Request Validation with ASP.Net MVC 5

Question

In the past, I've been accustomed to being able to use request validation as a first line of defense for XSS.

However, I don't seem to be able to get the validation to kick in.

<httpRuntime requestValidationMode="4.5"/>

<configuration>
    <system.web>
        <pages validateRequest="true" />
    </system.web>
</configuration>

Regardless of this configuration, errors are not thrown and validation is not being run. Is there some other global way to enable/disable validation that I am missing?

As in request validation is not triggering when a form is posted to the controller. — ddango, Nov 22 '16 at 22:51
So in C# code, not javascript. Ok where is your model, can wee see it? — CodingYoshi, Nov 22 '16 at 22:52
To confirm, you're not using any of the newfangled OWIN/Katana stuff, but "classic" IIS-hosted application? — Dai, Nov 22 '16 at 22:55

score 1 · Answer 1 · answered Apr 25 '18 at 08:13

There are enhancements added to request validation starting with ASP.NET 4.5 that include deferred ("lazy") validation, the ability to opt-out at the server control level, and the ability to access unvalidated data. In order to leverage these enhancements you will need to ensure that requestValidationMode has been set to "4.5"

web.config:

<configuration>
  <system.web>
    <httpRuntime requestValidationMode="4.5"/>
  </system.web>
</configuration>

from: https://www.owasp.org/index.php/ASP.NET_Request_Validation

Request Validation with ASP.Net MVC 5

1 Answers1