Request validation is a feature in ASP.NET that examines an HTTP request and determines whether it contains potentially dangerous content. In this context, potentially dangerous content is any HTML markup or JavaScript code in the body, header, query string, or cookies of the request. ASP.NET performs this check because markup or code in the URL query string, cookies, or posted form values might have been added for malicious purposes.
You can disable request validation for an entire application, but doing so is not recommended. To disable request validation in an ASP.NET MVC application, you must change request validation to occur earlier in the sequence of request processing. In the Web.config file, make the following setting:
<system.web>
  <httpRuntime requestValidationMode="2.0" />
</system.web>
In ASP.NET MVC, you can disable request validation for an action method, for a property, or for a field (input element) in a request. If you disable validation for an action method, you disable it for any requests that invoke that method—that is, all user input is allowed for any request that calls the action method. This approach is therefore the least secure way to disable request validation.
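[HttpPost]
[ValidateInput(false)] // Request validation is off for every input to this action.
public ActionResult Edit(string comment)
{
    if (ModelState.IsValid)
    {
        // Etc.
    }
    // Cast to object so the string is passed as the model, not treated as a view name.
    return View((object)comment);
}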
If you disable validation for a property, you allow user input for any reference to that property. To disable request validation for a specific property, mark the property definition with the AllowHtml attribute:
[AllowHtml]
public string Property1 { get; set; }
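The property-level approach in a complete model and action, as an added example that is not part of the original page: only one property accepts markup, and its value is encoded before it is written to a response. The names CommentModel, CommentController, Preview and the "Edit" view are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical view model: request validation is relaxed for Body only.
public class CommentModel
{
    // Still request-validated: markup posted here is rejected during model binding.
    public string Author { get; set; }

    // Markup is accepted here, so the value must be treated as untrusted.
    [AllowHtml]
    public string Body { get; set; }
}

public class CommentController : Controller
{
    // No [ValidateInput(false)]: the action keeps validation on for all other input.
    [HttpPost]
    public ActionResult Preview(CommentModel model)
    {
        if (!ModelState.IsValid)
        {
            // "Edit" is an assumed view name for redisplaying the form.
            return View("Edit", model);
        }

        // Encode at output so the accepted markup is displayed as text,
        // not interpreted by the browser.
        string encodedBody = HttpUtility.HtmlEncode(model.Body ?? string.Empty);
        return Content(encodedBody, "text/html");
    }
}
```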