ValidateInput Attribute and ASP.NET MVC

ASP.NET has built-in request validation to help prevent security issues such as cross-site scripting (XSS). If you have a form with a rich-text editor such as TinyMCE on it, the editor posts HTML markup, and when you perform a postback ASP.NET will present you with an error page:

“A potentially dangerous Request.Form value was detected from the client…”

To prevent this error message, you can disable request validation in your web.config file (for all the files in that location) or by adding a Page directive to specific pages:

<%@ Page ValidateRequest="false" ... %>

Today I was working on an ASP.NET MVC application in which I needed to integrate TinyMCE, and was surprised to see that neither the Page directive nor the web.config adjustment solved this problem.   Eventually, Google helped me find the solution.

In order to disable request validation in ASP.NET MVC, you need to add a ValidateInput attribute to your controller’s method, as shown in the code fragment below:

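[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]   // turns off request validation for this action only
public ActionResult Edit(string editor)
{
   // 'editor' now holds the raw, unvalidated HTML posted by the editor
   ViewData["editor"] = editor;
   return View();
}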

Works like a charm…  However, do note that you may need to implement your own request validation in order to prevent users from using the text editor to execute malicious scripts.
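One way to do that validation yourself, as an added example that is not code from the original post: HTML-encode the whole submission, then restore only a small allowlist of attribute-free formatting tags. The `EditorHtml` helper and the `ArticleController` name are hypothetical; tags that carry attributes (links, inline styles) deliberately stay encoded and show up as text.

```csharp
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

// Hypothetical helper (not part of ASP.NET MVC): allowlist filter for editor HTML.
public static class EditorHtml
{
    // Matches an *encoded* opening or closing tag from the allowlist, with no attributes.
    private static readonly Regex AllowedTag = new Regex(
        @"&lt;(/?)(b|i|u|em|strong|p|ul|ol|li|br)\s*(/?)&gt;",
        RegexOptions.IgnoreCase | RegexOptions.Compiled);

    public static string Sanitize(string html)
    {
        if (string.IsNullOrEmpty(html))
            return string.Empty;

        // Step 1: neutralise everything. <script> blocks, event-handler
        // attributes and javascript: URLs all become inert text.
        string encoded = HttpUtility.HtmlEncode(html);

        // Step 2: turn only the allowlisted, attribute-free tags back into markup.
        // Literal "&lt;b&gt;" typed by a user was encoded to "&amp;lt;b&amp;gt;"
        // in step 1, so it cannot match here.
        return AllowedTag.Replace(encoded, "<$1$2$3>");
    }
}

// Hypothetical controller name; the action mirrors the one shown above.
public class ArticleController : Controller
{
    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]   // built-in validation is off, so filter explicitly
    public ActionResult Edit(string editor)
    {
        ViewData["editor"] = EditorHtml.Sanitize(editor);
        return View();
    }
}
```

The view can then write `ViewData["editor"]` without encoding it a second time, because everything outside the allowlist is already encoded.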
