1

Not sure if this is the right place to ask this, but I struggle with one issue when posting HTML inside a string using MVC5. The question is: Once the controller has been hit by a request and a response is going to be sent, what else in the ASP.NET MVC framework could trigger a validation error like the following?

A potentially dangerous Request.Form value was detected from the client (messagebody="

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client messagebody="html tags here").
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +12339710
System.Web.HttpValueCollection.Get(String name) +90
System.Web.Caching.OutputCacheModule.CreateOutputCachedItemKey(String path, HttpVerb verb, HttpContext context, CachedVary cachedVary) +956
System.Web.Caching.OutputCacheModule.OnLeave(Object source, EventArgs eventArgs) +1212
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +92
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +165

I am aware of the built-in request validation in ASP.NET MVC and I have annotated my view model's property with the attribute [AllowHtml] as follows:

public class MyClassVM
{
    [AllowHtml]
    public string MessageBody { get; set; }
}

..so there are no problems reaching the controller action and deserializing into an object. Then in my controller's action I let the framework deserialize the posted message's content into a MyClassVM instance as follows:

[HttpPost]
public ActionResult Details(NotificationVM notificationVm)
{
    if (ModelState.IsValid)
    {
        string messageBody = notificationVm.MessageBody;
        //do things like saving something in DB. This works good!
    }
    var serverError = Server.GetLastError(); //null. No errors at this point
    return new HttpStatusCodeResult(HttpStatusCode.OK);
}

However the private void Application_Error(object sender, EventArgs e) method is reached and Server.GetLastError(); at that stage contains the Validation exception due to the html code inside the request.

Why? What can possibly trigger that validation error once the controller has nearly done its job? Could it be something in a filter that is in the middle of the response? (there are some filters but they seem pretty basic authentication filters and another that modifies a Json serializer to replace some dates if any..).

Also, when debugging, the last code I am able to see is some properties that access System.Security.Principal.IIdentity, but I don't see how that could be a problem..

UPDATE: I have tried adding [ValidateInput(false)] on the top of my controller's action but that doesn't make any difference. The potentially dangerous Request.Form value is also detected and the exception triggered.

UPDATE: I have also tried to disable the custom model binders that were being executed before the controller gets hit. But no luck, the problem must be something else that happens AFTER the controller's action is executed and the fields are properly read from the posted view model already deserialized.

Thank you

diegosasw
  • 2
    Check out this answer: http://stackoverflow.com/a/1540976/545680 –  May 07 '15 at 02:26
  • The custom model binder link http://blogs.taiga.nl/martijn/2011/09/29/custom-model-binders-and-request-validation/ looks promising. I am having a look, thank you. I realized that I've got a DateTimeConvertModelBinder : IModelBinder being executed BEFORE the request hits my controller and that might affect things.. However when the controller gets hit, the Server.GetLastError() is null, so that is confusing as it makes me think that the Server error happens AFTER the IModelBinder execution. – diegosasw May 07 '15 at 02:44
  • No.. it didn't make any difference to disable the custom model binders so it must be something else.. – diegosasw May 07 '15 at 03:21

1 Answer

0

It had to do with the ModelState validation as part of the MVC framework. Thanks to this article I learned about it and solved my problem with ModelState.Clear().

diegosasw
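
An Application_Error handler for the situation in the question, where the validation exception only surfaces after the action has returned: it reports which component read the validated form collection (in the stack trace posted in the question, that frame is OutputCacheModule.CreateOutputCachedItemKey). This is an added example, not code from the original post; the class name MvcApplication and the log message format are assumptions.

```csharp
using System;
using System.Linq;
using System.Web;

// Global.asax.cs; MvcApplication is the default template name (assumed).
public class MvcApplication : HttpApplication
{
    // Types that only perform the validation; their caller is the frame of interest.
    private static readonly string[] ValidationPlumbing =
    {
        "System.Web.HttpRequest",
        "System.Web.HttpValueCollection"
    };

    protected void Application_Error(object sender, EventArgs e)
    {
        Exception last = Server.GetLastError();
        var ex = (last == null ? null : last.GetBaseException())
                 as HttpRequestValidationException;
        if (ex == null) return;

        // Walk up from the throw site to the first method outside the plumbing types.
        var frames = new System.Diagnostics.StackTrace(ex).GetFrames()
                     ?? new System.Diagnostics.StackFrame[0];
        var caller = frames
            .Select(f => f.GetMethod())
            .FirstOrDefault(m => m != null && m.DeclaringType != null &&
                !ValidationPlumbing.Contains(m.DeclaringType.FullName));

        // Request.Unvalidated (.NET 4.5+) reads the form without re-running validation.
        // Log field names only, so posted markup never reaches the log.
        string fields = string.Join(",", Request.Unvalidated.Form.AllKeys);

        System.Diagnostics.Trace.TraceWarning(
            "Request validation triggered by {0}.{1} on {2} {3}; form fields: {4}",
            caller == null ? "?" : caller.DeclaringType.FullName,
            caller == null ? "?" : caller.Name,
            Request.HttpMethod, Request.Path, fields);
    }
}
```

The handler does not call Server.ClearError(), so the application's existing error handling still runs after the warning is written.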