I’m working on a project with Castle MonoRail, and got stuck on a problem for several hours. After a lot of useless reflecting and forum trolling, I eventually narrowed it down to a breaking change in ASP.NET 4.0.
Short answer: ASP.NET 4.0 validates every request by default, which means it can ignore your overriding @Page directive validateRequest="false" or controller [ValidateInput(false)] attributes. Go back to the 2.0 behavior by adding this to your web.config’s system.web configuration section:
<httpRuntime requestValidationMode="2.0" />
I was getting the following exception when submitting a textarea in which the user could enter HTML:
MonoRailException: Error building method arguments.
With the following inner exception:
HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client.
Usually I can get around this by following one of several methods:
- <%@ Page ValidateRequest="false" %> in .aspx-file.
- <pages validateRequest="false" /> in web.config.
- [ValidateInput(false)] on controller’s action (ASP.NET MVC 2).
- [SkipFilter(typeof(RequestValidatorFilter))] on controller’s action (Castle MonoRail)
But none of this stopped the exception.
Finally I narrowed it down to a breaking change in ASP.NET 4.0, found here: http://www.asp.net/learn/whitepapers/aspnet4/breaking-changes#0.1__Toc245724857
The solution? Go back to the 2.0 behavior by adding this to your web.config’s system.web configuration section:
<httpRuntime requestValidationMode="2.0" />
After you do this, you can use any of the existing options for overriding the default .NET behavior for validating requests.
BEWARE! Only do this if you’re aware of the consequences. You could be making your site vulnerable by following these instructions!
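One way to limit the exposure that warning refers to, shown as an added example that is not from the original post: keep the 4.0 default for the whole site and fall back to the 2.0 behavior only for the one URL that has to accept HTML, using a location element. The path "articles/edit.rails" is a hypothetical placeholder, and the example assumes your application's URLs can be matched by a location path.

```xml
<?xml version="1.0"?>
<configuration>
  <!-- Site-wide section: leave the ASP.NET 4.0 default in place, so every
       other URL is still validated early in the request pipeline. -->
  <system.web>
    <httpRuntime requestValidationMode="4.0" />
    <pages validateRequest="true" />
  </system.web>

  <!-- Hypothetical path: replace "articles/edit.rails" with the single URL
       that accepts HTML from the user. Only requests under this path fall
       back to the 2.0 behavior, where the per-page or per-action overrides
       listed in the post take effect again. -->
  <location path="articles/edit.rails">
    <system.web>
      <httpRuntime requestValidationMode="2.0" />
    </system.web>
  </location>
</configuration>
```

With this in place you still have to opt out on the specific page or action, and any HTML accepted there should be sanitized or encoded before it is rendered back to other users.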