ASP.NET MVC 2 RTM, Content Management System, & ValidateInput
I have a lot of clients asking whether I can enable them to edit their own content. Most of the time I ask questions that make them realize that they don’t really need it, but sometimes they really do want it. I’ve been developing ASP.NET MVC web applications in VS2008, but as VS2010 comes closer to being released and with ASP.NET MVC 2 hitting release, I am starting to focus my efforts on using both technologies. So I sat down today and looked at CKEditor, a WYSIWYG editor that is embeddable into your site.
The issue that I found is that ASP.NET 4.0 is really concerned about security, so much so that it ignores my ValidateInputAttribute on my controllers. When I submit my HTML content from the client, the MVC application throws a red screen of death. By default, ASP.NET will validate all incoming requests to make sure there are no malicious things coming in. The ValidateInputAttribute was designed to tell ASP.NET that this request is meant to contain things that might be dangerous.
There is a really simple fix to this, and it is one line long.
- Open up your web.config.
- Under system.web, add an httpRuntime node.
- Add a requestValidationMode attribute and set it to "2.0".
The solution defaults back to ASP.NET 2.0’s request validation, which will respect your ValidateInputAttribute on your controller actions.
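The three steps above as a web.config fragment. This is an added example, not taken from the original post; the rest of the file is elided, and the controller and action names in the comment are hypothetical.

```xml
<configuration>
  <system.web>
    <!-- ASP.NET 4 validates every request before the MVC action runs, so
         [ValidateInput(false)] on the action is never consulted.
         "2.0" restores the ASP.NET 2.0 request validation behaviour, under
         which the attribute is respected again. -->
    <httpRuntime requestValidationMode="2.0" />

    <!-- Hypothetical action that receives the CKEditor HTML:

           [HttpPost]
           [ValidateInput(false)]
           public ActionResult Save(string body) { ... }

         Actions without the attribute are still validated. -->
  </system.web>
</configuration>
```

Placed in the root web.config, the setting covers the whole application, so keep `[ValidateInput(false)]` on only the action that accepts the editor's HTML, and sanitize or encode that HTML before it is rendered back to visitors.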
Hope this helps.