In ASP.net MVC 2, if the parameter of the action is a model, how do I disable validation to dismiss an exception like 'A potentially dangerous Request.Form value was detected from the client (Post.Title="<b>Title</b>").'?

For example, in MvcMusicStore (which is an official demonstration of ASP.net MVC 2), the following code is in charge of creating a new Album. And Title is a property of it.

    [HttpPost]
    public ActionResult Create(Album album)
    {
        ...
    }

But if I add some sensitive code in the Title text box, like "<b>Title</b>", the aforementioned exception will be thrown. I tried to add [ValidateInput(false)] to this action, and ValidateRequest="false" to the view code; neither of them works.

Is there anyone who can help with this?

Update: Since I'm using Visual Studio 2010 and ASP.net 4.0, all these solutions won't work unless I add:

    <httpRuntime requestValidationMode="2.0" />

to web.config. Please refer to: http://stackoverflow.com/questions/2019843/a-potentially-dangerous-request-form-value-in-mvc-2-asp-net-4-0, and http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#_TOC4.

Then a new problem comes up. If we have to go back to the 2.0 mode of request validation, why did Microsoft add this new feature to ASP.net 4.0? Is there any way to work around this exception without going back to 2.0 mode?

A: 

I decorated my actions with [ValidateInput(false)] and it works. I also have this in my web.config (see here):

    <pages validateRequest="false">

Maybe it can be set on a per-page basis? In my website it's OK to turn it off completely.

Palantir
+1  A: 

If you look at the description underneath the error message you described you will find the following solution:

...To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

You mentioned that you tried adding a validateRequest attribute, but have you also tried adding the requestValidationMode="2.0" to the httpRuntime section in your web.config? That might do the trick.

Marcus Oldin
Is there any way to handle this exception without going back to 2.0 mode?
@user90547 No, this is the only way.
jfar
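
The quoted error text recommends explicitly checking all inputs once request validation is disabled. As an added example (not code from the question, the answers or MvcMusicStore), here is one way to do that for the `Create` action, assuming `requestValidationMode="2.0"` is set in web.config as described above. `TitleSanitizer`, the tag allowlist, the 160-character limit and the controller name are hypothetical.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

// Constructed model: only the Title property is taken from the question.
public class Album
{
    public string Title { get; set; }
}

public static class TitleSanitizer
{
    // Assumption: only these attribute-free tags are wanted in a title.
    private static readonly Regex AllowedTags =
        new Regex(@"&lt;(/?)(b|i|em|strong)&gt;", RegexOptions.IgnoreCase);

    // Encode everything first, then restore only the bare allowlisted tags.
    // A tag carrying attributes, e.g. <b onclick=...>, does not match the
    // pattern, so it stays encoded and is rendered as inert text.
    public static string ToSafeHtml(string raw)
    {
        string encoded = HttpUtility.HtmlEncode(raw ?? string.Empty);
        return AllowedTags.Replace(encoded, "<$1$2>");
    }
}

public class StoreManagerController : Controller // hypothetical name
{
    [HttpPost]
    [ValidateInput(false)] // request validation is skipped for this action only
    public ActionResult Create(Album album)
    {
        // With the built-in check off, the action validates the field itself.
        if (string.IsNullOrEmpty(album.Title) || album.Title.Length > 160)
        {
            ModelState.AddModelError("Title", "Title is required (max 160 characters).");
        }
        if (!ModelState.IsValid)
        {
            return View(album); // the form helpers encode the raw value on redisplay
        }

        album.Title = TitleSanitizer.ToSafeHtml(album.Title);
        // Persisting the album is elided, as in the question's snippet.
        return RedirectToAction("Index");
    }
}
```

Because the stored title is already sanitized HTML, the display view has to emit it without encoding it a second time; every other field should still be HTML-encoded on output.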