I'm working on an application that I inherited from another developer store that has recently been updated to MVC2 / .NET 4 from MVC 1 / .NET 2 / 3.5. Everything works fine except for one page. There is an iframe on this page that loads an instance of TinyMCE and allows in-line editing of some HTML templates. The hosting page has a JavaScript event associated with the submit button, which, when clicked, captures the value of innerHtml iframe, converts it to JSON and places it in a hidden form field.
As a form message, I get the infamous “Potentially dangerous Request.Form value was detected ...” Now I have completed the Microsoft white paper and added
<httpRuntime requestValidationMode="2.0" />
In my web.config and decorated my controller with
[ValidateInput(false)]
And I still get this error. The corresponding stack is below.
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (HtmlContent="...orrectly? <a href=\"*|ARCHIVE|...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8730676
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
System.Web.HttpRequestWrapper.get_Form() +11
System.Web.Mvc.HttpRequestExtensions.GetHttpMethodOverride(HttpRequestBase request) +235
System.Web.Mvc.AcceptVerbsAttribute.IsValidForRequest(ControllerContext controllerContext, MethodInfo methodInfo) +119
System.Web.Mvc.<>c__DisplayClass11.<RunSelectionFilters>b__d(ActionMethodSelectorAttribute attr) +57
System.Linq.Enumerable.All(IEnumerable`1 source, Func`2 predicate) +145
System.Web.Mvc.ActionMethodSelector.RunSelectionFilters(ControllerContext controllerContext, List`1 methodInfos) +524
System.Web.Mvc.ActionMethodSelector.FindActionMethod(ControllerContext controllerContext, String actionName) +122
System.Web.Mvc.ReflectedControllerDescriptor.FindAction(ControllerContext controllerContext, String actionName) +182
System.Web.Mvc.ControllerActionInvoker.FindAction(ControllerContext controllerContext, ControllerDescriptor controllerDescriptor, String actionName) +47
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +283
System.Web.Mvc.Controller.ExecuteCore() +136
System.Web.Mvc.ControllerBase.Execute(RequestContext requestContext) +111
System.Web.Mvc.ControllerBase.System.Web.Mvc.IController.Execute(RequestContext requestContext) +39
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__4() +65
System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +44
System.Web.Mvc.Async.<>c__DisplayClass8`1.<BeginSynchronous>b__7(IAsyncResult _) +42
System.Web.Mvc.Async.WrappedAsyncResult`1.End() +140
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +54
System.Web.Mvc.Async.AsyncResultWrapper.End(IAsyncResult asyncResult, Object tag) +40
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +52
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +38
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +8836913
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +184
Interestingly, if I plug in the BeginRequest method in Global.asax, which seems to indicate that the code works in 2.0 validation mode, because if my understanding of .NET 4s query validation is correct, I would not be able to get this method if the code works under the 4.0 validation model, as it handles everything up to BeginRequest.
Now I managed to get around this problem by calling escape () from the JavaScript function by the value of the hidden form field, but this is obviously a hack. Has anyone else experienced this problem or had any idea what I can do to properly disable request validation for this method on my controller?
Thank!