1

I have a form in an MVC3 project. One of my input fields should accept HTML. Unfortunately I cannot have a ViewModel which this value maps to. The field is autogenerated and read in automatically. I am getting the following error:

  A potentially dangerous Request.Form value was detected from the client

Since there is no ViewModel, I cannot apply the [AllowHtml] attribute. Does anyone know a workaround that does not involve disabling validation for the entire page?

Thank You

Additional Information: I can access the unvalidated value by doing the following:

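    using System.Web.WebPages;
    using System.Web.Helpers;

    // ... inside the controller ...
    // Unvalidated() is an extension method from System.Web.Helpers that
    // returns the raw value without triggering request validation.
    string value = Request.Unvalidated("input-40");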

The problem now is that the Request.Params collection throws an exception. I would like to access all the other values and have them be validated, just not that one. Is there a way for me to validate the other fields, either explicitly or by accessing a validated collection?

The following would be fine:

    string value = System.Web.Something.ValidateInput(Request.Unvalidated("input-41"));

Unfortunately I don't know where/if this method exists.

AFrieze
  • If it's an argument to the action, I think you can decorate the argument with AllowHtml, though I'm not positive. – Brad Christie Apr 10 '12 at 22:12
  • I think you could use [ValidateInputAttribute](http://msdn.microsoft.com/en-us/library/system.web.mvc.validateinputattribute.aspx) to decorate the action, but that's going to affect the whole form collection. – John H Apr 10 '12 at 22:14
  • Decorating the action is fine if I can figure out how to call validation on the other field values manually. Any ideas? I'd be looking for something like System.Web.ValidateInput(Request.Params["input-name"]) – AFrieze Apr 10 '12 at 22:32
  • @AFrieze Maybe [this](http://stackoverflow.com/questions/4426854/how-to-call-validationattributes-manually-dataannotations-and-modelstate) question will point you in the right direction. – John H Apr 11 '12 at 00:32
  • See [this](http://weblogs.asp.net/imranbaloch/archive/2011/05/23/security-issue-in-asp-net-mvc3-jsonvalueproviderfactory.aspx) – Imran Qadir Baksh - Baloch Apr 11 '12 at 03:25

2 Answers

2

You can try the ValidateInput(false) attribute:

    [ValidateInput(false)]
    public ActionResult YourAction(FormCollection yourCollection)
    {
        // your stuff
    }

veblock
  • This would turn off validation for all form values. This is OK if there is a way for me to call validate on each value manually. Is there? – AFrieze Apr 10 '12 at 22:27
  • Well, it depends on how you pass your viewmodel/values to the action. These are your options: [link](http://weblogs.asp.net/imranbaloch/archive/2011/02/19/understanding-request-validation-in-asp-net-mvc-3.aspx), but you may not find what you're after :( – veblock Apr 10 '12 at 23:01
0

Use the ValidateInput attribute for your action method. It seems to be unsafe but should work; I cannot test it now.

sleepwalker
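
One way to get what the question asks for (request validation on every value except a single form field) is a custom `RequestValidator` from `System.Web.Util`; this is an added example, not code from any of the posts above. The namespace and class name are hypothetical, and `input-40` is the field name taken from the question.

```csharp
using System;
using System.Web;
using System.Web.Util;

// Register in web.config (type name is hypothetical):
//   <httpRuntime requestValidationType="MyApp.Security.SingleFieldRequestValidator" />
namespace MyApp.Security
{
    public class SingleFieldRequestValidator : RequestValidator
    {
        // The one form field that is allowed to carry HTML (name from the question).
        private const string HtmlFieldName = "input-40";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Exempt only this key, and only when it arrives in the form body.
            // The same key in the query string, cookies or headers is still checked.
            bool isExemptField =
                requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, HtmlFieldName, StringComparison.Ordinal);

            if (isExemptField)
            {
                validationFailureIndex = -1; // no failure position to report
                return true;
            }

            // Everything else goes through the built-in ASP.NET check.
            return base.IsValidRequestString(
                context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
```

With this registered, `Request.Params` and the rest of `Request.Form` stay validated and no `[ValidateInput(false)]` is needed on the action. The value of the exempt field arrives raw, so it needs sanitizing or HTML-encoding before it is rendered.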