Request Validation - ASP.NET MVC 2

Question

Has request validation changed for ASP.NET MVC 2, more precisely, not validating?

I did the following:

Web.configs (in App directory and Views directory)

<pages
    validateRequest="false"

Controller/Action Attribute

[ValidateInput(false)]

In @Page View Directive

ValidateRequest="false"

The page still gets validated an exception is thrown when HTML content is posted.

UPDATE

Created a new ASP.NET MVC 2 Application and I modified the Home Controller's Index to this

    [ValidateInput(false)]
    public ActionResult Index(string InputText)
    {
        ViewData["Message"] = "Welcome to ASP.NET MVC!";

        return View();
    }

and my View Page

<% using(Html.BeginForm()){ %>
    <%= Html.TextBox("InputText") %>
    <input type="submit" />
<% } %>

And still the same issue, an exception is thrown.

Answer 1

^{Insert obligatory warning about XSS here.}

That you decorated the controller (or action) with the ValidateInputAttribute should be enough, as all validation is done at this controller level in ASP.NET MVC

I have just tried this now on an action, and it returns a nice, evil alert() when I output it, so I'd venture a guess that there's something else going on here.

Do you have an HandleErrorAttribute set up anywhere?

Answer 2

I should read the error more carefully next time:

To allow pages to override application request validation settings, 
set requestValidationMode="2.0" in the configuration section. 
After setting this value, you can then disable request validation by 
setting validateRequest="false"

I put this in the application's web.config

<httpRuntime requestValidationMode="2.0"/>

and it worked.

Update:

I was running ASP.NET 4 thats why :P

Update 2:

Placed it in the <system.web> begin/end tags.