How to avoid HttpRequestValidationException in ASP.NET MVC rendering the same view which caused the exception

Solution 1

With the latest version of ASP.NET MVC (the RC, at the time of writing this) you can just put an attribute on either your controller class or your action method, e.g.:

[ValidateInput(false)]
public ActionResult create()
{
    // ...method body
}

The ValidateInputAttribute is in System.Web.Mvc.

But as others have said, you do then have to perform your own manual input validation or cleaning.

Using MVC 3, you must also ensure this is in your Web.config: <system.web><httpRuntime requestValidationMode="2.0" /></system.web>

Solution 2

In ASP MVC 3 you can use the [AllowHtml] attribute on individual fields/properties in your Model/ViewModel to turn off validation for just that field, which is pretty nice. I will add this attribute to certain fields in my model, and then use the excellent AntiXSS library (also available via NuGet) to sanitize the user input by calling the Sanitizer.GetSafeHtmlFragment(mymodel.Description) (where the "Description" property is a string property on my view model, that has the [AllowHtml] attribute applied)

Solution 3

For a very detailed example of how to catch this (and other) exceptions with a filter see: http://code.google.com/p/geochat/source/browse/Source/Web/GeoChat.MvcExtensions/ExceptionHandlerAttribute.cs

This will allow you to keep the validation on, but prevent the user from seeing the "yellow screen of death".

This is a simplified (perhaps oversimplified) version:

[AttributeUsage(AttributeTargets.Method | AttributeTargets.Class, Inherited = true, AllowMultiple = true), AspNetHostingPermission(SecurityAction.LinkDemand, Level = AspNetHostingPermissionLevel.Minimal)]
public class ExceptionHandlerAttribute : FilterAttribute, IExceptionFilter {

private HandleErrorAttribute attribute = new HandleErrorAttribute();

public ExceptionHandlerAttribute() {
  this.ExceptionType = typeof(Exception);
  this.Order = 1;
}

public string View {
  get {
    return attribute.View;
  }
  set {
    attribute.View = value;
  }
}

public Type ExceptionType {
  get {
    return attribute.ExceptionType;
  }
  set {
    attribute.ExceptionType = value;
  }
}

public void OnException(ExceptionContext filterContext) {
  if (this.ExceptionType.IsInstanceOfType(filterContext.Exception)) {
    string controller = (string)filterContext.RouteData.Values["controller"];
    string action = (string)filterContext.RouteData.Values["action"];
    if (controller == null)
      controller = String.Empty;

    if (action == null)
      action = String.Empty;

    HandleErrorInfo model = new HandleErrorInfo(filterContext.Exception, controller, action);
    ViewResult result = new ViewResult();
    result.ViewName = this.View;
    result.MasterName = String.Empty;
    result.ViewData = new ViewDataDictionary<HandleErrorInfo>(model);

    result.TempData = filterContext.Controller.TempData;
    filterContext.Result = result;

    filterContext.ExceptionHandled = true;
    filterContext.HttpContext.Response.Clear();
    filterContext.HttpContext.Response.StatusCode = 500;
  }
}

}

Author by

eKek0

I'm a software developer living in Santiago del Estero, one of the smallest towns in Argentina. I'm also a system analyst, and program in Delphi and ASP.NET with C#. Currently, I'm working in a bank developing in-house software.

Updated on September 24, 2020