Reputation: 13788
ASP.NET Request Validation Exception Even When Validation Is Disabled
I am using ASP.NET MVC 2, .NET 4.0.
I have a controller that disables request validation:
[AcceptVerbs("POST")]
[ValidateInput(false)]
public ActionResult Add(string userId, FormCollection formValues)
{
//...
}
and I still get a HttpRequestValidationException when a POST contains HTML:
System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (ThisWeek=""). at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) at System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) at System.Web.HttpRequest.get_Form() at System.Web.Mvc.HttpRequestExtensions.GetHttpMethodOverride(HttpRequestBase request) at System.Web.Mvc.AcceptVerbsAttribute.IsValidForRequest(ControllerContext controllerContext, MethodInfo methodInfo) at System.Linq.Enumerable.All[TSource](IEnumerable`1 source, Func`2 predicate) at System.Web.Mvc.ActionMethodSelector.RunSelectionFilters(ControllerContext controllerContext, List`1 methodInfos) at System.Web.Mvc.ReflectedControllerDescriptor.FindAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.ControllerActionInvoker.FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, String actionName) at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) at System.Web.Mvc.Controller.ExecuteCore() at System.Web.Mvc.MvcHandler.c__DisplayClass8.b__4() at System.Web.Mvc.Async.AsyncResultWrapper.c__DisplayClass1.b__0() at System.Web.HttpApplication.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I need to allow HTML text in the input here as the app is a bug tracking system and people talk about HTML in their bug submissions. I am handling the inputs of this action correctly and appropriately encoding things as they are re-output, so it is reasonable to disable validation for this action.
We recently switched to MVC2 and .NET 4 and this started appearing. From the stack trace, it appears that the validation is happening as part of processing of the new support for HTTP method overrides (making a POST look like a PUT or DELETE by including a specially named hidden input). But I don't know how to tell that subsystem to stop validating the input.
What do I need to do to make this work?
Upvotes: 3
Views: 1836
Answers (2)
Reputation: 13359
Yeah .NET4 upped the security a bit. You can put it back to .NET2 mode in web.config like this:
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
Upvotes: 4
Reputation: 3034
Add this to system.web section of your web.config:
<httpRuntime requestValidationMode="2.0" />
Upvotes: 4
Related Questions
- How do I turn off request validation in MVC3?
- Validation exception even with ValidateRequest="false"
- I can't turn off Request Validation for an ASP.NET MVC Controller
- Request validation turned off doesn't work on MVC pages
- why I cant disable request validation?
- How do I turn off request validation in MVC2?
- MVC request validation is off, still throws exception when accessing Request.Form
- ValidateRequest="false" not worked
- Conditionally disable validation
- How to disable request validation in ASP.NET MVC running at IIS6?