Reputation: 19197
I am using CKEditor/CKFinder as a WYSIWYG editor on my MVC.NET site.
I have set [ValidateInput(false)] and it works when debugging it locally, but I receive the following error when I have published the site:
A potentially dangerous Request.Form value was detected from the client (message="<p>
<em>Testing</e...").
Can anyone explain why the published site is different from the local site, especially when I have set [ValidateInput(false)]?
*Update:* I am using .Net 3.5 so shouldn't [ValidateInput(false)] work out of the box?
Upvotes: 11
Views: 14840
Reputation: 3351
Have you tried setting the htmlEncodeOutput property?
CKEDITOR.replace('editor1', {
    htmlEncodeOutput: true
});
This should encode the output and you should be able to avoid setting the requestValidationMode.
Documentation for it is here: ckEditor documentation
Upvotes: 27
Reputation: 21
Use Request.Unvalidated["myTextBox"], for example:
var text = Request.Unvalidated["myTextBox"];
where "myTextBox" is the form field you want to allow HTML to be posted from.
Upvotes: 0
Reputation: 78
Add ValidateRequest="false" to your Page:
<%@ Page Language="C#" AutoEventWireup="false" Codebehind="MyForm.aspx.cs" Inherits="Proj.MyForm" ValidateRequest="false"%>
Or add to web.config if using .NET Framework 4.0 (Visual Studio 2010):
<httpRuntime requestValidationMode="2.0" />
Upvotes: 0
Reputation: 486
ValidateRequest="false" Add this in the particular Page.
Example:
Upvotes: 0
Reputation: 115
Just add an Annotation to the Post method Action as [ValidateInput(false)]
[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Detail(ModelClass m)
{
    return View();
}
Upvotes: 0
Reputation: 3963
Add this to your web.config:
<httpRuntime requestValidationMode="2.0" />
Upvotes: 7
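Added example, not code from any of the posts above: htmlEncodeOutput, [ValidateInput(false)] and requestValidationMode="2.0" only get the editor's markup past request validation, so the action still has to restrict what it stores or renders. This C# example decodes the posted value once, HTML-encodes all of it, and restores only an attribute-free tag allowlist; the class name, the tag list and the sample posts are assumptions.

```csharp
using System;
using System.Web; // HttpUtility (System.Web.dll on .NET Framework)

// Added example: EditorHtml and its members are hypothetical names.
public static class EditorHtml
{
    // Attribute-free tags the site agrees to render (assumed policy).
    static readonly string[] AllowedTags =
        { "p", "em", "strong", "u", "ul", "ol", "li", "blockquote" };

    // With htmlEncodeOutput: true the editor posts entity-encoded markup,
    // so the server decodes it exactly once to get the HTML back.
    public static string FromEditor(string posted)
    {
        return HttpUtility.HtmlDecode(posted ?? string.Empty);
    }

    // Encode everything, then restore only exact allowlisted tags.
    // Tags with attributes, unknown tags and upper-case variants never
    // match, so they stay encoded and are displayed as text.
    public static string ToSafeHtml(string html)
    {
        string s = HttpUtility.HtmlEncode(html ?? string.Empty);
        foreach (string tag in AllowedTags)
        {
            s = s.Replace("&lt;" + tag + "&gt;", "<" + tag + ">")
                 .Replace("&lt;/" + tag + "&gt;", "</" + tag + ">");
        }
        return s.Replace("&lt;br /&gt;", "<br />");
    }

    public static void Main()
    {
        // Constructed sample posts, as sent with htmlEncodeOutput: true.
        string[] posted = {
            "&lt;p&gt;&lt;em&gt;Testing&lt;/em&gt;&lt;/p&gt;",
            "&lt;p&gt;Hi&lt;script&gt;alert(1)&lt;/script&gt;&lt;/p&gt;",
            "&lt;p onclick=&quot;x()&quot;&gt;Hi&lt;/p&gt;"
        };
        foreach (string value in posted)
        {
            Console.WriteLine(ToSafeHtml(FromEditor(value)));
        }
    }
}
```

Inside a controller action the same two calls would wrap the posted field before it is saved; unbalanced tags can survive this filter and affect layout, but no attribute, script or unlisted element is restored.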