Home/ Questions/Q 6058233
In Process

The Archive Base Latest Questions

Editorial Team
  • 0
Asked: 2026-05-23T08:34:38+00:00

In my custom model binder I use bindingContext.ValueProvider.GetValue(propertyName); I do have [ValidateInput(false)] on the

  • 0

In my custom model binder I use

bindingContext.ValueProvider.GetValue(propertyName);

I do have [ValidateInput(false)] on the action. However the GetValue call above results in

A potentially dangerous Request.QueryString value was detected from the client

How do I make my custom model binder get the unvalidated value from the value provider? Of course when it finds that there’s ValidateInput(false) on the action.

Share

Leave an answer

You must login to add an answer.

Need An Account,

1 Answer

  1. Editorial Team

    Just in case someone is curious, here’s a quick solution. Just call CheckUnvalidated() in BindModel/BindProperty methods. This will replace default QueryStringValueProvider with the unvalidated version.

      MethodInfo GetActionMethod(ControllerContext controllerContext)
  {
     var action = controllerContext.RouteData.Values["action"] as string;
     return controllerContext.Controller.GetType().GetMethods().FirstOrDefault(x => x.Name == action ||
        x.GetCustomAttribute<ActionNameAttribute>().SafeGet(a => a.Name) == action);
  }

  void CheckUnvalidated(ControllerContext controllerContext, ModelBindingContext bindingContext)
  {
     var method = GetActionMethod(controllerContext);
     if (method == null)
        return;
     if (method.GetCustomAttribute<ValidateInputAttribute>().SafeGet(x => x.EnableValidation, true))
        return;
     var collection = bindingContext.ValueProvider as ValueProviderCollection;
     if (collection == null)
        return;
     var old = collection.OfType<QueryStringValueProvider>().FirstOrDefault();
     if (old != null)
        collection.Remove(old);
     collection.Add(new UnvalidatedQueryStringValueProvider(controllerContext));
  }

  class UnvalidatedQueryStringValueProvider : NameValueCollectionValueProvider
  {
     public UnvalidatedQueryStringValueProvider(ControllerContext controllerContext)
        : base(controllerContext.HttpContext.Request.Unvalidated().QueryString, CultureInfo.InvariantCulture)
     {
         }
  }
    • 0