Home/ Questions/Q 718083
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-14T05:29:10+00:00

I have installed VS2010 and MVC2 and testing a simple form using tinyMCE. When

  • 0

I have installed VS2010 and MVC2 and testing a simple form using tinyMCE. When I post the contents of the textarea in tinyMCE I get the dreaded YSD and the message

“a potentially dangerous…..”

I’ve seen this before so I put the ValidateInput(false) on the controller but no joy – I still get the error.

page code in edit.aspx is:

    <% using (Html.BeginForm()){ %>

    <!-- Gets replaced with TinyMCE, remember HTML in a textarea should be encoded -->
    <textarea id="elm1" name="mceText" rows="15" cols="80" style="width: 80%">
        &lt;p&gt;
            This is some example text that you can edit inside the
  &lt;strong&gt; TinyMCE editor&lt;/strong&gt;.
    </textarea>

    <br />
    <input type="submit" name="save" value="Submit" />
    <input type="reset" name="reset" value="Reset" />
<%} %>

and Controller action is:

    [AcceptVerbs(HttpVerbs.Post)]
    [ValidateInput(false)]
    public ActionResult Edit(string mceText)
    {

        return View();
    }

Any thoughts – (I know the code is not complete) been trying this for hours but everyone just says to use ValidateInput(false)

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    This is why: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc256770147

    The request validation feature in ASP.NET provides a certain level of
    default protection against cross-site scripting (XSS) attacks. In
    previous versions of ASP.NET, request validation was enabled by
    default. However, it applied only to ASP.NET pages (.aspx files and
    their class files) and only when those pages were executing.

    In ASP.NET 4, by default, request validation is enabled for all
    requests, because it is enabled before the BeginRequest phase of an
    HTTP request. As a result, request validation applies to requests for
    all ASP.NET resources, not just .aspx page requests. This includes
    requests such as Web service calls and custom HTTP handlers. Request
    validation is also active when custom HTTP modules are reading the
    contents of an HTTP request.

    As a result, request validation errors might now occur for requests
    that previously did not trigger errors. To revert to the behavior of
    the ASP.NET 2.0 request validation feature, add the following setting
    in the Web.config file:

    <httpRuntime requestValidationMode="2.0" />

    However, we recommend that you analyze any request validation errors
    to determine whether existing handlers, modules, or other custom code
    accesses potentially unsafe HTTP inputs that could be XSS attack
    vectors.

    • 0