A potentially dangerous Request.Form value was detected from the client - ASP.NET MVC

Question

I am getting this error in my ASP.NET MVC application where I am taking HTML input from a WYSIWYG so I don't want the content validated.

I have attempted the solution I found here but it seems to make no difference in my MVC application. I have also tried doing it in the web.config but again - no joy.
Is this a bug in ASP.NET MVC or something?

Kelix, the post you refer to carries with it the recommendation to use the [pages requestValidation="false"] web.config paramater or the [@Page ValidateRequest="False"] attribute of the View. Any one of these options should work fine. — David Andres, Sep 21 '09 at 16:55
It doesn't, see: http://stackoverflow.com/questions/486408/can-a-pages-validaterequest-setting-be-overridden — Ryall, Sep 21 '09 at 16:57

Craig Stuntz · Accepted Answer · 2019-02-22T15:00:01.257

49

In MVC you would use the ValidateInput(false) attribute.

You then need to sanitize your inputs, e.g. with something like this (built in to ASP.NET 4.5+; use NuGet package for earlier).

edited Feb 22 '19 at 15:00

answered Sep 21 '09 at 16:55

Craig Stuntz

123,797
12
247
268

6

you must also have in web.config – dtucker1914 Feb 28 '14 at 16:03
4

[AllowHtml] on the model property is even better if you can. – Todd Jun 01 '16 at 09:02
Disabling validation is NOT the secure way to do this, especially if your app is facing public Internet. Consider using a more granular `[AllowHtml]` attibute – jazzcat Apr 04 '17 at 11:07
@jazzcat I agree, but `[AllowHtml]` didn't exist in 2009 – Craig Stuntz Apr 05 '17 at 13:23

Loren Paulsen · Answer 2 · 2019-02-21T00:54:47.270

29

In MVC 3 and later, you can also use the [AllowHtml] attribute. This attribute allows you to be more granular by skipping validation for only one property on your model.

https://docs.microsoft.com/en-us/dotnet/api/system.web.mvc.allowhtmlattribute?view=aspnet-mvc-5.2

edited Feb 21 '19 at 00:54

answered Jan 07 '13 at 07:18

Loren Paulsen

8,080
1
26
37

Worked for me, this seems safer than '[ValidateInput(false)]', thank you – MIP1983 Nov 08 '16 at 14:10
Had to apply to the model attributes as well the corresponding view model attributes, then it worked. – spadelives Nov 09 '16 at 19:19
Using this attribute [AllowHtml] in my model, got rid of the error. Will it still catch cross site scripting? – Paul Hegel Jun 12 '20 at 15:49
No, it will not catch cross-site scripting. Opting into this attribute either means that you will be safely encoding the contents yourself before outputting them, or you are developing an HTML editor for some sort of CMS where you actually want to allow the user to enter HTML/scripts with the intention of running them. – Loren Paulsen Jun 16 '20 at 23:55

score 21 · Answer 3 · answered Sep 21 '09 at 16:55

21

Just place this attribute: [ValidateInput(false)] on the action method on the controller that handles the form post.

answered Sep 21 '09 at 16:55

Pedro Jacinto

946
2
7
14

score 4 · Answer 4 · answered Mar 07 '10 at 17:26

4

use <httpRuntime requestValidationMode="2.0" /> in web config

answered Mar 07 '10 at 17:26

JGilmartin

7,352
12
59
79

http://www.asp.net/(S(ywiyuluxr3qb2dfva1z5lgeg))/learn/whitepapers/aspnet4/breaking-changes/#_TOC7 – Mauricio Scheffer Mar 07 '10 at 18:16

score 1 · Answer 5 · answered Jun 16 '15 at 13:20

In your controller action method, (the one which is bringing this) add [ValidateInput(false)]

Example

    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Insert(FormCollection formCollection, Models.Page page)
    {
        //your code
        return View();
    }

A potentially dangerous Request.Form value was detected from the client - ASP.NET MVC

5 Answers5

Linked

Related