Disabling Request Validation in ASP.Net 4 MVC 3 Beta

I had to integrate CKEditor in my current MVC 3 (beta) project (System.Web.Mvc.dll version 3.0.10714.0), and came across this error when posting HTML markup:

Server Error in ‘/MyApp’ Application.

A potentially dangerous Request.Form value was detected from the client

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Not quite!

I set the requestValidationMode attribute in web.config, and the ValidateRequest attribute in the Page declaration, as described, but this did not change the web page’s behavior.

I found that MVC 3 requires the [ValidateInput(false)] attribute on the controller action (in addition to the requestValidationMode setting) instead of the Page ValidateRequest attribute, and it does indeed work, even on asynchronous actions.
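The combination described above, as an added example that is not code from the original post: the httpRuntime switch in web.config plus [ValidateInput(false)] on the single POST action that receives the editor's HTML, with the server-side check the error message asks for. The controller and action names are assumptions, and so is the use of the Microsoft AntiXSS library's Sanitizer.GetSafeHtmlFragment for the whitelist check; any HTML sanitizer you trust can take its place.

```csharp
using System.Web.Mvc;
using Microsoft.Security.Application; // AntiXSS library 4.x, assumed to be referenced

// Required in web.config; without it MVC 3 beta on ASP.NET 4 rejects the
// request before the action attribute is ever consulted:
//
//   <system.web>
//     <httpRuntime requestValidationMode="2.0" />
//   </system.web>

// Hypothetical controller for the page that hosts CKEditor.
public class ArticleController : Controller
{
    [HttpGet]
    public ActionResult Edit()
    {
        return View();
    }

    // Request validation is switched off for this action only. Every other
    // action, including the GET above, keeps the default protection.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Edit(string title, string body)
    {
        if (string.IsNullOrEmpty(body))
        {
            ModelState.AddModelError("body", "Content is required.");
            return View();
        }

        // "title" is plain text and should never carry markup. Validation is
        // off for the whole action, so reject angle brackets here explicitly
        // instead of relying on the framework.
        if (title != null && title.IndexOf('<') >= 0)
        {
            ModelState.AddModelError("title", "Markup is not allowed in the title.");
            return View();
        }

        // "body" is CKEditor output that bypassed request validation, so the
        // whitelist check has to happen before it is stored and later rendered
        // raw. GetSafeHtmlFragment strips script blocks, event-handler
        // attributes and javascript: URLs and keeps ordinary formatting tags.
        string safeBody = Sanitizer.GetSafeHtmlFragment(body);

        // Persisting the article is outside the scope of this example.
        TempData["Saved"] = safeBody;
        return RedirectToAction("Edit");
    }
}
```

Putting the attribute on one action rather than turning validation off application-wide keeps the exemption as narrow as the feature needs: only the field that legitimately carries markup is exempt, and that field is checked on the server regardless of whatever filtering the editor does in the browser.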

However, I am a bit worried about upgrading to MVC 3 RC, since the internets say that request validation cannot be switched off in RC.

From the ASP.Net 4 Breaking Changes page, it is also not clear how to disable request validation and use the ASP.Net 4 request pipeline.

By the way: using jQuery.ajax() and posting the same content as JSON (built with JSON.stringify()), similar markup goes through without any validation error. That is not because the content is any safer: request validation inspects the parsed form, query string and cookie collections, not a raw JSON request body read from the input stream, so in that case your own server-side check is the only one that runs.
