A potentially dangerous Request.Form value was detected from the client
The runtime throws this error when you try to enter content that looks like HTML tags in a form. These tags are not inherently dangerous; they are only dangerous in a specific context. They can be an indication of a cross-site scripting attack, which is why ASP.NET does not allow them by default. You can't filter random input for dangerous characters, because any character may be dangerous under the right circumstances.
However, you may sometimes want to allow your users to post HTML tags. You might just want to allow users to use characters such as ">", or it might be because you're implementing development functionality and want to support tags like <h1>, <div>, etc. What you can do is encode at the point where specific characters may become dangerous, that is, where they cross into a different sub-language in which they have special meaning.
The solution for this error is either to HTML encode the input before submitting it, or to disable request validation and potentially expose yourself to XSS. For example, you need to set ValidateRequest="false" in the @Page directive of your .aspx file(s). But remember that this can expose your site to cross-site scripting attacks.
C# sample: Visual Basic sample:
The ValidateInput attribute can be applied to a Controller's Action method, and it will disable ASP.NET MVC's request validation only for that particular Action method.
Another way is to add the [AllowHtml] attribute to the property in your model that requires HTML. It allows a request to include HTML markup during model binding by skipping request validation for that property.
The scope is limited to a specific property of the Model class. It is the safe and recommended solution.
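The following added example (not code from the original page) combines the two ideas above: [AllowHtml] scoped to a single model property, and encoding the untrusted value at each point where it crosses into a different sub-language. The names CommentModel, CommentController, Preview and the /search?q= route are hypothetical.

```csharp
using System.Web;
using System.Web.Mvc;

// Hypothetical model: only Body skips request validation.
public class CommentModel
{
    public string Title { get; set; }   // still request-validated

    [AllowHtml]
    public string Body { get; set; }    // may contain markup; treat as untrusted
}

public class CommentController : Controller
{
    [HttpPost]
    public ActionResult Preview(CommentModel model)
    {
        if (model == null || model.Body == null)
            return new HttpStatusCodeResult(400, "Body is required");

        string title = model.Title ?? string.Empty;
        string body = model.Body;

        // Same untrusted value, four output contexts, four encoders.
        string html =
            // HTML element content
            "<h2>" + HttpUtility.HtmlEncode(title) + "</h2>" +
            // Quoted HTML attribute value, then element content
            "<p title=\"" + HttpUtility.HtmlAttributeEncode(body) + "\">" +
                HttpUtility.HtmlEncode(body) + "</p>" +
            // URL query-string value (hypothetical route)
            "<a href=\"/search?q=" + HttpUtility.UrlEncode(body) + "\">Search</a>" +
            // JavaScript string literal inside a script block
            "<script>var draft = \"" +
                HttpUtility.JavaScriptStringEncode(body) + "\";</script>";

        return Content(html, "text/html");
    }
}
```

In a Razor view, `@Model.Body` HTML-encodes automatically, while `@Html.Raw(Model.Body)` writes the value unencoded and brings back the XSS exposure that request validation was guarding against.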
If you are using .NET 4.0, make sure you add the following tag in your web.config file inside the <system.web> tags:
Also, you can disable request validation entirely by specifying: