2

I am using a standard MVC Controller to receive requests in raw httppost form fashion. No model objects. I want to suppress the check for potentially dangerous request form value on one of the form fields being passed. I expect HTML/XML to be entered into this field.

When I access the HttpContext.Request.Form["XMLCode"] I don't care that it could be potentially dangerous. How can I suppress this validation?

Do I need to change this to an APIController instead of standard MVC Controller?

I have already tried adding the [ValidateInput(false)] but that did not work.

DanScan
  • `[AllowHtml]` [http://stackoverflow.com/questions/3621272/allow-user-to-input-html-in-asp-net-mvc](http://stackoverflow.com/questions/3621272/allow-user-to-input-html-in-asp-net-mvc) – markpsmith Sep 08 '15 at 16:32
  • I am not using a model. I am taking in a raw HttpPost form. I get the values passed like HttpContext.Request.Form["valuename"]. If there is a method to create a model from form values I would look at that too. – DanScan Sep 08 '15 at 16:39

2 Answers

3

Try this:

```csharp
var xmlString = Request.Unvalidated.Form["XMLCode"];
```

It looks like the Request validation is triggered when you try to access Request.Form. The way around this is to access the values through the Request.Unvalidated property.

From the docs for HttpRequestBase.Unvalidated:

When implemented in a derived class, provides access to HTTP request values without triggering request validation.

Peter
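An added example, not part of the answer above: a controller action that reads only `XMLCode` through `Request.Unvalidated` and then applies its own checks, since nothing else validates that value any more. The controller name, the `Sender` field, the size limit and the `requestValidationMode="4.5"` setting (which makes validation apply per accessed value) are assumptions of this example.

```csharp
using System.IO;
using System.Net;
using System.Web;
using System.Web.Mvc;
using System.Xml;
using System.Xml.Linq;

public class ImportController : Controller          // hypothetical controller name
{
    private const int MaxXmlChars = 64 * 1024;      // assumed size limit

    [HttpPost]
    public ActionResult Receive()
    {
        // Only this one field is read without request validation.
        string rawXml = Request.Unvalidated.Form["XMLCode"];

        // Hypothetical second field: read through Request.Form, so it is still
        // validated (assumes <httpRuntime requestValidationMode="4.5" />).
        string sender = Request.Form["Sender"];

        if (string.IsNullOrEmpty(rawXml) || rawXml.Length > MaxXmlChars)
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "XMLCode missing or too large");

        // Parse with DTDs and external resolution disabled (XXE, entity expansion).
        var settings = new XmlReaderSettings
        {
            DtdProcessing = DtdProcessing.Prohibit,
            XmlResolver = null,
            MaxCharactersInDocument = MaxXmlChars
        };

        XDocument doc;
        try
        {
            using (var reader = XmlReader.Create(new StringReader(rawXml), settings))
                doc = XDocument.Load(reader);
        }
        catch (XmlException)
        {
            return new HttpStatusCodeResult(HttpStatusCode.BadRequest, "XMLCode is not well-formed XML");
        }

        // Encode whenever the submitted markup is written back into HTML.
        string body = "<p>From: " + HttpUtility.HtmlEncode(sender) + "</p><pre>"
                    + HttpUtility.HtmlEncode(doc.ToString()) + "</pre>";
        return Content(body, "text/html");
    }
}
```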
2

EDIT: The commenters are right: AllowHtml is only valid on a model property. I didn't read the question carefully enough, but I don't know why ValidateInput shouldn't work.

As far as I know there are 2 possibilities on controllers:

```csharp
[HttpPost]
[AllowHtml]
public void YourMethod(SomeModelType model)
{
}
```

or

```csharp
[HttpPost]
[ValidateInput(false)]
public void YourMethod(SomeModelType model)
{
}
```

or a combination of both.

Alexander Schmidt
  • 1
    I am not using a model. I am just grabbing the httppost request form values. I can't use the AllowHtml attribute. I don't control what the sender is sending. – DanScan Sep 08 '15 at 16:43
  • Is your first example correct? I think the `[AllowHtml]` attribute is only for properties. – Peter Sep 08 '15 at 19:55
  • 1
    AllowHtml is for the property of a model. I am not using a model at all, which is my problem. Otherwise the AllowHtml would work for me. – DanScan Sep 08 '15 at 19:57
  • `[ValidateInput(false)]` is an action level attribute.. did you try adding this to your ActionResult and see if it worked? – JamieD77 Sep 08 '15 at 20:52