ASP.NET MVC Tip #48 – Disable Request Validation

By default, the ASP.NET MVC framework prevents you from submitting form data that contains potentially malicious content. This feature is called request validation. This is a good feature. You don't want people sneaking scripts into your website that can steal passwords or other sensitive user information. Normally, you want to leave request validation enabled. Unlike a Web Forms application, you cannot disable request validation by using the <%@ Page ValidateRequest=”false” %> directive. You also cannot disable request validation in the web configuration (web.config) file. If you want to disable request validation then you must use the [ValidateInput] attribute. You apply the [ValidateInput] attribute to the controller action that accepts the form input.