I have my ViewModel / Action / Controller in the form of:
[HttpPost, ValidateInput(false)]
public ActionResult TheActionMethod(TheViewModel aViewModelVariable)
{
    if (ModelState.IsValid)
    {
        //Do the things
        return AnActionThatListsAllItemsOfSimilarTypeAndGivesSuccessMessage();  //Can get here
    }
    else
    {
        //Do other things
    }
    return View(aViewModelVariable); //Error occurs if this line executes
}
And my View Model in the form of:
[Display(Name = "Does not allow HTML")]
public string AFieldThatDoesntAllowHtml { get; set; }
[Required]
[Display(Name = "Allows HTML")]
[AllowHtml]
public string AFieldThatAllowsHtml { get; set; }
I can submit just fine, assuming everything validates, and save etc. The issue is that if !ModelState.IsValid and the code reaches return View(aViewModelVariable); I will always get:
System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (AFieldThatAllowsHtml="<div>SomeText That was entered...")
I am hoping to solve this WITHOUT resorting to
<httpRuntime requestValidationMode="2.0" />
I would also love to be able to do this without having ValidateInput(false) on my action.
If you pass the parameters in JSON format, the HttpRequestValidationException will not be triggered.
However, you should probably perform custom validation to strip the string content of any potentially dangerous HTML tags.
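One way to do the custom validation this answer suggests, as an added example that is not code from the original post: an action that binds a JSON body and passes the HTML field through an allowlist sanitizer before it is used. It assumes the third-party HtmlSanitizer NuGet package (namespace Ganss.Xss in current releases); the controller name, the allowed tag list and the JSON response shape are hypothetical.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Linq;
using System.Web.Mvc;
using Ganss.Xss; // HtmlSanitizer NuGet package: an assumption, not used on the original page

public class TheViewModel
{
    public string AFieldThatDoesntAllowHtml { get; set; }
    [Required]
    public string AFieldThatAllowsHtml { get; set; }
}

public class TheController : Controller // hypothetical controller name
{
    // Allowlist: tags and attributes not listed are removed. Constructed sample tag set.
    private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();

    private static HtmlSanitizer BuildSanitizer()
    {
        var sanitizer = new HtmlSanitizer();
        sanitizer.AllowedTags.Clear();
        foreach (var tag in new[] { "div", "p", "br", "b", "i", "ul", "ol", "li" })
            sanitizer.AllowedTags.Add(tag);
        sanitizer.AllowedAttributes.Clear(); // no attributes: no on* handlers, style or href
        return sanitizer;
    }

    // The client posts Content-Type: application/json. As the answer notes, that
    // body does not raise HttpRequestValidationException, so this is the only filter.
    [HttpPost]
    public ActionResult TheActionMethod(TheViewModel aViewModelVariable)
    {
        if (aViewModelVariable == null) return new HttpStatusCodeResult(400);
        var clean = Sanitizer.Sanitize(aViewModelVariable.AFieldThatAllowsHtml ?? "");
        aViewModelVariable.AFieldThatAllowsHtml = clean;
        // [Required] ran on the raw input; re-check in case sanitizing left nothing.
        if (ModelState.IsValid && string.IsNullOrWhiteSpace(clean))
            ModelState.AddModelError("AFieldThatAllowsHtml", "Content is empty after sanitizing.");

        if (!ModelState.IsValid)
        {
            Response.StatusCode = 400;
            var errors = ModelState.Values.SelectMany(v => v.Errors).Select(e => e.ErrorMessage).ToArray();
            return Json(new { ok = false, errors });
        }
        // Persist aViewModelVariable here (storage is outside this example).
        return Json(new { ok = true });
    }
}
```

AFieldThatDoesntAllowHtml also arrives unchecked when the request is JSON, so render it through Razor's default encoding (`@Model.AFieldThatDoesntAllowHtml`) and reserve `Html.Raw` for the sanitized field only.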