, is to set ValidateRequest="false" on a whole bunch of pages (such as registration, logon, reset password). And when using .NET 4.0, you also need to set <httpRuntime requestValidationMode="2.0" /> for the whole application.

Is this really the only way? Is there no way to state that only the password field should not be validated?

Upvotes: 4

Views: 2673

Answers (2)

StuartLC

Reputation: 107317

In ASP.NET MVC, you now have the following options for disabling request validation:

Disable request validation on a controller action:

[ValidateInput(false)]
ActionResult SomeAction(string validationIgnored){...}

On a property on a (View)Model:

[AllowHtml]
string SomeProperty {get; set;}

Or use Request.Unvalidated() on posted form fields:

var rawField = Request.Unvalidated().Form["field"];

Upvotes: 3

Wiktor Zychla

Reputation: 48280

In ASP.NET 4 you can create your own custom server-side request validator, which could possibly accept such atypical requests. Writing one is easy; the first googled example should let you start writing your own:

http://jefferytay.wordpress.com/2010/04/15/creating-your-own-custom-request-validation/

Upvotes: 3
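A custom validator of the kind described in the answer above, as an added example that is not part of the original answers: it skips the built-in check only for named password form fields and delegates everything else to the default validator, so `ValidateRequest` can stay enabled on every page. The namespace, class name, assembly name and field names are assumptions; `RequestValidator`, `IsValidRequestString` and the `requestValidationType` attribute are the ASP.NET 4 API.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace ExampleApp.Security // hypothetical namespace
{
    // Register in web.config (assembly name "ExampleApp" is an assumption):
    //   <httpRuntime requestValidationType=
    //       "ExampleApp.Security.PasswordFieldRequestValidator, ExampleApp" />
    public class PasswordFieldRequestValidator : RequestValidator
    {
        // Hypothetical field names; use the names your forms actually post.
        private static readonly string[] ExemptFields = { "Password", "ConfirmPassword" };

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only posted form values, never query string, cookies or headers.
            if (requestValidationSource == RequestValidationSource.Form
                && IsExempt(collectionKey))
            {
                validationFailureIndex = -1; // no failure position to report
                return true;
            }

            // Everything else goes through the framework's default validation.
            return base.IsValidRequestString(
                context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }

        private static bool IsExempt(string key)
        {
            if (string.IsNullOrEmpty(key)) return false;
            foreach (string name in ExemptFields)
            {
                // Web Forms posts the control's UniqueID, e.g. "ctl00$Main$Password",
                // so match the bare name or the last "$"-separated segment.
                if (key.Equals(name, StringComparison.Ordinal)
                    || key.EndsWith("$" + name, StringComparison.Ordinal))
                    return true;
            }
            return false;
        }
    }
}
```

Because the exempted value now reaches the page unchecked, it should only be hashed or compared and never written back into rendered HTML without encoding.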
