If I have a controller:
[HttpPost]
public ReturnType ControllerMethod(CustomModel c)
{
...
}
A third party is posting data to this method:
abc-xyz=testdata
One way would be to use:
Request.Params["abc-xyz"]
However, in the case where the Request could contain malicious code, if any Request Parameter contained some problematic code, IIS would throw an HttpRequestValidationException as soon as Request.Params[""] is called.
Now, rather than turn off that validation everywhere, I’d like to map the posted data to my model. That way, if the “potentially malicious code” is contained in any parameter that isn’t “abc-xyz”, my application won’t throw an HttpRequestValidationException. It will, however, check the used parameters, and throw an HttpRequestValidationException if the accessed data is potentially malicious.
How do I do that if the posted data has a dash/hyphen in the name?
I’ve tried a few variations including:
public class CustomModel
{
    [Required]
    public string abc_xyz { get; set; }
}
You should write your own ModelBinder in this case that transforms the values from the request into the ones needed for CustomModel.
To overcome the request validation, you can turn it off with the ValidateInputAttribute on your controller action.
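A custom binder of the kind this answer describes, as an added example that is not code from the original posts. It assumes ASP.NET MVC (System.Web.Mvc); the names CustomModelBinder and ThirdPartyController and the error text are hypothetical.

```csharp
using System.Web.Mvc;

public class CustomModel
{
    public string abc_xyz { get; set; }
}

// Hypothetical binder: maps the posted "abc-xyz" field onto CustomModel.abc_xyz.
public class CustomModelBinder : IModelBinder
{
    private const string PostedKey = "abc-xyz";

    public object BindModel(ControllerContext controllerContext,
                            ModelBindingContext bindingContext)
    {
        // Read only the one key this model needs. Any
        // HttpRequestValidationException raised while reading it is
        // left to propagate rather than being swallowed here.
        ValueProviderResult result = bindingContext.ValueProvider.GetValue(PostedKey);
        string value = result == null ? null : result.AttemptedValue;

        // Record the raw value so ModelState reflects what was posted.
        if (result != null)
            bindingContext.ModelState.SetModelValue(PostedKey, result);

        // A hand-written IModelBinder does not run the [Required]
        // data-annotation check, so enforce the rule explicitly.
        if (string.IsNullOrWhiteSpace(value))
            bindingContext.ModelState.AddModelError(PostedKey, "abc-xyz is required.");

        return new CustomModel { abc_xyz = value };
    }
}

public class ThirdPartyController : Controller
{
    [HttpPost]
    public ActionResult ControllerMethod(
        [ModelBinder(typeof(CustomModelBinder))] CustomModel c)
    {
        // Reject the post when the binder recorded an error.
        if (!ModelState.IsValid)
            return new HttpStatusCodeResult(400);

        return Content("ok");
    }
}
```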