Hi,
I'm building an ASP.NET MVC app using Razor views. On one specific page I'm using CKEditor, and one of the input fields will have tags like this:
{company_name}, {first_name}, etc.
When I submit this page, I get an error:
A potentially dangerous Request.Form value was detected from the client (Body="<p>Hi {company_name}...").
I tried different content; even without {company_name}, with just plain text as input, I still get the same error message:
A potentially dangerous Request.Form value was detected from the client (Body="<p>HI,</p>
<p>We ...").
I understand that a Razor page will HTML-encode any input fields by default. Please let me know how I can get around this issue. I want to accept the input on this page without validation.
I searched around and tried the following solutions, but none of them worked:
1. In web.config, add <pages validateRequest="false" />. BTW, I don't want to use this approach, because I don't want to disable request validation for the whole app, just this one page.
2. In the controller.cs, add this:
[IgnoreAntiforgeryToken(Order = 1001)]
However, this does not work; this seems to be only applicable for a .NET Core application? Please confirm.
3. In the Razor view itself, I added this to the <form> tag:
<form asp-antiforgery="false" ...>
Also, for the submit button, I added this:
<button class="btn btn-primary" formnovalidate>Save</button>
But this does not work either.
Please let me know what the best approach is to solve this problem. I'm not using .NET Core, I'm using .NET Framework, and I don't want to disable request validation for the whole app, just a few pages.
Thanks,
Claudia
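
Added example, not part of the original post: in ASP.NET MVC on .NET Framework, request validation can be switched off for a single model property with `[AllowHtml]` (or for one action with `[ValidateInput(false)]`) while it stays on everywhere else. `TemplateModel`, `TemplateController` and `TemplateRenderer` are hypothetical names, and the placeholder substitution is an assumption about how the {company_name} tags are used later.

```csharp
using System.Collections.Generic;
using System.Text.RegularExpressions;
using System.Web;
using System.Web.Mvc;

// Hypothetical view model for the CKEditor page.
public class TemplateModel
{
    // Opts only this property out of request validation;
    // all other fields, actions and pages remain validated.
    [AllowHtml]
    public string Body { get; set; }
}

public class TemplateController : Controller
{
    // Anti-forgery (CSRF) tokens are a separate feature from request
    // validation; keep them on. Needs @Html.AntiForgeryToken() in the form.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(TemplateModel model)
    {
        // Bind through the model rather than reading Request.Form["Body"]
        // directly, which is still subject to request validation.
        if (!ModelState.IsValid) return View(model);

        // model.Body is untrusted HTML from here on: pass it through an
        // allow-list HTML sanitizer before it is stored or rendered.
        TempData["Body"] = model.Body;
        return RedirectToAction("Index");
    }
}

public static class TemplateRenderer
{
    static readonly Regex Token = new Regex(@"\{([a-z_]+)\}", RegexOptions.Compiled);

    // Replaces {token} placeholders. Substituted values are HTML-encoded so
    // merged data cannot add markup; unknown tokens are left unchanged.
    public static string Render(string body, IDictionary<string, string> values)
    {
        return Token.Replace(body ?? string.Empty, m =>
        {
            string v;
            return values.TryGetValue(m.Groups[1].Value, out v)
                ? HttpUtility.HtmlEncode(v)
                : m.Value;
        });
    }
}
```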