I have allowed HTML on a model property like so:

Model

public class FooViewModel
{
  [AllowHtml]
  public string Description { get; set; }
}

View

@using (Html.BeginForm("EditDescription", "Foo", FormMethod.Post))
{
    @Html.AntiForgeryToken();

    <input type="hidden" value="@(Model != null && Model.Item1 != null ? Model.Item1 : string.Empty)" name="fooId" />

    <p>
        <textarea name="Description" cols="100" id="Description">
            @(Model != null && Model.Item2 != null ? Model.Item2 : string.Empty)
        </textarea>
    </p>

    <p><input type="submit" value="Submit" /></p>
}

@section Scripts {
    @Scripts.Render("~/bundles/nicEdit")

    <script type="text/javascript">
        bkLib.onDomLoaded(function()
        {
            new nicEditor({fullPanel : true}).panelInstance('Description');
        });
    </script>
}

Controller

public class FooController : Controller
{
  public ActionResult EditDescription(string fooId)
  {
    if (Request.HttpMethod == "POST")
    {
      using (var context = new ApplicationDbContext())
      {
        var foo = context.Foos
                     .SingleOrDefault(f => f.Id == fooId);

        // I get the HttpRequestValidationException here
        foo.Description = Request["Description"];
        context.SaveChanges();

        return RedirectToAction("MyProfile");
      }
    }

    // GET request: render the edit form
    return View();
  }
}

Still, I get a request validation exception. I even tried annotating the entire action method with ValidateInput(false) since the View has only one field, which is the single property on the model, but I still keep getting the exception.

I cleared the ASP.NET temporary files and folders cache, cleaned and rebuilt my solution all to no avail.

Water Cooler v2
  • There are so many fundamentals wrong with your basic code. You shouldn't be using Request.HttpMethod and instead should be using [HttpPost and Httpget](http://stackoverflow.com/questions/5332275/httppost-vs-httpget-attributes-in-mvc-why-use-httppost). Secondly you aren't using binding to send back a model so your attribute is pretty much useless. – Erik Philips Oct 13 '15 at 16:36
  • @ErikPhilips I am mindful of all of them. I've been using MVC since its version 1. This particular action and its entire flow I did in a hurry and after a mutual agreement with the client that we'd come back to it to fix it and now is the time. I fixed it after your comment by separating actions for each method and actually posting back to a model. I just didn't realize (as you infer) the correlation between request validation and not having separate methods for each HTTP request. – Water Cooler v2 Oct 15 '15 at 07:46

1 Answer

Update your code to use the non-validated version of the string, like below:

foo.Description = Request.Unvalidated["Description"];

There is a good read about how request validation has evolved with MVC and why the input validation attribute is not working: http://weblogs.asp.net/imranbaloch/understanding-request-validation-in-asp-net-mvc-3

Sam.C
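The alternative raised in the comments, shown as an added example that is not code from the question or the answer: a separate `[HttpPost]` action that binds `FooViewModel`, so `[AllowHtml]` is actually consulted, and that sanitizes the HTML before storing it, because request validation no longer screens the field. `FooId` and the `IHtmlSanitizer` interface are hypothetical names; the example assumes the application's dependency resolver supplies the sanitizer and reuses the question's `ApplicationDbContext` and `Foos`.

```csharp
using System.Linq;
using System.Web.Mvc;

// FooViewModel from the question, extended with the posted hidden field (hypothetical FooId).
public class FooViewModel
{
    public string FooId { get; set; }

    [AllowHtml] // consulted only when the model binder populates this property
    public string Description { get; set; }
}

// Hypothetical abstraction: back it with an allow-list HTML sanitizer of your choice.
public interface IHtmlSanitizer
{
    string Sanitize(string html);
}

public class FooController : Controller
{
    private readonly IHtmlSanitizer _sanitizer;

    // Assumption: a dependency resolver is configured to provide IHtmlSanitizer.
    public FooController(IHtmlSanitizer sanitizer)
    {
        _sanitizer = sanitizer;
    }

    [HttpPost]
    [ValidateAntiForgeryToken] // pairs with @Html.AntiForgeryToken() in the view
    public ActionResult EditDescription(FooViewModel model)
    {
        using (var context = new ApplicationDbContext())
        {
            var foo = context.Foos.SingleOrDefault(f => f.Id == model.FooId);
            if (foo == null)
            {
                return HttpNotFound();
            }

            // Raw HTML reaches this point unscreened, so reduce it to an
            // allow-list of tags and attributes before it is stored.
            foo.Description = _sanitizer.Sanitize(model.Description ?? string.Empty);
            context.SaveChanges();
        }

        return RedirectToAction("MyProfile");
    }
}
```

The same sanitizing step applies if the value is read through `Request.Unvalidated["Description"]`, since both routes skip request validation for that field.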