I am working on an application that I inherited from another dev shop that I recently upgraded to MVC2/.NET 4 from MVC 1/.NET 2/3.5. Everything is working fine with the exception of one page. On this page there is an iframe that loads up an instance of TinyMCE and allows for inline editing of some HTML templates. On the hosting page there is a JavaScript event wired up to the submit button that, when clicked, grabs the innerHtml value of the iframe, converts it into JSON, and places it into a hidden form field.
As the form posts I get the infamous 'A potentially dangerous Request.Form value was detected..." Now I followed Microsoft's whitepaper and added
<httpRuntime requestValidationMode="2.0" />
To my web.config and decorated my Controller with
[ValidateInput(false)]
And I am still getting this error. The relevant stack is below.
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (HtmlContent="...orrectly? <a href=\"*|ARCHIVE|...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
System.Web.HttpRequestWrapper.get_Form() +11
System.Web.Mvc.HttpRequestExtensions.GetHttpMethodOverride(HttpRequestBase request) +235
System.Web.Mvc.AcceptVerbsAttribute.IsValidForRequest(ControllerContext controllerContext, MethodInfo methodInfo) +119
System.Web.Mvc.<>c__DisplayClass11.<RunSelectionFilters>b__d(ActionMethodSelectorAttribute attr) +57
System.Linq.Enumerable.All(IEnumerable`1 source, Func`2 predicate) +145
System.Web.Mvc.ActionMethodSelector.RunSelectionFilters(ControllerContext controllerContext, List`1 methodInfos) +524
System.Web.Mvc.ActionMethodSelector.FindActionMethod(ControllerContext controllerContext, String actionName) +122
System.Web.Mvc.ReflectedControllerDescriptor.FindAction(ControllerContext controllerContext, String actionName) +182
System.Web.Mvc.ControllerActionInvoker.FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, String actionName) +47
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +283
System.Web.Mvc.Controller.ExecuteCore() +136
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +111
System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +39
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__4() +65
System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +44
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +42
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +140
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +54
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +52
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +38
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8836913
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184
Interestingly is that if I hook the BeginRequest method in the Global.asax which would seem to indicate that the code is running under the 2.0 mode of request validation since, if my understanding of .NET 4s request validation is correct, I would not be able to get to this method if the code was running under 4.0 validation model since it processes everything before BeginRequest.
Now I was able to circumvent this problem by calling escape() from a JavaScript function on the the value of the hidden form field but that is, obviously, a hack. Has anyone else experienced this issue or have any idea what I can do to properly disable Request Validation for this method on my controller?
Thanks!