Thursday, June 2, 2011

Disable RequestValidation in ASP.NET MVC3

In a recent ASP.NET MVC3 project I’ve got the dreaded yellow screen of death with the error

A potentially dangerous Request.Form value was detected from the client

What to do? I’ve got the error in ASP.NET forms, and know how to fix it by disabling request validation. Request validation can be disabled both globally and on a single page. Generally I would recommend not disabling request validation globally as it is very effective against simple cross-site scripting (XSS) attacks.

But how to fix this in MVC? After some searching on the web, I found a blog post by David Hayden describing how to do this in MVC, AllowHtml Attribute in ASP.NET MVC3. As the post describes you can use the AllowHtml attribute to disabled request validation on a single property on the model. If you don’t use a model and just want to receive some HTML in a action, you can still use the ValidateInput attribute, which disables request validation on the whole action.

No comments:

Post a Comment