Error message "A potentially dangerous Request.Form value"

Question

I have added TinyMCE editor to add description in HTML format but when I write something in HTML and click Add Product It gives me this error:

A potentially dangerous Request.Form value was detected from the client (Description="

I've tried:

AllowHtml <= not working
[HttpPost, ValidateInput(true, Exclude = "Description")] and get this error

System.Web.Mvc.ValidateInputAttribute' does not contain a definition for Exclude

<httpRuntime requestValidationMode="2.0"> in web.config and getting this error

HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.

Product.cs

public partial class Product {

     public int productID {get; set;}

     [Required]
     public int Name {get; set;}

     [AllowHtml]
     public string Description {get; set;}

     public string ImagePath {get;set}
}

Add Product View

@using (Html.BeginForm("AddProduct", "Store", FormMethod.Post, new { enctype = "multipart/form-data",   @class = "form-horizontal", role = "form" }))
{
@Html.AntiForgeryToken()
<h4>Create a new product.</h4>
<hr />
@Html.ValidationSummary(true)
@ViewBag.SizeMsg
<div class="form-group">
    @Html.LabelFor(m => m.Name, new { @class = "col-md-2 control-label"})
    <div class="col-md-10">
        @Html.TextBoxFor(m => m.Name, new { @class = "form-control" })
        @Html.ValidationMessageFor(m=>m.Name)
    </div>
</div>
<div class="form-group">
    @Html.LabelFor(m => m.Description, new { @class = "col-md-2 control-label" })
    <div class="col-md-10">
        @Html.TextAreaFor(m => m.Description, new { @class = "form-control" })
    </div>
</div>
<div class="form-group">
    @Html.LabelFor(m => m.ImagePath, new { @class = "col-md-2 control-label" })
    <div class="col-md-10">
        <input type="file" name="file" id="file" style="width: 100%;" />
    </div>
</div>
<div class="form-group">
    <div class="col-md-offset-2 col-md-10">
        <input type="submit" class="btn btn-default" value="Add Product" />
    </div>
</div>
}

Controller

[HttpPost]
public ActionResult AddProduct(HttpPostedFileBase file)
{
   if (file != null)
   {
      var allowedExtensions = new[] { ".jpg", ".png", ".jpeg", ".gif", ".JPG", ".PNG", ".JPEG" };
      if (allowedExtensions.Contains(extension))
      {
        string ImagePath = System.IO.Path.GetFileName(file.FileName);
        string physicalPath = Server.MapPath("~/ProductImages/" + ImagePath);
        file.SaveAs(physicalPath);

        Product newRecord = new Product();
        newRecord.Name = Request.Form["Name"];
        newRecord.Description = Request.Form["Description"];
        newRecord.ImagePath = ImagePath;
        db.Products.Add(newRecord);
        db.SaveChanges();
        return RedirectToAction("Index", "Home");
      }
      else
      {
        ViewBag.SizeMsg = "File not supported.";
        return View();
       }
   }
   return View();
 }

@Mormegil Please see my question, I have updated it with the solutions that I tried. — user3223395667, Dec 08 '15 at 12:35
why are you applying an AllowHtml attribute to an int property? you should apply it to string properties.... — Ahmed ilyas, Dec 08 '15 at 12:47

score 3 · Answer 1 · answered Dec 08 '15 at 11:49

3

add this to your config

<httpRuntime requestValidationMode="2.0"/>

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

add add this too

[Post, ValidateInput(false)]
public ActionResult Operation(string Parameter) {
    ...
}

answered Dec 08 '15 at 11:49

1

Not working, still getting the same error. and when I added `` I get this error `HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid.` – user3223395667 Dec 08 '15 at 11:57
for your reference http://codingstill.com/2013/01/avoiding-the-a-potentially-dangerous-request-form-value-was-detected/ – Dec 08 '15 at 12:05
Already checked it, that didn't work. Tried `[AllowHtml]`and Tried this also `[HttpPost, ValidateInput(true, Exclude = "Description")]` but get this error `System.Web.Mvc.ValidateInputAttribute' does not contain a definition for Exclude` – user3223395667 Dec 08 '15 at 12:13

score 2 · Accepted Answer · answered Dec 08 '15 at 12:37

2

I've had similar problems, this is the configuration I run with:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

answered Dec 08 '15 at 12:37

janhartmann

14,713
15
82
138

1

I'm getting this error with your solution `IIS 8.0 Detailed Error - 500.19 - Internal Server Error` because of this `` – user3223395667 Dec 08 '15 at 12:43
2

Try accessing the Form Data with: `Request.Unvalidated.Form["MyFieldToFetch"];` – janhartmann Dec 08 '15 at 12:45
Thanks man! That worked for me. You just saved me from hittiing my head. Thanks alot! – user3223395667 Dec 08 '15 at 12:51

Error message "A potentially dangerous Request.Form value"

2 Answers2