Jorge Zuverza

Reputation: 915

A potentially dangerous Request in ASP.NET 4

I'm getting the following error in ASP.NET 4:

A potentially dangerous Request.Path value was detected from the client (<).

I have read that I need to use requestValidationMode="2.0" in my Web.config:

<system.web>
    <compilation debug="true" targetFramework="4.0" />
    <httpRuntime requestValidationMode="2.0" />
</system.web>

So my method looks like:

[ValidateInput(false)]
public ActionResult Search(string query, string type)
{
    // method body

    return result;
}

It works great. However, I cannot modify my Web.config file because many other applications rely on this file and it may cause a security vulnerability or an error somewhere else.

My application is secure enough to accept special characters, but I cannot say the same for the rest of the system being developed. Is there an alternative to accept special characters as input in my method?

Example:

www.mydomain.com/search/query/<myquery<ffoo/type/dept

Upvotes: 3

Views: 2437

Answers (1)

MethodMan

Reputation: 18843

I have the same problem in my current project. I will post what I had to add in order to correct this. Also keep in mind that there is a bug in .NET 4.0 where this used to work in .NET 2.0. My project is 3.5; however, I think that in the IIS AppPool they have our project set to run 4.0.

I added this in my web config file and it corrected the odd errors that I was experiencing:

<httpRuntime requestValidationMode="2.0"
   requestPathInvalidCharacters="*,:,&amp;,\"
   relaxedUrlToFileSystemMapping="true"
/>

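For MVC you could try the following:

using System.Web.Helpers;

[HttpPost]
[ValidateInput(false)]
public ViewResult Edit(ContentTemplateView contentTemplateView)
{
    // Read the posted form values without triggering request validation.
    FormCollection collection = new FormCollection(Request.Unvalidated().Form);

    // ... (the rest of the method is not shown in the original answer)
    return View(contentTemplateView);
}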

Upvotes: 1
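
An added example, not part of either post above: an MVC action that skips request validation for one value only, then bounds and HTML-encodes it itself, with no change to the shared Web.config. It assumes ASP.NET MVC 3 on .NET 4.0 (where the `Request.Unvalidated()` extension from `System.Web.Helpers` is available) and that the search term is sent in the query string rather than the URL path, because path characters are checked separately through `requestPathInvalidCharacters`; the controller name, route and length limit are hypothetical.

```csharp
using System;
using System.Web;
using System.Web.Helpers;   // provides the Request.Unvalidated() extension method
using System.Web.Mvc;

// Hypothetical controller; the route /search?query=...&type=... is an assumption.
public class SearchController : Controller
{
    // Hypothetical upper bound on the accepted search term.
    private const int MaxQueryLength = 200;

    // Example request (constructed): /search?query=%3Cmyquery%3Cffoo&type=dept
    [HttpGet]
    public ActionResult Index(string type)
    {
        // "query" is deliberately NOT an action parameter: binding it would run
        // request validation on it. Only this one key is read unvalidated;
        // "type" and everything else on the request is still validated.
        string rawQuery = Request.Unvalidated().QueryString["query"];

        // With built-in validation bypassed, the action owns the input checks.
        if (String.IsNullOrWhiteSpace(rawQuery) || rawQuery.Length > MaxQueryLength)
        {
            return new HttpStatusCodeResult(400, "Invalid query");
        }

        // rawQuery may contain '<', '>' and '&'. Pass it to the search backend
        // as data (for example a SQL parameter), never concatenated into a query.

        // Encode at the point of output so the value cannot become markup.
        string safeQuery = HttpUtility.HtmlEncode(rawQuery);
        string safeType = HttpUtility.HtmlEncode(type ?? String.Empty);

        return Content(
            "<p>Results for <b>" + safeQuery + "</b> in " + safeType + "</p>",
            "text/html");
    }
}
```

In a Razor view the same encoding is applied by `@Model.Query`; `Html.Raw` on the unvalidated value would reintroduce the cross-site scripting risk that request validation was screening for.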
