views: 46
answers: 1

Hello,

All weekend I've been learning how to use TinyMCE with ASP.NET MVC. I was getting the XSS error ("A potentially dangerous Request.Form value was detected from the client(...)").

To deal with that, I was advised to use the [ValidateInput(false)] attribute to disable the checking, but without success. Until, by accident, I did a postback to a different action method (i.e. not the one that displayed the view containing the TextArea control), so I had to specify both the action and the controller explicitly. IT WORKED. So I tried to declare the BeginForm explicitly for the first case too, and IT WORKED AGAIN.

The question is: WHY?

<% using (Html.BeginForm()) { %>

or

<% using (Html.BeginForm("WriteArticle")) { %>

both did not work.

<% using (Html.BeginForm("WriteArticle", "ArticleManagement")) { %>

This one worked.

So why didn't the famous "convention over configuration" work?

EDIT

using System.Web.Mvc;

// Class-level attribute: request validation is disabled for every action in this controller.
[ValidateInput(false)]
public class ArticleManagementController : Controller
{
  protected override void OnActionExecuting(ActionExecutingContext filterContext)
  {
    // Here the model is created and updated
    base.OnActionExecuting(filterContext);
  }

  public ActionResult WriteArticle()
  {
    // Here's the method that displays the view containing the TinyMCE editor
    return View();
  }

  // There are more action methods
}

Thanks for helping.

+1  A: 

Html.BeginForm() does one thing. It generates HTML. So if one overload works and the other does not, then they are generating different HTML. View the source of the rendered page. They will be different. This is most likely tied to your routing or your view execution path, but it's hard to be sure without seeing the HTML and your code. The important point is this: when your server reacts differently, you are almost certainly sending it a different request. View Source and Firebug's Net panel are the two tools you should start with.

Craig Stuntz
@Craig Stuntz: There's bad news. I've been playing with the view and the action that generates it (by adding and removing [ValidateInput(false)] here and there). Now I don't know anymore what went wrong. I have now removed the action and controller names, but it's still working. So I don't know what went wrong anymore.
Richard77
@Craig Stuntz: Anyway, thanks for your answer about Html.BeginForm, which is the answer to my concern. Now I know that I need to pay attention to the URL generated by a request. Also, thanks for your advice on View Source and Firebug.
Richard77
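The controller in the question carries [ValidateInput(false)] at class level, which switches request validation off for every action in ArticleManagementController, not only the one that receives the editor's markup. The following is an added example (not the original poster's or Craig Stuntz's code) of the narrower arrangement: validation disabled only on the POST action that accepts the TinyMCE body, the GET action and every other action still validated, and the view's form posting to that action explicitly with `<% using (Html.BeginForm("WriteArticle", "ArticleManagement", FormMethod.Post)) { %>` so that the rendered `<form action="...">` is unambiguous, which is the check the answer recommends. The ArticleEditModel type, its property names and the Sanitize helper are hypothetical; [HttpPost] assumes ASP.NET MVC 2 or later, and the [AllowHtml] attribute mentioned in the comments requires MVC 3 or later.

```csharp
using System.Web.Mvc;

// Added example, not the original poster's code. The model type, its property
// names and the Sanitize helper are hypothetical; the controller and action
// names follow the question.
public class ArticleEditModel
{
    // Plain text: still subject to request validation.
    public string Title { get; set; }

    // HTML produced by the TinyMCE editor. On ASP.NET MVC 3 or later,
    // [AllowHtml] on this single property (with no [ValidateInput(false)]
    // anywhere) is the narrowest way to let markup through.
    public string Body { get; set; }
}

public class ArticleManagementController : Controller
{
    // GET /ArticleManagement/WriteArticle
    // Renders the editor. Request validation stays on: this action never
    // receives the markup, so there is no reason to exempt it.
    public ActionResult WriteArticle()
    {
        return View(new ArticleEditModel());
    }

    // POST /ArticleManagement/WriteArticle
    // Validation is disabled for this one action only. Placing the attribute
    // on the class, as in the question, turns the check off for every action
    // in the controller, including ones that never expect HTML.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult WriteArticle(ArticleEditModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // Turning request validation off is not an XSS defence. Reduce the
        // submitted markup to an allow-list before storing it, and treat the
        // sanitized value as the only thing that may ever be rendered unencoded.
        string safeBody = Sanitize(model.Body);

        // ... persist model.Title and safeBody ...

        return RedirectToAction("WriteArticle");
    }

    // Hypothetical placeholder: substitute an allow-list HTML sanitizer library
    // here. Returning the input unchanged is NOT acceptable in production; it is
    // only here so the example compiles.
    private static string Sanitize(string html)
    {
        return html ?? string.Empty;
    }
}
```

When the stored article is displayed, emit only the sanitized body unencoded and run every other value (title, author, anything user-supplied) through the view engine's HTML encoding. After changing the BeginForm overload, view the source of the rendered page and confirm the form's action attribute is /ArticleManagement/WriteArticle; if the request goes anywhere else, the attribute on this action never comes into play.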