

A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>"). ValidateInput(false) not working?

Question

Thursday, April 22, 2010 7:17 PM

Hello,

On a CMS I am accepting some html tags on a Text Area from a TinyMCE WYSIWYG input.

On my controller action I have:

    [AcceptVerbs(HttpVerbs.Post), Authorize, ValidateAntiForgeryToken, ValidateInput(false)]
    public virtual ActionResult Edit(Int32 id, ResourceEditModel model) {
    }

I added the attribute ValidateInput(false). Shouldn't this work?

I keep having the error:

A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").

What am I missing?

This is the only view where I have a TinyMce so on all other forms I still want validation ...

I am using MVC2 and NET 4.0.

Thank You,

Miguel

All replies (12)

Thursday, April 22, 2010 9:40 PM ✅Answered

In the web.config file, within the <system.web> tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.

Example:

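    <configuration>
      <system.web>
        <!-- Use the ASP.NET 2.0 request validation behavior so pages/actions can opt out -->
        <httpRuntime requestValidationMode="2.0" />
        <!-- <pages> is a child of <system.web> -->
        <pages validateRequest="false">
        </pages>
      </system.web>
    </configuration>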

 


Thursday, April 22, 2010 9:59 PM ✅Answered

It worked. No need to add <pages validateRequest="false">

Just the httpRuntime part and the action attribute.

Thank You,

Miguel


Tuesday, August 3, 2010 12:30 PM ✅Answered

surely there must be some other way to make this work and still use the new 4.0 validation mode?

You can write a custom request validator which excludes certain fields from validation but still validates every other field.  See http://msdn.microsoft.com/en-us/library/system.web.util.requestvalidator.aspx for full documentation on how to do this.

In brief, your IsValidRequestString() method would have the following logic:

  • If the current URL (as read from the HttpContext object) is ~/somepage *and* the current collection is form *and* the current key under consideration is "field-to-exclude", return true to signal that this value is OK.
  • Otherwise call base.IsValidRequestString() to run the default validation logic over this field.
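
One way to write the validator described in this answer, as an added example that is not code from the thread or from Microsoft's documentation. The namespace, class name, assembly name and the `~/Resource/Edit` path are assumptions; `Text` is the form field named in the error message.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace Cms.Web.Security // hypothetical namespace
{
    // Added example: exempts one form field on one POST route from request
    // validation; every other value still goes through the ASP.NET 4.0 checks.
    // Register it in web.config (type and assembly names are assumptions):
    //   <httpRuntime requestValidationType="Cms.Web.Security.RichTextRequestValidator, Cms.Web" />
    public class RichTextRequestValidator : RequestValidator
    {
        // Assumed route of the Edit action; "Text" is the field named in the error.
        private const string ExemptPath = "~/Resource/Edit";
        private const string ExemptFormKey = "Text";

        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource,
            string collectionKey, out int validationFailureIndex)
        {
            if (requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, ExemptFormKey, StringComparison.Ordinal)
                && string.Equals(context.Request.HttpMethod, "POST", StringComparison.OrdinalIgnoreCase)
                && IsExemptPath(context.Request))
            {
                // Accepted unvalidated: the action must sanitize this HTML
                // against an allowlist before it is stored or rendered.
                validationFailureIndex = -1;
                return true;
            }

            // Default validation for all other keys, collections and URLs.
            return base.IsValidRequestString(context, value,
                requestValidationSource, collectionKey, out validationFailureIndex);
        }

        // Matches "~/Resource/Edit" and "~/Resource/Edit/42", but not
        // "~/Resource/EditAll", which a plain prefix test would let through.
        private static bool IsExemptPath(HttpRequest request)
        {
            string path = request.AppRelativeCurrentExecutionFilePath + request.PathInfo;
            return path.Equals(ExemptPath, StringComparison.OrdinalIgnoreCase)
                || path.StartsWith(ExemptPath + "/", StringComparison.OrdinalIgnoreCase);
        }
    }
}
```

The field-name comparison is case-sensitive on purpose: a key that differs only in case falls through to the default validation rather than being exempted.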

Thursday, April 22, 2010 8:11 PM

I can confirm this problem. In addition, I made an attempt at adding "ValidateRequest=false" to the <%@ Page directive of the view, but to no avail. It's rather strange, as many websites are naming [ValidateInput] or the ValidateRequest methods as working. Does anyone have more information on this?


Thursday, April 22, 2010 8:19 PM

I remember this always happened to me years ago, when I used to develop in frameworks 1.1 and 2.0. At that time you had to set the validateRequest flag to false in the machine.config. Now in Framework 4 you have to add this element in your configuration file. Check this out: http://msdn.microsoft.com/en-us/library/e1f13641.aspx

Hope it helps!

 


Thursday, April 22, 2010 9:17 PM

I remember this always happened to me years ago, when I used to develop in frameworks 1.1 and 2.0. At that time you had to set the validateRequest flag to false in the machine.config. Now in Framework 4 you have to add this element in your configuration file. Check this out: http://msdn.microsoft.com/en-us/library/e1f13641.aspx

Hope it helps!

I don't get it ... I don't see any validateRequest on the url you posted.

I also tried to use <pages validateRequest="false"> but didn't solve my problem.

The ValidateInput was working fine on my MVC2 / NET 3.5 projects. It seems the problem happens only with NET 4.

Can you please be more specific about what I should add to Web.Config?

Thanks,

Miguel


Thursday, April 22, 2010 9:56 PM

By adding <pages validateRequest="false"> does that not mean that all pages will not validate input?

If I want only a few pages to behave so, shouldn't I need to use only the ValidateInput action attribute?

Thank You,

Miguel


Thursday, April 22, 2010 9:59 PM

Instead of using the validateRequest attribute in the web.config file, you can use it only in certain pages in the @Page directive at the top of the aspx file. 

Bye.


Thursday, April 22, 2010 10:22 PM

It worked. No need to add <pages validateRequest="false">

Just the httpRuntime part and the action attribute.

Thank You,

Miguel

In ASP.NET 4, Request Validation has changed a little bit.

Here is the official documentation

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

However, I am wondering why the ASP.NET MVC team did not take this into consideration.


Thursday, April 22, 2010 10:32 PM

In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.

 

Good explanation. So maybe we should force validateRequest="true" within the web.config file, and disable it in the page we want?


Thursday, April 22, 2010 11:05 PM

So maybe we should force validateRequest="true" within the web.config file, and disable it in the page we want?

validateRequest is good in the context of WebForms; for MVC applications there is a ValidateInput attribute, used to enable and disable request validation.

If you are curious, disable request validation by using validateRequest="false" within the web.config file and call an MVC post action with HTML: you will always get the above exception, because MVC validates the request during the creation of the controller instance.


Tuesday, August 3, 2010 4:29 AM

does this mean that the *only* way to avoid this error is to add <httpRuntime requestValidationMode="2.0" /> ?

surely there must be some other way to make this work and still use the new 4.0 validation mode?