I've got an ASP.NET 4 site on which I want to allow people to put '<' in their password. However, .NET gets in the way by blocking (what it sees as) an attempt to put HTML in a form field. I know I can turn off input validation entirely, but I only want to turn it off for this one field. Does anyone know an easy way to do that?
A:
You can turn input validation off for the single MVC action using the ValidateInputAttribute. Since you're only accepting username/password (I would assume) you should be able to scrub input yourself of any invalid characters. Use the Microsoft Web Protection Library to do that.
John Bledsoe
2010-09-27 14:12:35
This is Webforms, not MVC, and I have a lot of inputs on this page. Otherwise that would work great :)
eliah
2010-09-27 14:14:23
Mah bad. There is a ValidateRequest property on the @Page directive that you can use to turn off validation only for that particular page, but I think that's as granular as you can get.
John Bledsoe
2010-09-27 17:09:45
A:
You can only turn off input validation for the entire page. The only solution I can think of is to turn off the input validation, and then scrub all the other (non-password) input fields using something like Anti-XSS.
Jason Berkan
2010-09-28 15:30:02