0

EDIT:

Found the answer here: ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection

Turns out I needed to add System.Web.Helpers so I could use the Unvalidated() extension method on the Request object. That gives you a request that won't throw exceptions on unsafe-looking inputs.

--

So here's the context in which my problem is occurring:

  • I have a model class which contains a collection of child objects
  • I've written a constructor which will parse FORM inputs so that I can post the model to an action method
  • I've set up a binder which grabs the Form object from the posted Request and passes it to my model's constructor

As some of the child objects can accept string inputs which may contain HTML, I need to disable MVC's input validation. I've set a [ValidateInput(false)] attribute on the action method, but HttpRequestValidationException is still being thrown in my model's constructor. On a whim I even tried putting a [ValidateInput] attribute on my model's binder and on the model itself, but that didn't solve the issue either.

I'm at a loss here. How do I go about handling these exceptions in such a way that I can still pull information from the form? Or, what is the appropriate way to go about disabling MVC's input validation in this situation?

Class sketch follows:

public class FooController : ControllerBase {
  [HttpPost]
  [ValidateInput(false)]
  public ActionResult FooAction(FooModel model) {
    //do stuff
  }
}

//tried [ValidateInput(false)] here as well, to no avail
public class FooBinder : BinderBase {
  public override object BindModel(...) {
    return new FooModel(controllerContext.HttpContext.Request.Form);
  }
}

//tried [ValidateInput(false)] here, too....again, no success
public class FooModel {
  public FooModel(NameValueCollection formData) {
    //do some initialization stuff

    var keys = formData.AllKeys;  //exception thrown here when inputs contain '<' or '>'

    //do some object construction stuff
  }

  public IEnumerable<FooChild> ChildCollection { get; set; }
}
Nate Kennedy
  • Possible duplicate: http://stackoverflow.com/questions/1110452/i-cant-turn-off-request-validation-for-an-asp-net-mvc-controller – rossipedia Aug 02 '12 at 18:24
  • Found the answer in this post: http://stackoverflow.com/questions/4361907/asp-net-mvc-3-validaterequestfalse-not-working-with-formcollection – Nate Kennedy Aug 02 '12 at 20:28
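
Added example (not code from the original post): the fix from the question's edit applied to the binder, assuming the binder implements MVC's `IModelBinder` directly and using hypothetical form fields `Title` and `Description`. Because `Unvalidated()` skips the check for every field, the sketch re-checks the plain-text field itself and HTML-encodes the markup field on output.

```csharp
using System.Collections.Specialized;
using System.Web;
using System.Web.Helpers;   // brings in the Unvalidated() extension method
using System.Web.Mvc;

public class FooBinder : IModelBinder
{
    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        // Unvalidated().Form returns the posted values without triggering
        // HttpRequestValidationException on inputs such as '<' or '>'.
        NameValueCollection form =
            controllerContext.HttpContext.Request.Unvalidated().Form;

        // Request validation is now bypassed for every field, so re-check the
        // fields that are not supposed to carry markup ("Title" is hypothetical).
        string title = form["Title"] ?? string.Empty;
        if (title.IndexOfAny(new[] { '<', '>' }) >= 0)
        {
            bindingContext.ModelState.AddModelError(
                "Title", "Title must not contain markup.");
        }

        return new FooModel(form);
    }
}

[ModelBinder(typeof(FooBinder))]
public class FooModel
{
    public string Title { get; private set; }
    public string Description { get; private set; }   // raw, may contain HTML

    public FooModel(NameValueCollection formData)
    {
        Title = formData["Title"] ?? string.Empty;
        Description = formData["Description"] ?? string.Empty;
    }

    // Encode when writing the raw value into a page, so stored markup is
    // displayed as text instead of being interpreted by the browser.
    public string DescriptionAsText
    {
        get { return HttpUtility.HtmlEncode(Description); }
    }
}
```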

1 Answer

1

Try putting the [ValidateInput(false)] on the Post method (where the exception is being thrown) and additionally adding [AcceptVerbs(HttpVerbs.Post)]. But if this is going to be a public website, you're opening yourself up to XSS, which is ill-advised.

Forty-Two
  • I've edited the code I posted to make it clearer that the action method is a POST handler. I thought I had made it pretty clear, though, that I have tried [ValidateInput(false)] and the exception is still getting thrown. – Nate Kennedy Aug 02 '12 at 18:55
  • I see. But you're still applying the filter tag to FooAction, while it's FooModel in which the exception is being thrown. – Forty-Two Aug 02 '12 at 18:59
  • I've tried setting the attribute for the model class as well - also with no success. Updated the question to reflect that now. Additionally, I don't understand what significance the ValidateInput attribute might have on an otherwise unrelated class. Sure, the class is instantiated in my binder, but I'm not deferring any work to the framework inside its constructor. I'm not doing anything in the constructor that would explicitly look for un/validated inputs, either. What significance would that decorator have inside the constructor, then? – Nate Kennedy Aug 02 '12 at 19:07