ValidateInput(false) and AllowHtml attributes still cause 'A potentially dangerous Request.Form value was detected'

Question

I have on my model:

public class EmailTemplateModel
{
    public int EmailTemplateId { get; set; }

    [Required]
    public string Name { get; set; }
    [Required]
    public string Subject { get; set; }

    [AllowHtml]
    [Required]        
    public string Content { get; set; }
}

And on my controller:

[ValidateInput(false)]
public ActionResult AddNewTemplate(EmailTemplateEditorModel model)
{
}

Yet I am getting the following error:

A potentially dangerous Request.Form value was detected from the client

Why am I getting these errors even though this check should be disabled using the ValidateInput/AllowHtml attributes? Looking at other posts its not clear if I need both or just one of these attributes...

skolima skolima · Accepted Answer · 2011-10-25T12:48:05

You need to add

<httpRuntime requestValidationMode="2.0" />

to your web.config. See ASP.Net 4.0 Breaking Changes. Despite confusing configuration value, this is a breaking change between 3.5 and 4.0 - validation now runs earlier in the pipeline, before MVC gets a chance to disable it based on your attributes.

ValidateInput(false) and AllowHtml attributes still cause 'A potentially dangerous Request.Form value was detected'

1 Answers