6

I have a model with this property:

     [AllowHtml]
     [DisplayName("Widget for Table")]
     [StringLength(1000, ErrorMessage = "Maximum chars 1000")]
     [DataType(DataType.Html)]
     public object TableWidget { get; set; }

And here are the create methods in the controller:

  //
  // GET: /Admin/Table/Create

  public ActionResult Create(int id)
  {
     Season season = _seasonRepository.GetSeason(id);

     var table = new Table
                     {
                        SeasonId = season.SeasonId
                     };
     return View(table);
  }

  //
  // POST: /Admin/Table/Create

  [HttpPost]
  public ActionResult Create(Table a)
  {
     if (ModelState.IsValid)
     {
        _tableRepository.Add(a);
        _tableRepository.Save();
        return RedirectToAction("Details", "Season", new { id = a.SeasonId });
     }
     return View();
  }

And last here is my view:

@model Stridh.Data.Models.Table
@using (Html.BeginForm())
{
   @Html.ValidationSummary(true)
   <fieldset>
      <legend>Fields</legend>
      <div class="editor-label">
         @Html.LabelFor(model => model.Name)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.Name) @Html.ValidationMessageFor(model => model.Name)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.TableURL)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.TableURL) @Html.ValidationMessageFor(model => model.TableURL)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.SortOrder)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.SortOrder) @Html.ValidationMessageFor(model => model.SortOrder)
      </div>
      <div class="editor-label">
         @Html.LabelFor(model => model.TableWidget)
      </div>
      <div class="editor-field">
         @Html.EditorFor(model => model.TableWidget) @Html.ValidationMessageFor(model => model.TableWidget)
      </div>
      <div class="editor-label invisible">
         @Html.LabelFor(model => model.SeasonId)
      </div>
      <div class="editor-field invisible">
         @Html.EditorFor(model => model.SeasonId)
      </div>
      <p>
         <input type="submit" value="Create" />
      </p>
   </fieldset>
} 

When I add a "normal" message without html everything is saved OK, but when saving it says A potentially dangerous Request.Form...

Another strange thing is that I got this [AllowHtml] to work in another model class. I can't find why this is causing me trouble. Need your help. :-)

0lukasz0
superfrallan
  • Maybe this can help: http://stackoverflow.com/questions/4821274/problem-with-mvc3-allowhtml-attribute your web.config need – Felipe Pessoto Feb 01 '11 at 13:34
  • 2
    @Fujiy this suggestion is not necessarily correct. You should not have to set requestValidationMode. – marcind Feb 01 '11 at 17:48
  • Please also include a stack trace of the exception you're seeing. That will help diagnose the problem. – Levi Feb 02 '11 at 07:47
  • This must have been an old Asp.Net MVC bug, in earlier releases. Because I don't have these problems in newer installs of MVC. But still thanks for the responses – superfrallan Jun 29 '11 at 07:08
  • I've been struggling with this issue and in my case this [answer](http://stackoverflow.com/a/16839699/2519625) helped :) – Michael Brennt May 30 '16 at 19:35
  • I'll just add that `[OutputCache]` also breaks `[AllowHtml]`. Tested in MVC 5.2.3. – Gup3rSuR4c Aug 23 '16 at 21:02

5 Answers

19

The way you are using AllowHtml should work. Make sure that you are not accessing the HttpRequest.Form collection anywhere else in your code (controller, filter, etc) as this will trigger ASP.NET Request Validation and the error you are seeing. If you do want access to that variable then you should access it via the following code.

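    using System.Web.Helpers;

    HttpRequestBase request = Request;      // the request object (inside a controller, Controller.Request)
    var form = request.Unvalidated().Form;  // form values read without triggering request validation
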
marcind
  • 5
    FYI, if you are using custom model binding you can hit a similar issue, you need to use an IUnvalidatedValueProvider to access the values: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/ – felickz Feb 03 '14 at 16:27
  • Almost a decade old but still a brilliant diagnosis! – spadelives Dec 08 '20 at 04:43
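
The situation this answer describes, as an added example that is not code from the question or the answers: an action filter that inspects the posted form through `Unvalidated()`, so a model property marked `[AllowHtml]` keeps working. `AuditPostedFieldsAttribute`, `WidgetInput` and `WidgetController` are hypothetical names, and an ASP.NET MVC 3 or later project is assumed.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web;
using System.Web.Helpers;   // Unvalidated() extension method
using System.Web.Mvc;

// Hypothetical filter that records which fields were posted.
public class AuditPostedFieldsAttribute : ActionFilterAttribute
{
    public override void OnActionExecuting(ActionExecutingContext filterContext)
    {
        HttpRequestBase request = filterContext.HttpContext.Request;

        // Reading request.Form here goes through the validated collection, which
        // the answer above identifies as the trigger for "A potentially dangerous
        // Request.Form value", even though the model property has [AllowHtml].
        var form = request.Unvalidated().Form;

        // Log names and lengths only; the values are raw, untrusted input.
        var summary = form.AllKeys
            .Where(key => key != null)
            .Select(key => key + "=" + (form[key] ?? "").Length + " chars");
        System.Diagnostics.Trace.WriteLine(string.Join(", ", summary), "PostedFields");
    }
}

// Hypothetical model: request validation is relaxed for one property only.
public class WidgetInput
{
    public string Name { get; set; }          // still request-validated

    [AllowHtml]                                // markup allowed in this field only
    [StringLength(1000)]
    public string TableWidget { get; set; }
}

public class WidgetController : Controller
{
    [HttpPost]
    [AuditPostedFields]
    public ActionResult Create(WidgetInput input)   // model only, no FormCollection parameter
    {
        if (!ModelState.IsValid)
            return View(input);

        // input.TableWidget is raw markup at this point; encode or sanitize it
        // before it is rendered.
        return RedirectToAction("Index");
    }
}
```

Compared with `[ValidateInput(false)]` on the action or `requestValidationMode="2.0"` in web.config, this keeps request validation active for every field except the one marked `[AllowHtml]`.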
4

I got the same problem and I solved it with the help of this post.

If you are on .net 4.0 make sure you add this in your web.config

<httpRuntime requestValidationMode="2.0" />

Inside the <system.web> tags

Community
Sword-Breaker
3

I had the same problem. My model class is named "GeneralContent" and has the property "Content". In my action method I used the attribute like this:

public ActionResult Update(GeneralContent content)

When I renamed the content argument to cnt, everything worked well. I think MVC is confused when some attribute of the model class has the same name as the argument in the action method.

TheArchon
  • I can confirm this. After hours of pulling my hair; changing CreateTemplate(TextTemplate template) into CreateTemplate(TextTemplate model) solved the problem. (The TextTemplate has a property named "Template"). – Niklas Jonsson May 16 '19 at 14:38
1

I also had this issue. I could not get a model property marked with [AllowHtml] to actually allow HTML, and instead encountered the same error you describe. My solution ended up being to mark the Controller action that accepts the posted model with the [ValidateInput(false)] attribute.

Adam Price
0

The answer from @marcind put me on the right track, but my issue was that I was passing the FormCollection into the Controller method, so changing this...

public ActionResult Edit(MyClass myClass, FormCollection collection)

To this...

public ActionResult Edit(MyClass myClass)

Solved the problem.

Subsequently, I was able to access the heck out of the form collection with code like this without issue.

foreach (var key in Request.Form.AllKeys)
{
   ...
}

So, it was passing the form collection parameter that caused the problem, not merely accessing the form collection.

spadelives