11

I am using CKEditor/CKFinder as a WYSIWYG editor on my MVC.NET site.

I have set [ValidateInput(false)] and it works when debugging it locally, but I receive the following error when I have published the site:

A potentially dangerous Request.Form value was detected from the client (message="<p>
<em>Testing</e...").

Can anyone explain why the published site is different from the local site, especially when I have set [ValidateInput(false)]?

*Update:* I am using .NET 3.5, so shouldn't [ValidateInput(false)] work out of the box?

Dofs
  • Adding the web.config won't disable the validation on all pages unless you specify `[ValidateInput(false)]` before action. – Vishal Jan 07 '11 at 22:58
  • 1
    Can you confirm that the .NET AppPool which your published site is using is not running under .NET 4.0? I am guessing it is. – Paul Hiles Jan 11 '11 at 09:49
  • Thanks, apparently the host ran .NET 4.0. – Dofs Jan 11 '11 at 11:13

6 Answers

26

Have you tried setting the htmlEncodeOutput property?

CKEDITOR.replace('editor1', {
    htmlEncodeOutput: true
});

This should encode the output and you should be able to avoid setting the requestValidationMode.

Documentation for it is here: ckEditor documentation

DanB
Catch22
  • 7
    +1 this is better than disabling the validation in my opinion. – ashes999 Feb 10 '12 at 19:25
  • 1
    I agree with @ashes999. Two indications to help future readers of the post **1** 'editor1' is the id of the ckeditor control **2** don't forget to decode the value received after POST with _System.Net.WebUtility.HtmlDecode_ otherwise you'll probably continue to have the same error. – Mechanical Object Feb 10 '14 at 03:11
  • I am not using CKEDITOR.replace(), I use – Andiana Jun 23 '15 at 08:59
  • And then use to decode encoded text from database, when you need to edit the text. See more here: https://stackoverflow.com/questions/14978281/html-encode-decode-ckeditor – hsop Oct 03 '19 at 11:46
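
The round trip behind the htmlEncodeOutput answer and the HtmlDecode comment above, as an added example that is not part of the original posts. The function names are hypothetical, `looksDangerous` only approximates the ASP.NET 4 request-validation rule, and the editor's encoding is modelled as replacing `&`, `<` and `>`.

```javascript
// Added example, not code from the thread. All function names are hypothetical.

// Approximation (assumption) of the ASP.NET 4 request-validation rule:
// '<' followed by a letter, '!', '/' or '?', or '&' followed by '#'.
function looksDangerous(value) {
  return /<[a-zA-Z!\/?]|&#/.test(value);
}

// Model (assumption) of what the editor posts with htmlEncodeOutput: true.
function htmlEncode(text) {
  return text
    .replace(/&/g, '&amp;')
    .replace(/</g, '&lt;')
    .replace(/>/g, '&gt;');
}

// Stand-in for the server-side System.Net.WebUtility.HtmlDecode call.
// '&amp;' is decoded last so '&amp;lt;' becomes '&lt;', not '<'.
function htmlDecode(text) {
  return text
    .replace(/&lt;/g, '<')
    .replace(/&gt;/g, '>')
    .replace(/&amp;/g, '&');
}

// Walks one form field through the POST: raw editor HTML, the encoded
// value on the wire, and the value the action holds after decoding.
function roundTrip(editorHtml) {
  const posted = htmlEncode(editorHtml);
  const decoded = htmlDecode(posted);
  return {
    rawRejected: looksDangerous(editorHtml),   // the error from the question
    postedRejected: looksDangerous(posted),    // encoded form passes the check
    decoded,
    decodedStillMarkup: looksDangerous(decoded),
  };
}

// Constructed sample inputs.
const samples = [
  '<p>\n<em>Testing</em></p>',
  '<p>hi</p><script>x()</script>',
  'price &#60; 5',
];
for (const s of samples) console.log(JSON.stringify(roundTrip(s)));
```

The encoded value passes validation for every input, including script markup, and decoding restores that markup unchanged. The decoded string is therefore still untrusted HTML and needs an allow-list sanitizer before it is stored or rendered.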
7

Add this to your web.config:

<httpRuntime requestValidationMode="2.0" />
stian.net
  • Sorry I forgot to mention that I didn't want to disable it on all pages. Also my question was also about why it was different when debugging than when published. – Dofs Jan 07 '11 at 22:53
  • This won't turn it off for all pages. It will just make your attribute [ValidateInput(false)] work. http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx – stian.net Jan 07 '11 at 23:03
  • I am using MVC.Net 3.5 so shouldn't [ValidateInput(false)] work out of the box? – Dofs Jan 09 '11 at 19:51
  • requestValidationMode is as far as I know not an attribute in the .Net 3.5 – Dofs Jan 11 '11 at 07:47
  • 2
    The answer was to have the host change the App pool to .NET 3.5, but since this answer would have helped if I was running .NET 4.0 I am marking it as the answer. – Dofs Jan 11 '11 at 11:14
  • This fixes the reported error, but removes request validation from your whole website, I don't think this should be the Accepted answer. – Robert Benyi Aug 29 '16 at 13:13
0

Just add an Annotation to the Post method Action as [ValidateInput(false)]

[HttpPost]
[ValidateAntiForgeryToken]
[ValidateInput(false)]
public ActionResult Detail(ModelClass m)
{
    return View();
}
Dpk-Kumar
0

ValidateRequest="false" Add this in the particular Page.

Example:

Abhishek Kanrar
0

Add ValidateRequest="false" to your Page:

<%@ Page Language="C#" AutoEventWireup="false" Codebehind="MyForm.aspx.cs" Inherits="Proj.MyForm" ValidateRequest="false"%>

Or add to web.config if using .NET Framework 4.0 (Visual Studio 2010)

<httpRuntime requestValidationMode="2.0" />
Hossein Golshani
phuc.nx
0

Use Request.Unvalidated["myTextBox"]

for example,

var text = Request.Unvalidated["myTextBox"];

where "myTextBox" is the form field you want to allow HTML to be posted from.

Mebin Joe