20

Has request validation changed for ASP.NET MVC 2, more precisely, not validating?

I did the following:

Web.configs (in App directory and Views directory)

<pages
    validateRequest="false"

Controller/Action Attribute

[ValidateInput(false)]

In @Page View Directive

ValidateRequest="false"

The page still gets validated an exception is thrown when HTML content is posted.

UPDATE

Created a new ASP.NET MVC 2 Application and I modified the Home Controller's Index to this

    [ValidateInput(false)]
    public ActionResult Index(string InputText)
    {
        ViewData["Message"] = "Welcome to ASP.NET MVC!";

        return View();
    }

and my View Page

<% using(Html.BeginForm()){ %>
    <%= Html.TextBox("InputText") %>
    <input type="submit" />
<% } %>

And still the same issue, an exception is thrown.

Improve this question

2 Answers 2

Reset to default
31

I should read the error more carefully next time:

To allow pages to override application request validation settings, set requestValidationMode="2.0" in the configuration section. After setting this value, you can then disable request validation by setting validateRequest="false"

I put this in the application's web.config

<system.web>
  <httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="" />
</system.web>

and it worked.

Update:

I was running ASP.NET 4 thats why :P

Improve this answer
Sign up to request clarification or add additional context in comments.

6 Comments

Inside the <system.web> begin/end tags
this did not work for me, I had to use the attributes for MVC2 RTM
@Alexandre Brisebois, odd are you using .NET 4?
yes, but thinking of it, it's on a project that was upgraded by VS 2010
I misunderstood your first comment. You have to use attributes AND this setting in your Web.config file for it to work in .NET 4
|
2

Insert obligatory warning about XSS here.

That you decorated the controller (or action) with the ValidateInputAttribute should be enough, as all validation is done at this controller level in ASP.NET MVC

I have just tried this now on an action, and it returns a nice, evil alert() when I output it, so I'd venture a guess that there's something else going on here.

Do you have an HandleErrorAttribute set up anywhere?

Improve this answer

2 Comments

I implemented a custom viewpage you can see at stackoverflow.com/questions/1480373/… , looking to see if anything is causing it to validate with ASP.NET MVC 2
No HandleError attribute too.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.