I had to integrate CKEditor in my current MVC 3 (beta) project (System.Web.Mvc.dll version 3.0.10714.0), and come across this error when posting HTML markup:
Server Error in ‘/MyApp’ Application.
A potentially dangerous Request.Form value was detected from the client
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode=”2.0″. Example: . After setting this value, you can then disable request validation by setting validateRequest=”false” in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.
I set the requestValidationMode attribute in web.config, and the ValidateRequest attribute in the Page declaration, as described, but this did not change the web page’s behavior.
I found that MVC 3 requires the [ValidateInput(false)] attribute on the controller action (in addition to the requestValidationMode setting) instead of the Page ValidateRequest attribute, and it works indeed, even on asynchronous actions.
From the ASP.Net 4 Breaking Changes page, it is also not clear how to disable request validation and use the ASP.Net 4 request pipeline.
By the way: Using jQuery.ajax() and posting JSON data using the JSON.stringify() function, similar content can be posted without any validation errors.