ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection

Question

FYI I am using .NET 4.0 / MVC 3.

In my controller, the following is my code:

[HttpPost]
[ValidateInput(false)]
public ViewResult Edit(ContentTemplateView contentTemplateView, FormCollection collection)

Everything works fine when I don't enter HTML, so I know the proper controller is being fired. Also, I have following set properly in my web.config files:

<httpRuntime requestValidationMode="2.0"/>

I only get this problem when I include the FormCollection (which is needed for this particular Controller). So what exactly am I doing wrong?

[I have done what was proposed on the following questions, and they work as long as there is no FormCollection. None of them offer a solution with an included FormCollection]

score 22 · Accepted Answer · edited Aug 19 '14 at 10:30

22

I think I've solved my own riddle, with the help of this forum: http://forums.asp.net/p/1621677/4163625.aspx

I just modified my Controller so that it didn't accept the Controller, and instead grabbed the unvalidated form collection from the Request [with the help of System.Web.Helpers].

using System.Web.Helpers;

[HttpPost]
[ValidateInput(false)]
public ViewResult Edit(ContentTemplateView contentTemplateView)
{
    FormCollection collection = new FormCollection(Request.Unvalidated.Form);

edited Aug 19 '14 at 10:30

ebb

9,297
18
72
123

answered Dec 06 '10 at 01:13

dochoffiday

5,515
6
32
41

1

BTW I believe this bug is fixed for the next release of ASP.NET MVC 3, so this workaround won't be needed when you upgrade to that release. – Eilon Dec 06 '10 at 02:29
I have tried to add a reference to the `System.Web.Helpers` dll, and added a `using System.Web.Helpers` in my controller, but it wont accept `Unvalidated()` as a method under `Request`. Im using .NET 4 and MVC 3 RC. – Martin at Mennt Dec 08 '10 at 20:35
@Martin just answered your question: http://stackoverflow.com/questions/4392186/validate-request-with-request-unvalidated-in-asp-mvc-3-rc-and-net-4 – marcind Dec 08 '10 at 21:06
This help help to resolve my problem! I have this problem "Preventing CSRF With Ajax" (http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx) but this is fired before ValidateInput(false) so I replace _form = new NameValueCollection(request.Form); with _form = new NameValueCollection(request.Unvalidated().Form); – Vackup Feb 29 '12 at 14:13
Yes, it works. You should also add the following to web.config – Maksym Kozlenko May 08 '13 at 02:00

score 7 · Answer 2 · answered Dec 20 '10 at 08:40

7

I just installed ASP.NET MVC 3 RC2, and this bug has been fixed. The following code works as expected now.

[HttpPost]
[ValidateInput(false)]
public ViewResult Edit(FormCollection form)
{
}

answered Dec 20 '10 at 08:40

Johnny Oshika

54,741
40
181
275

score 0 · Answer 3 · answered Jan 23 '12 at 18:39

0

If you are using custom model binders and [ValidateInput(false)] is not working then you might find a solution here: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/

answered Jan 23 '12 at 18:39

Rahatur

3,147
3
33
49

ASP.NET MVC 3 ValidateRequest(false) not working with FormCollection

3 Answers3

Linked