Why is ValidateInput(False) not working?

2019-01-06 12:59发布

站内问答 / 后端开发
895 7 6

I am converting an application I created using webforms to the asp.net mvc framework using vb.net. I have a problem with one of my views. I get the yellow screen of death saying "A potentially dangerous Request.Form value was detected from the client" when I submit my form. I am using tinymce as my RTE. I have set on the view itself

ValidateRequest="false"

I know that in MVC it doesn't respect it on the view from what I've read so far. So I put it on the controller action as well. I have tried different setups:

<ValidateInput(False), AcceptVerbs(HttpVerbs.Post)> _

...and...

<AcceptVerbs(HttpVerbs.Post), ValidateInput(False)> _

...and like this as well...

<ValidateInput(False)> _
<AcceptVerbs(HttpVerbs.Post)> _

Just to see if it made a difference, yet I still get the yellow screen of death. I only want to set it for this view and the specific action in my controller that my post pertains to. Am I missing something?

7条回答
Luminary・发光体
2楼-- · 2019-01-06 13:16

You can try accessing the field like HttpContext.Request.Unvalidated.Form["FieldName"]

查看更多
0人赞 添加讨论(0) 举报
爱情/是我丢掉的垃圾
3楼-- · 2019-01-06 13:20

If you use an input model and use an AllowHtml on the property you want, you will be unblocked.

public class InputModel
{
    [AllowHtml]
    public string HtmlInput { get; set; }
}

...
[ValidateInput(false)]
public async Task<ActionResult> ControllerMethod(InputModel model)
{
}
查看更多
0人赞 添加讨论(0) 举报
Animai°情兽
4楼-- · 2019-01-06 13:24

With asp.net 4, you'll need to configure the validation mode in the web.config as well.

Set the following as a child of the <system.web> element:

<system.Web>
  ...
  <httpRuntime requestValidationMode="2.0"/>

Asp.Net 4 sets the requestValidationMode to 4.0 by default, which tells the system to perform request validation before the BeginRequst phase of the HTTP request. The validation will occur before the system reaches the action attribute telling it not to validate the request, thus rendering the attribute useless. Setting requestValidationMode="2.0" will revert to the asp.net 2.0 request validation behavior, allowing the ValidateInput attribute to work as expected.

查看更多
0人赞 添加讨论(0) 举报
干净又极端
5楼-- · 2019-01-06 13:26

Add the following line of code:

GlobalFilters.Filters.Add(new ValidateInputAttribute(false));

to the Application_Start() method.

查看更多
0人赞 添加讨论(0) 举报
SAY GOODBYE
6楼-- · 2019-01-06 13:27

When you are using your own model binders which implement the IModelBinder interface you will notice that those custom model binders always validate the data, regardless any attributes. You can add few lines of code to make the custom model binders respect the ValidateInput filter of the actions:

// First check if request validation is required
var shouldPerformRequestValidation = controllerContext.Controller.ValidateRequest && bindingContext.ModelMetadata.RequestValidationEnabled;

// Get value
var valueProviderResult = bindingContext.GetValueFromValueProvider(shouldPerformRequestValidation);
if (valueProviderResult != null)
{
    var theValue = valueProviderResult.AttemptedValue;

    // etc...
}

This is explained very nicely by Martijn Boland here: http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/

查看更多
0人赞 添加讨论(0) 举报
乱世女痞
7楼-- · 2019-01-06 13:39

Are you sure that the controller action being posted to is the one you have the attributes on?

查看更多
0人赞 添加讨论(0) 举报
1 2 下一页
登录 后发表回答
相关问题
查看全部
相关文章
查看全部
收藏的人(6)