I have an ASP.NET MVC form that may (usually does) submit a response that would trigger the "A potentially dangerous Request.Form value was detected from the client" error.

To try to get around this, I have placed a ValidateRequest="false" in the page directive.

Only problem: I'm still getting the error!

Now, all was good until I updated to the ASP.NET MVC RC this morning, and (according to the readme), placed the following in the Views web.config:

    <pages validateRequest="false"
           pageParserFilterType="System.Web.Mvc.ViewTypeParserFilter, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           pageBaseType="System.Web.Mvc.ViewPage, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35"
           userControlBaseType="System.Web.Mvc.ViewUserControl, System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35">
        <controls>
            <add assembly="System.Web.Mvc, Version=1.0.0.0, Culture=neutral, PublicKeyToken=31BF3856AD364E35" namespace="System.Web.Mvc" tagPrefix="mvc" />
        </controls>
    </pages>

So, validateRequest should be false for all pages, right? What am I missing?

+37  A: 

Hi Darren!

In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don't know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it's too late to do anything about it. The controller already will have committed the dangerous input to the database.

Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.

Thanks for the question!

Levi
This helped a lot.
John Boker
Indeed, Thank you!
Aaron
+2  A: 

We have a base controller that our controllers inherit from, allowing us to globally disable intrinsic ASP.NET request validation:

    protected override void Initialize(RequestContext requestContext)
    {
        // no client input will be checked on any controllers
        ValidateRequest = false;
        base.Initialize(requestContext);
    }

Just make sure that you validate all input from the client!

Jarrod Dixon
A: 

It's necessary to decorate the controller or action with the attribute [ValidateInput(false)] and add requestValidationMode="2.0" to the web.config file. Example:

The controller:

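    using System.Web.Mvc;

    // Disables request validation for every action on the controller
    [ValidateInput(false)]
    public class MensajesController : Controller
    {
        // or in an action
        [ValidateInput(false)]
        [HttpPost]
        public ActionResult Create(FormCollection collection)
        {
            // collection now holds unvalidated input; validate it before use
            return View();
        }
    }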

The configuration file:

    <configuration>
        <system.web>
           <httpRuntime requestValidationMode="2.0"/>
        </system.web>
    </configuration>

Juan Carlos
Yes, the requestValidationMode needs to be set for .NET 4. Thanks for the update.
Darren Oster
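
An added example (not code from any of the posters above): one way to follow the advice in these answers by scoping [ValidateInput(false)] to the single action that needs it, then replacing the framework check with explicit validation on input and HTML encoding on output. CommentsController, the "body" field, MaxBodyLength and the in-memory Store are assumptions made for illustration; on .NET 4 the requestValidationMode="2.0" setting shown above is still required.

```csharp
using System.Collections.Generic;
using System.Linq;
using System.Web;
using System.Web.Mvc;

// Added example. CommentsController, the "body" field, MaxBodyLength and the
// in-memory Store are hypothetical; Store stands in for a real database.
public class CommentsController : Controller
{
    private const int MaxBodyLength = 4000;
    private static readonly List<string> Store = new List<string>();

    // Request validation is switched off for this one POST action only;
    // every other action keeps the framework's check.
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Create(FormCollection collection)
    {
        string body = (collection["body"] ?? string.Empty).Trim();

        // Our own validation replaces the check we disabled: bound the size
        // and reject control characters other than tab, CR and LF.
        bool hasControlChars = body.Any(c =>
            char.IsControl(c) && c != '\t' && c != '\r' && c != '\n');
        if (body.Length == 0 || body.Length > MaxBodyLength || hasControlChars)
        {
            ModelState.AddModelError("body",
                "Comment is empty, too long, or contains control characters.");
            return View();
        }

        // Store the text exactly as submitted; encoding happens on output.
        lock (Store) { Store.Add(body); }
        return RedirectToAction("Index");
    }

    public ActionResult Index()
    {
        List<string> encoded;
        lock (Store)
        {
            // HTML-encode every stored value so markup such as <b> or <script>
            // is displayed as text instead of being interpreted by the browser.
            encoded = Store.Select(s => HttpUtility.HtmlEncode(s)).ToList();
        }
        return Content(string.Join("<br />", encoded.ToArray()), "text/html");
    }
}
```

In a real view the same rule applies: write stored values through Html.Encode (or the encoding output syntax of the view engine in use) rather than emitting them raw.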