0

By default ASP.net will do request validation to make sure values submitted by the user aren't potentially dangerous. See this popular queston regarding how to disable it.

I have disabled it successfully so that the controller doesn't throw an exception if potentially dangerous characters are detected. However, if I access the Request.Forms property, it attempts to do request validation again and will throw the exception. Specifically what I'm doing is this: request.Form.ToString().

The controller has been decorated with [ValidateInput(false)] and the Model decorated with [AllowHtml()] neither of which are being honored while accessing the Request.Forms property. How can I do this without the exception being thrown?

Community
  • 1
  • 1
w.brian
  • 16,296
  • 14
  • 69
  • 118
  • 1
    did you add `requestValidationMode="2.0"` to the `httpRuntime` element in your web.config? http://www.asp.net/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147 – bhamlin Jul 23 '12 at 20:05
  • That was is. Wish I would have tried it before asking the question -- if you submit this as the answer I will mark it accordingly. – w.brian Jul 23 '12 at 20:40
  • Net 4.5 provides the [`Request.Unvalidated`](https://msdn.microsoft.com/en-us/library/system.web.httprequest.unvalidated(v=vs.110).aspx) property which provides request values without validation. E.g.: `request.Unvalidated.Form.ToString()` – Ouroborus Dec 01 '16 at 23:40

1 Answers1

1

.Net 4.0 adds additional request validation that you need to disable by adding requestValidationMode="2.0" to the httpRuntime element of your web.config.

See ASP.NET breaking changes for more info.

bhamlin
  • 5,177
  • 1
  • 22
  • 17