Search code examples
asp.netasp.net-mvc-2asp.net-mvc-3request-validation

ASP.NET MVC2 on .NET 4.0: is [ValidateInput(false)] enough?

Good day!

I plan to upgrade my ASP.NET MVC 2 application to .NET 4.0, and have a couple of questions:

  1. Is having [ValidateInput(false)] on action enough to accept HTML, or I need to set <httpRuntime requestValidationMode="2.0"/> as described here: ASP.NET 4 Breaking Changes

  2. How it will work if I upgrade ASP.NET MVC to version 3 (in addition to uprading to .NET 4.0)?

Thanks in advance!

Solution
    1. You need to set <httpRuntime requestValidationMode="2.0"/> as well in ASP.NET 4.0.

    2. The same as in ASP.NET MVC 2 (.NET 4.0) but in addition you have more fine grained control with the [AllowHtml] attribute which could be placed on a single property of your view model instead of disabling validation for the entire request:

      public class MyViewModel
{
    [AllowHtml]
    public string SomeHtmlProperty { get; set; }

    public string SomeOtherProperty { get; set; }
}

    and have a controller action like this:

    [HttpPost]
public ActionResult Update(MyViewModel model) { ... }