0
votes

In one of our ASP.NET MVC applications we are using FCKEditor to allow users to enter rich text. In order to turn off the validation in the controller actions we set the attribute

    [ValidateInput(false)]

Users are able to save and modify the rich text as long as there are no business validation errors in the page.

If any of the business validations fail and the ModelState.IsValid is set to false, on rendering the page the following exception is raised. Can someone let me know how to solve this issue?

A potentially dangerous Request.Form value was detected from the client (Programme_Overview="

Here is the code

    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult Schedule(FormCollection formValues)
    {
        // some code
        if (ModelState.IsValid)
        {
            // do something here...
        }
        else
        {
            return View(programDetails);
        }
    }

    // View code that renders the FCKeditor text area
    <%= Html.TextArea("Programme_Overview", Model.Programme.Overview, new { row = 7 })%>
4
Sorry, forgot to mention in the original post. We are setting [ValidateInput(false)] in the action methods. But still this exception is raised only if ModelState.IsValid is false. – Gopinath

4 Answers

1
votes

just had this crop up, fix was to update the fck config file fckconfig.js

    FCKConfig.HtmlEncodeOutput = false;

should be

    FCKConfig.HtmlEncodeOutput = true;
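
The effect of that flag on what reaches the server, as an added example that is not part of the original answer. It assumes the editor encodes `&`, `<` and `>` when the flag is on; `looksDangerous` is a simplified stand-in for ASP.NET request validation, not the framework's code, and all function names are hypothetical.

```javascript
// Assumption: with HtmlEncodeOutput = true the editor entity-encodes
// &, < and > before the form field is posted.
function editorOutput(html, htmlEncodeOutput) {
  if (!htmlEncodeOutput) return html;
  return html.replace(/&/g, '&amp;').replace(/</g, '&lt;').replace(/>/g, '&gt;');
}

// Simplified model of request validation (assumption): reject '<' followed
// by a letter, '!', '/' or '?', and reject the sequence '&#'.
function looksDangerous(value) {
  return /<[a-z!\/?]|&#/i.test(value);
}

// Server-side step needed once the editor posts encoded output.
// '&amp;' is decoded last so that a literal '&lt;' typed by the user survives.
function decodePosted(value) {
  return value.replace(/&lt;/g, '<').replace(/&gt;/g, '>').replace(/&amp;/g, '&');
}

// Constructed sample values for the Programme_Overview field.
const samples = [
  '<p>Week 1: <strong>Induction</strong></p>',
  '<p>Fees &amp; dates</p><script>alert(1)</script>',
];

// Compare the unencoded and encoded posts for one piece of editor content.
function roundTrip(html) {
  const plain = editorOutput(html, false);
  const encoded = editorOutput(html, true);
  return {
    plainRejected: looksDangerous(plain),     // trips the validation check
    encodedRejected: looksDangerous(encoded), // passes the validation check
    decoded: decodePosted(encoded),           // what the server ends up storing
  };
}

for (const s of samples) console.log(roundTrip(s));
```

The decoded value is the original markup, script element included, so the flag only changes how the HTML travels; the server still has to sanitise it against an allow-list before rendering it.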
0
votes

Just add the following to your action:

    [ValidateInput(false)]
    [AcceptVerbs(HttpVerbs.Post)]
    public ActionResult SomeAction() {}
0
votes

I'm guessing this project was migrated from a pre-1.0 RTM project.

Original ASP.NET has page-level "dangerous input" validation that you're tripping up. We have turned it off system-wide with a change to the Web.config file in the Views folder, but I don't remember exactly when we made that change. If your project pre-dates this change, then you won't have that setting in your Web.config file in the Views folder.

So you can make a new MVC project and look at the Web.config file to see what setting(s) you might want to copy over. You can also disable this on a page-by-page basis if you want.

http://www.asp.net/learn/whitepapers/request-validation/

0
votes

It is likely some HTML output from your FCKEditor gets somehow submitted.

You can try to switch the validation off:

    public class MyController : Controller
    {
        [ValidateInput(false)]
        public ActionResult MyAction()
        {
            return View();
        }
    }