I added the attribute ValidateInput(false). Shouldn't this work?
I keep having the error:
A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").
Description:
Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow
pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you
can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information,
see http://go.microsoft.com/fwlink/?LinkId=153133.
Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").
What am I missing?
This is the only view where I have a TinyMce so on all other forms I still want validation ...
I can confirm this problem. In addition I made an attempt adding "ValidateRequest=false" into the <%@ Page directive of the view but to no avail. It's rather strange as many website are naming [ValidateInput] or the ValidateRequest methods to be working.
Anyone has more information on this?
Wishing coding was like Scottish weather: Don't like it? Wait for 5 minutes.
IvanL, .NET Developer
I remember this always happened to me years ago, when used to develop in frameworks 1.1 and 2.0. By that time you had to set the validateRequest flag to false in the machine.config. Now in Framework 4 you have to add this element in your configuration file.
Check this out:
http://msdn.microsoft.com/en-us/library/e1f13641.aspx
I remember this always happened to me years ago, when used to develop in frameworks 1.1 and 2.0. By that time you had to set the validateRequest flag to false in the machine.config. Now in Framework 4 you have to add this element in your configuration file.
Check this out:
http://msdn.microsoft.com/en-us/library/e1f13641.aspx
Hope it helps!
I don't get it ... I don't see any validateRequest on the url you posted.
I also tried to use <pages validateRequest="false"> but didn't solve my problem.
The ValidateInput was working fine on my MVC2 / NET 3.5 projects. It seems the problem happens only with NET 4.
Can you, please, be more specific of what should I add to Web.Config?
In the web.config file, within the <system.web> tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.
Instead of using the validateRequest attribute in the web.config file, you can use it only in certain pages in the @Page directive at the top of the aspx file.
It worked. No need to add <pages validateRequest="false">
Just the httpRuntime part and the action attribute.
Thank You,
Miguel
In ASP.NET 4 Request Validation is changed little bit.
Here is the official documentation
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the
BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also
active when custom HTTP modules are reading the contents of an HTTP request.
However I am wondering that why ASP.NET MVC team not take this under consideration.
"And whoever is removed away from the Fire and admitted to Paradise, he indeed is successful." (The Holy Quran)
Excellent Windows VPS Hosting Imran Baloch MVP, MVB, MCP, MCTS, MCPD
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the
BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also
active when custom HTTP modules are reading the contents of an HTTP request.
Good explanation. So maybe we should force validateRequest="true" within the web.config file, and disable it in the page we want?
shapper
Contributor
3932 Points
3789 Posts
A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>"). Va...
Apr 22, 2010 11:17 PM|LINK
Hello,
On a CMS I am accepting some html tags on a Text Area from a TinyMCE WYSIWYG input.
On my controller action I have:
[AcceptVerbs(HttpVerbs.Post), Authorize, ValidateAntiForgeryToken, ValidateInput(false)] public virtual ActionResult Edit(Int32 id, ResourceEditModel model) { }I added the attribute ValidateInput(false). Shouldn't this work?
I keep having the error:
A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>").
What am I missing?
This is the only view where I have a TinyMce so on all other forms I still want validation ...
I am using MVC2 and NET 4.0.
Thank You,
Miguel
IvanLieckens
Participant
1189 Points
194 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 12:11 AM|LINK
I can confirm this problem. In addition I made an attempt adding "ValidateRequest=false" into the <%@ Page directive of the view but to no avail. It's rather strange as many website are naming [ValidateInput] or the ValidateRequest methods to be working. Anyone has more information on this?
IvanL, .NET Developer
LuKiller
Participant
789 Points
170 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 12:19 AM|LINK
I remember this always happened to me years ago, when used to develop in frameworks 1.1 and 2.0. By that time you had to set the validateRequest flag to false in the machine.config. Now in Framework 4 you have to add this element in your configuration file. Check this out: http://msdn.microsoft.com/en-us/library/e1f13641.aspx
Hope it helps!
http://www.lukiller.net
shapper
Contributor
3932 Points
3789 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 01:17 AM|LINK
I don't get it ... I don't see any validateRequest on the url you posted.
I also tried to use <pages validateRequest="false"> but didn't solve my problem.
The ValidateInput was working fine on my MVC2 / NET 3.5 projects. It seems the problem happens only with NET 4.
Can you, please, be more specific of what should I add to Web.Config?
Thanks,
Miguel
LuKiller
Participant
789 Points
170 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 01:40 AM|LINK
In the web.config file, within the <system.web> tags, insert the httpRuntime element with the attribute requestValidationMode="2.0". Also add the validateRequest="false" attribute in the pages element.
Example:
<configuration>
<system.web>
<httpRuntime requestValidationMode="2.0" />
</system.web>
<pages validateRequest="false">
</pages>
</configuration>
http://www.lukiller.net
shapper
Contributor
3932 Points
3789 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 01:56 AM|LINK
By adding <pages validateRequest="false"> does that not mean that all pages will not validate input?
If I want only a few pages to behave as so shouldn't I need to use only the ValidateInput action attibute?
Thank You,
Miguel
shapper
Contributor
3932 Points
3789 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 01:59 AM|LINK
It worked. No need to add <pages validateRequest="false">
Just the httpRuntime part and the action attribute.
Thank You,
Miguel
LuKiller
Participant
789 Points
170 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 01:59 AM|LINK
Instead of using the validateRequest attribute in the web.config file, you can use it only in certain pages in the @Page directive at the top of the aspx file.
Bye.
http://www.lukiller.net
imran_ku07
All-Star
45864 Points
7713 Posts
MVP
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 02:22 AM|LINK
In ASP.NET 4 Request Validation is changed little bit.
Here is the official documentation
In ASP.NET 4, by default, request validation is enabled for all requests, because it is enabled before the BeginRequest phase of an HTTP request. As a result, request validation applies to requests for all ASP.NET resources, not just .aspx page requests. This includes requests such as Web service calls and custom HTTP handlers. Request validation is also active when custom HTTP modules are reading the contents of an HTTP request.
However I am wondering that why ASP.NET MVC team not take this under consideration.
Excellent Windows VPS Hosting
Imran Baloch MVP, MVB, MCP, MCTS, MCPD
LuKiller
Participant
789 Points
170 Posts
Re: A potentially dangerous Request.Form value was detected from the client (Text="<p>what?</p>")...
Apr 23, 2010 02:32 AM|LINK
Good explanation. So maybe we should force validateRequest="true" within the web.config file, and disable it in the page we want?
http://www.lukiller.net