
I am running into the problem with requestValidationMode="4.0" where, if you submit HTML tags in a form, the request will be marked as invalid and the app will throw "A potentially dangerous Request.Form value was detected from the client."

The two most popular solutions are to use requestValidationMode="2.0" combined with validateRequest='false' on either a global level or keeping global as 4.0 but making a subdirectory that is listed as 2.0 in its web.config and putting all the pages that you don't want validated there.

What I would really like is to keep 4.0 but add a little logic to the 4.0 RequestValidator class to prevent it from throwing an error if it's just HTML in a form.

user1873073
  • If what you want to achieve is only to allow HTML, you might find this article useful: http://stackoverflow.com/questions/4324945/how-to-store-html-code-in-asp-net-mvc2-model – Tasos K. Jun 19 '14 at 13:02
  • That may be the only way to go but then someone would have to go through all of the old code and retest everything which is why I was hoping to deal with it all in one spot. – user1873073 Jun 19 '14 at 13:05

1 Answer


I'm stupid. It's right in the documentation.

using System.Web;
using System.Web.Util;

namespace WebApplication4
{
    public class CustomRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Default behaviour: defer to the built-in 4.0 validation.
            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);

            // To accept a value instead, report no failure position and return true:
            //validationFailureIndex = -1;
            //return true;
        }
    }
}

 

<system.web>
    <httpRuntime targetFramework="4.5" requestValidationType="WebApplication4.CustomRequestValidator"/>
    ...
</system.web>
user1873073
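
Building on the override shown in the answer, the following added example (not code from the original post) relaxes validation only for named form fields and leaves every other request value to the built-in 4.0 checks. The class name AllowListRequestValidator and the field names are hypothetical; it would be registered through the same requestValidationType attribute.

```csharp
using System;
using System.Collections.Generic;
using System.Web;
using System.Web.Util;

namespace WebApplication4
{
    // Added example: permits markup only in named form fields. Values let
    // through here are unvalidated, so they must be sanitized or encoded
    // before they are stored or rendered.
    public class AllowListRequestValidator : RequestValidator
    {
        // Hypothetical field names; replace with the form keys that must accept HTML.
        private static readonly HashSet<string> HtmlFields =
            new HashSet<string>(StringComparer.OrdinalIgnoreCase)
            {
                "ctl00$MainContent$BodyHtml",
                "CommentHtml"
            };

        protected override bool IsValidRequestString(
            HttpContext context, string value,
            RequestValidationSource requestValidationSource, string collectionKey,
            out int validationFailureIndex)
        {
            // Only form posts are relaxed; query string, cookies, headers
            // and the other sources keep the default behaviour.
            if (requestValidationSource == RequestValidationSource.Form
                && collectionKey != null
                && HtmlFields.Contains(collectionKey))
            {
                validationFailureIndex = -1; // no offending character position
                return true;
            }

            return base.IsValidRequestString(context, value, requestValidationSource,
                collectionKey, out validationFailureIndex);
        }
    }
}
```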