Asp.net-mvc – A potentially dangerous Request.Form value was detected

asp.net-mvc

I have a form with the wmd editor on it. The input text area is rendered using:

<%: Html.TextAreaFor(t => t.NewsBody, new{@class="wmd-panel", id="wmd-input"}) %>

Every time I submit the form I get A potentially dangerous Request.Form value was detected from the client

I tried setting [ValidateInput(false)] on the action method, I tried adding
<httpRuntime requestValidationMode="2.0" /> to the web.config and I've tried validateRequest="false" in the pages directive in web.config but it's still happening.

Any ideas?

Edit

Action method:

 [ILFFAuthorize(Roles = "Admin")] // this is a custom auth attrobite
        [HttpPost]
        [ValidateInput(false)]
        public ActionResult AddNews(FormCollection col){

        //public ActionResult AddNews(News news)
        //{
            if (ModelState.IsValid)
            {
                News news = new News();
                news.NewsDate = DateTime.Now;
                news.NewsPosterId = 0;

                news.NewsTitle = col["NewsTitle"];
                news.NewsBody = col["NewsBody"];
                newsRepository.Add(news);
                newsRepository.Save();

                return RedirectToAction("Index", "Home");
            }
            else
            {
                return View();
            }
        }

Best Answer

You need to place this on top of your [HttpPost] action method

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Edit(FormCollection collection) {
       .....
    }

If you are using MVC3 then you should't use [ValidateInput(false)] but use [AllowHtml] which is explained here: http://dailydotnettips.com/2011/08/24/how-to-allow-user-to-input-html-in-asp-net-mvc/

also: try putting [ValidateInput(false)] above your [HttpPost] not under, As I remember, these get executed top to bottom.

Related Topic