views:

22

answers:

0

I am working on an application that I inherited from another dev shop that I recently upgraded to MVC2/.NET 4 from MVC 1/.NET 2/3.5. Everything is working fine with the exception of one page. On this page there is an iframe that loads up an instance of TinyMCE and allows for inline editing of some HTML templates. On the hosting page there is a JavaScript event wired up to the submit button that, when clicked, grabs the innerHtml value of the iframe, converts it into JSON, and places it into a hidden form field.

As the form posts I get the infamous 'A potentially dangerous Request.Form value was detected..." Now I followed Microsoft's whitepaper and added

<httpRuntime requestValidationMode="2.0" />

To my web.config and decorated my Controller with

[ValidateInput(false)]

And I am still getting this error. The relevant stack is below.

 [HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (HtmlContent="...orrectly? <a href=\"*|ARCHIVE|...").]
 System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
 System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
 System.Web.HttpRequest.get_Form() +114
 System.Web.HttpRequestWrapper.get_Form() +11
 System.Web.Mvc.HttpRequestExtensions.GetHttpMethodOverride(HttpRequestBase request) +235
 System.Web.Mvc.AcceptVerbsAttribute.IsValidForRequest(ControllerContext controllerContext, MethodInfo methodInfo) +119         
 System.Web.Mvc.<>c__DisplayClass11.<RunSelectionFilters>b__d(ActionMethodSelectorAttribute attr) +57
 System.Linq.Enumerable.All(IEnumerable`1 source, Func`2 predicate) +145
 System.Web.Mvc.ActionMethodSelector.RunSelectionFilters(ControllerContext controllerContext, List`1 methodInfos) +524
 System.Web.Mvc.ActionMethodSelector.FindActionMethod(ControllerContext controllerContext, String actionName) +122
 System.Web.Mvc.ReflectedControllerDescriptor.FindAction(ControllerContext controllerContext, String actionName) +182
 System.Web.Mvc.ControllerActionInvoker.FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, String actionName) +47
 System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +283
 System.Web.Mvc.Controller.ExecuteCore() +136
 System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +111
 System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +39
 System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__4() +65
 System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +44
 System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +42
 System.Web.Mvc.Async.WrappedAsyncResult`1.End() +140
 System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +54
 System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
 System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +52
 System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +38
 System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8836913
 System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184

Interestingly is that if I hook the BeginRequest method in the Global.asax which would seem to indicate that the code is running under the 2.0 mode of request validation since, if my understanding of .NET 4s request validation is correct, I would not be able to get to this method if the code was running under 4.0 validation model since it processes everything before BeginRequest.

Now I was able to circumvent this problem by calling escape() from a JavaScript function on the the value of the hidden form field but that is, obviously, a hack. Has anyone else experienced this issue or have any idea what I can do to properly disable Request Validation for this method on my controller?

Thanks!