a potentially dangerous request.form value was detected but validateinput(false) not working

Question

I have installed VS2010 and MVC2 and testing a simple form using tinyMCE. When I post the contents of the textarea in tinyMCE I get the dreaded YSD and the message "a potentially dangerous....." No problem I thought - seen this before so I put the ValidateInput(false) on the controller but no joy - I still get the error.

page code in edit.aspx is: <% using (Html.BeginForm()){ %>

<!-- Gets replaced with TinyMCE, remember HTML in a textarea should be encoded -->
<textarea id="elm1" name="mceText" rows="15" cols="80" style="width: 80%">
    &lt;p&gt;
        This is some example text that you can edit inside the     &lt;strong&gt;TinyMCE editor&lt;/strong&gt;.
</textarea>

<br />
<input type="submit" name="save" value="Submit" />
<input type="reset" name="reset" value="Reset" />

<%} %>

and Controller action is:

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Edit(string mceText)
    {

        return View();
    }

Any thoughts - (I know the code is not complete) been trying this for hours but everyone just says to use ValidateInput(false)

Answer 1

I dont actually have an answer but when I use the .net framework 3.5 it works fine. Moving to .net 4.0 and the error appears.

Answer 2

Found it.

need to add <httpRuntime requestValidationMode="2.0"/>

in web.config

Answer 3

This is why: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147