and not working

asp.net, request.form, requestvalidationmode, web.config

I've inherited an MVC asp.net app using framework 4.0.

I'm getting the dreaded "A potentially dangerous Request.Form value was detected from the client" error and all my research leads me to believe that this should fix it:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

However, I've added that to my web.config and still get the error. I'm at the end of my rope here, what am I missing?

Best Answer

In addition to what you did, you also have to decorate your methods with the ValidateInput attribute.

[ValidateInput(false)]
public ActionResult MyActionMethod(string myParameter)
{
    // Method implementation goes here... 
}

There is an alternative, though: you can implement your own request validator and bind it in your web.config if you want to handle validation for your entire site. Take a look at this blog post on how to fully implement it.

Basically, create a class that inherits from RequestValidator and then hook it up in the web.config.

<httpRuntime requestValidationType="Globals.CustomRequestValidation" />

Hopefully this helps!
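
The RequestValidator subclass described in the answer, as an added example (not code from the answer or from the linked blog post). It exempts a single form field on a single endpoint and leaves the built-in check in force everywhere else; the path `/Articles/Save` and the field name `Body` are hypothetical, and the namespace and class name follow the `requestValidationType` value shown above.

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace Globals
{
    // Registered with:
    //   <httpRuntime requestValidationType="Globals.CustomRequestValidation" />
    public class CustomRequestValidation : RequestValidator
    {
        // Hypothetical endpoint and form field that legitimately carry markup.
        private const string AllowedPath = "/Articles/Save";
        private const string AllowedField = "Body";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = -1;

            // Exempt only the one form field on the one endpoint. Query string,
            // cookies, headers and every other form field stay validated.
            bool isExemptField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, AllowedField, StringComparison.Ordinal) &&
                string.Equals(context.Request.Path, AllowedPath,
                              StringComparison.OrdinalIgnoreCase);

            if (isExemptField)
            {
                // The value is accepted unvalidated, so the application has to
                // sanitize it or HTML-encode it wherever it is rendered.
                return true;
            }

            // Everything else goes through the framework's default check.
            return base.IsValidRequestString(
                context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
```

Compared with `validateRequest="false"` or `[ValidateInput(false)]` on a whole action, this keeps request validation active for every input except the one field that needs markup.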