For an ASP.NET MVC 4 website hosted by Sitefinity, I can enter in a text box this text:
< input type="text" >
It passes the values to the MVC back-end with no issues. I was expecting to see the "potentially dangerous request" error but I am not getting it.
The only attributes on the action on the controller back end are:
[HttpPost]
[AllowAnonymous]
[ValidateAntiForgeryToken]
I don't have [AllowHTML]. I tried adding in [ValidateInput(true)] but it didn't do anything.
I have checked in my filterconfig file but that is just adding the [Authorize] attribute.
I have checked the web.config and the httpRuntime settings are here:
<httpRuntime maxRequestLength="102400"
maxUrlLength="102400"
maxQueryStringLength="10000"
requestValidationType="Telerik.Sitefinity.Security.Claims.CustomRequestValidator, Telerik.Sitefinity" />
It doesn't have requestValidationMode="2.0" set and it doesn't have validateRequest="false" set. I don't know what that Sitefinity CustomRequestValidator does; it was a part of updating to Sitefinity 6.0 and is suspicious, but I have that setting set on prod and I do get the potentially dangerous errors.
I'm only finding pages telling me how to avoid getting this error. Anyone have an idea how I enable it? Any ideas on what else may be in the code that is disabling it?
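
Added example (not part of the original post, and not Sitefinity's CustomRequestValidator): a stand-alone C# re-implementation of the pattern check that the default System.Web request validator applies to each submitted value, useful for confirming whether a given test string would raise the "potentially dangerous" error at all before looking for a setting that disables it. The class and method names are this example's own, the logic is a sketch of the default behaviour, and the sample strings are constructed (the first is the input exactly as printed above).

```csharp
using System;

// Added example: illustrative re-implementation of the default heuristic.
// Not Sitefinity's validator and not code from the post.
static class RequestValidationSketch
{
    static bool IsAtoZ(char c) =>
        (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z');

    // Returns true when the default check would reject the value;
    // matchIndex is the offset of the offending character, or -1.
    public static bool IsDangerousString(string s, out int matchIndex)
    {
        matchIndex = -1;
        if (string.IsNullOrEmpty(s)) return false;
        int i = 0;
        while (true)
        {
            int n = s.IndexOfAny(new[] { '<', '&' }, i);
            // No candidate left, or the candidate is the last character.
            if (n < 0 || n == s.Length - 1) return false;
            char next = s[n + 1];
            // '<' only counts when a tag-like character follows immediately.
            if (s[n] == '<' && (IsAtoZ(next) || next == '!' || next == '/' || next == '?'))
            { matchIndex = n; return true; }
            // '&' only counts as the start of a numeric character reference.
            if (s[n] == '&' && next == '#')
            { matchIndex = n; return true; }
            i = n + 1;
        }
    }

    static void Main()
    {
        // Constructed samples; the first is the string exactly as printed in the post.
        string[] samples =
        {
            "< input type=\"text\" >",
            "<input type=\"text\">",
            "a & b",
            "price &#163;5",
        };
        foreach (var s in samples)
        {
            bool flagged = IsDangerousString(s, out int at);
            Console.WriteLine($"{(flagged ? "REJECT" : "pass  ")} at={at,2}  {s}");
        }
    }
}
```

With the space after `<`, the first sample is not rejected by this check, while the same text without the space is, so the exact characters submitted matter when testing whether request validation is active.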