I'm building a Content Management System to allow people other than me to update stuff on the site.
I have a front-facing HTML form that sends data, via AJAX, to a
Just put [ValidateInput(false)] on the controller.
Try with this:
// CONTROLLER
[HttpPost]
public ActionResult CarAJAX(CarAdmin model)
{
    model.UpdateCar();
    return Json(new { ok = true }); // an ActionResult method must return a result
}
// MODEL
using System;
using System.Data.SqlClient;
using System.Web;
using System.Web.Mvc;
namespace Site.Models
{
    public class CarAdmin
    {
        private string html;
        public String id { get; set; }
        [AllowHtml]
        public String HTML_Stuff {
            get
            {
                return html;
            }
            set
            {
                // sanitation and validation on "value"
                html = value;
            }
        }
        public CarAdmin(){}
        public void UpdateCar()
        {
            // Parameterised command: the HTML and the id are passed as parameters,
            // never concatenated into the SQL text
            var cmd = new SqlCommand("UPDATE Car SET HTML_Stuff = @html WHERE id = @id");
            cmd.Parameters.AddWithValue("@html", HTML_Stuff);
            cmd.Parameters.AddWithValue("@id", id);
            // Execute DB Command (attach a connection and call cmd.ExecuteNonQuery())
        }
    }
}
I also noticed that you are validating inside a method. It would probably be better if you did that when setting the property.
EDIT:
I researched quite a bit on the topic. You actually need to bind the model to the controller using AJAX. Please look at this example. I'm not sure of the extent of your code, but I think you also need ActionResult to return within the controller. There are nice examples of what to return from ActionResult.
You should do it as follows.
Create a separate class with the entities that are required:
public class EntityDto {
    public String id { get; set; }
    [AllowHtml]
    public String HTML_Stuff { get; set; }
}
And then use it in your controller method:
[ValidateInput(false)]
public void UpdateCar(EntityDto model)
{
    var html_stuff = model.HTML_Stuff;
    // sanitation and validation
    // Parameterised command: values are bound as parameters, not formatted into the SQL text
    var cmd = new SqlCommand("UPDATE Car SET HTML_Stuff = @html WHERE id = @id");
    cmd.Parameters.AddWithValue("@html", html_stuff);
    cmd.Parameters.AddWithValue("@id", model.id); // id comes from the bound model
    // Execute DB Command
}
Let me know if it helps.
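Pulling together the two answers above (sanitise when the property is set, and bind a dedicated class carrying [AllowHtml]), here is an added example that is not code from any of the posters. It assumes the HtmlSanitizer NuGet package (namespace Ganss.XSS; version 7 and later use Ganss.Xss), a numeric id column, and a connection string named "Site" in web.config.

```csharp
using System.Configuration;
using System.Data.SqlClient;
using System.Web.Mvc;
using Ganss.XSS; // HtmlSanitizer NuGet package (assumed); v7+ moved it to Ganss.Xss

namespace Site.Models
{
    public class CarAdmin
    {
        // Allow-list sanitiser: tags, attributes and URL schemes outside the list are dropped,
        // so <script>, on* handlers and javascript: links never reach the database.
        private static readonly HtmlSanitizer Sanitizer = BuildSanitizer();
        private static HtmlSanitizer BuildSanitizer()
        {
            var s = new HtmlSanitizer();
            s.AllowedTags.Clear();
            s.AllowedTags.UnionWith(new[] { "p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a" });
            s.AllowedAttributes.Clear();
            s.AllowedAttributes.Add("href");
            s.AllowedSchemes.Clear();
            s.AllowedSchemes.Add("https");
            return s;
        }
        private string html = "";
        public int id { get; set; } // numeric id (assumption): the model binder rejects non-numeric input
        [AllowHtml] // request validation is skipped for this one property, not the whole action
        public string HTML_Stuff
        {
            get { return html; }
            set { html = Sanitizer.Sanitize(value ?? ""); } // sanitised once, when the model is bound
        }
        public void UpdateCar()
        {
            var cs = ConfigurationManager.ConnectionStrings["Site"].ConnectionString; // name assumed
            using (var conn = new SqlConnection(cs))
            using (var cmd = new SqlCommand("UPDATE Car SET HTML_Stuff = @html WHERE id = @id", conn))
            {
                cmd.Parameters.AddWithValue("@html", html); // values are parameters, never SQL text
                cmd.Parameters.AddWithValue("@id", id);
                conn.Open();
                cmd.ExecuteNonQuery();
            }
        }
    }
}
```

The action that binds this class should be marked [HttpPost] and [ValidateAntiForgeryToken] (with the AJAX caller sending the token) and check ModelState.IsValid before calling UpdateCar, so [ValidateInput(false)] on the whole controller is not needed.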
I had the same problem. requestValidationMode="2.0" was set in web.config, [AllowHtml] was also set on the proper property, and I still got the error "A potentially dangerous Request.Form value detected...".
But I observed that the controller method actually was called (I was able to debug the method), so this had to mean that validation was in fact turned off. In the call stack I noticed repeated occurrences of cache-related classes like "System.Web.Caching.OutputCacheModule", and this led me to the idea that it had something to do with the cache I had turned off on the whole controller like this: [OutputCache(NoStore = true, Duration = 0)].
Based on this I tried to also set the Location of the cache to OutputCacheLocation.None, and this did the trick. So I ended up with [OutputCache(NoStore = true, Duration = 0, Location = OutputCacheLocation.None)] working, finally not validating and not failing my requests.