11

I am trying to turn off Request Validation for all action methods in a controller by doing this:

[ValidateInput(false)]
public class MyController : Controller
{
    ...

The reference I am using says this is possible and tells me to do it this way, but for some reason it's not working.

If I submit any html (even a simple <b> tag) through a text box, I get the error:

A potentially dangerous Request.Form value was detected from the client (text=<b>").

It's also not working by attaching the attribute to an individual method.

How can I disable Request Validation for a controller?

EDIT

I am working in VS2008 built in test server.

Improve this question
2
  • Based on all the stuff that's not working, you'll have to provide a lot more detail. Are you running in IIS, or Cassini? You are running MVC v1.0, right? What is the method signature of the action that is failing? Commented Jul 10, 2009 at 17:25
  • 4
    I love when I find someone asking the exact question I have- only to see that it is closed for not being applicable to other visitors. FML. Commented Apr 29, 2013 at 18:58

4 Answers 4

Reset to default
17

I tested it on my machine, on both the class definition and the action method, and it worked for me in both cases. Are you sure your view lines up with your method/controller? Are you putting the attribute on the GET method or the POST method?

[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]   
public ActionResult MyAction (int id, string content) {   
    // ...   
}
Improve this answer
Sign up to request clarification or add additional context in comments.

8 Comments

In the original question, I stated that I did that. And my reference, Apress Pro ASP.NET MVC Framework, clearly states, "If you want to disable it either for a specific action method or across a specific controller, you can use the [ValidateInput] filter, as follows: [ValidateInput(false)] public class MyController : Controller { ... }"
See stackoverflow.com/questions/807662/…
Sorry, Ronnie. It works on my machine, whether I put the attribute on the method or the class.
I have tried on the controller and the action. I know the view lines up with the action method, because I have only 1 view and 1 controller. I have done a complete build and rebuild. I don't understand why this will not work!
So there is something systemically wrong. Consider creating a new project with a simple controller and view, and test again. There is a counterpart in plain ASP.NET that can be tested also. Did you stumble across this post? stackoverflow.com/questions/1038102/…
|
13

To make it working you need to modify web.config as well:

<system.web>
    <httpRuntime requestValidationMode="2.0"/>
    ...
</system.web>
Improve this answer

1 Comment

I had an ASP.NET MVC 1.0 project deployed in production for over a year, tonight the client sends me an email telling me that one of the forms that uses a WYSIWYG editor wont submit. I've had [ValidateInput(false)] on the action for as long as the site has been deployed and it worked fine up until recently. The hosting provider must have changed something on their end. I added the httpRuntime tag to the system.web as Jan suggested and it fixed my issue.
3

Pro ASP.NET MVC Framework (p466) says the following is supposed to work:

public class MyController : Controller 
{
     public MyController() {
        ValidateRequest = false;
     }
}
Improve this answer

2 Comments

It doesn't intellisense or compile there. I tried putting it into the action method (where it does intellisense), but it didn't work.
"ValidateRequest = false;" is supposed to be in the constructor. I I had tried it on one of my controllers but transcribed it wrong.
0

Can you post your controller file and your view file.

This works;

MytestController--------------------------------

using System;
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;
using System.Web.Mvc.Ajax;

namespace testapp.Controllers
{
    [ValidateInput(false)]
    public class MyTestController : Controller
    {

        public ActionResult Index()
        {
            return View();
        }

    }
}

MyTest(Index)-------------------------------------------------------

<%@ Page Language="C#" Inherits="System.Web.Mvc.ViewPage" %>

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">

<html xmlns="http://www.w3.org/1999/xhtml" >
<head runat="server">
    <title>Index</title>
</head>
<body>
 <% using (Html.BeginForm()) { %>
 <%= Html.TextBox("test")%>
 <button type="submit"  >Submit</button>
 <%} %>
</body>
</html>
Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.