ValidateRequest = False but in action it's still True and ignored that?

Question

i want disable RequestValidation on particular view in ASP.NET MVC 2.0 RTM. so i added some necessary to view Page directive section as below:

<%@ Page ValidateRequest="false" Language="C#" MasterPageFile="Path" Inherits="System.Web.Mvc.ViewPage<Path>" %>

but RequestValidation isn't Disabled! i also added RequestValidation Attribute to related action in controller as below:

[System.Web.Mvc.ValidateInput(false)]
public System.Web.Mvc.ActionResult Create(Model instance)
{
    //Do here something
}

:') but RequestValidation isn't Disabled too!

in last try i set RequestValidation to false in Web.config file as below:

<pages validateRequest="false" />

RequestValidation still isn't turned off!

Why? thank's in advance ;)

How do you determine that ValidateRequest is not turned off? Also, please provide your .net framework version, asp.net and mvc versions. — Branislav Abadjimarinov, Apr 23 '10 at 13:19
because when i submit a form which one on field's have html tag i recieve an ValidationRequest exception. i'm using ASP.NET 4.0 and MVC 2.0 — Sadegh, Apr 23 '10 at 13:57
thank's for your link. but if i perform provided way to having this, all new feature's of this will be lose! there aren't any way to ignore validation for particular view/controller? — Sadegh, Apr 23 '10 at 14:02
same question, some interesting alternatives not covered here: http://stackoverflow.com/questions/2673850/validaterequest-false-doesnt-work-in-asp-net-4 — demp, Nov 08 '12 at 10:25

score 13 · Accepted Answer · answered Apr 23 '10 at 13:23

13

If you are using asp.net 4.0 the validate request feature behavior has been changed from version 2.0. Check out the breaking changes document here. If this is the case you can resolve the problems by setting the request validation behavior back to the 2.0 in the web.config like this:

<httpRuntime requestValidationMode="2.0" />

answered Apr 23 '10 at 13:23

Branislav Abadjimarinov

5,101
3
35
44

2

This saved my ass today. Thanks :) – SirDemon Aug 08 '10 at 09:42
2

This also fixes the problem for me. However I don't understand why. The breaking changes talk about extending validation to non-aspx-requests, however I'm only using it for a normal aspx page. Right now, it seems to me like validateRequest is simply broken in 4.0. If not, is there any proper way to doing it in 4.0 without essentially reverting to 2.0? – Nicolas78 May 19 '11 at 09:13
2

FYI: "The first change is to set the requestValidationMode attribute of the httpRuntime element to "2.0". This setting makes request validation occur later in the sequence of request processing events. The setting is required for applications that use ASP.NET 4 and later, because as of ASP.NET 4, request validation takes place earlier in the request life cycle than it did in previous versions of ASP.NET." from https://msdn.microsoft.com/en-us/library/hh882339.aspx – Gusman May 11 '15 at 21:06

score 0 · Answer 2 · answered Aug 05 '11 at 06:26

just add

[ValidateInput(false)]

in your controller function but don't forget to encode the value to prevent harmful code

    [ValidateInput(false)]
    public string Browse(string test)
    {
        string message = HttpUtility.HtmlEncode("Value = " + test);
        return message;
    }

ValidateRequest = False but in action it's still True and ignored that?

2 Answers2

Linked