I'm using ASP.NET WebForms (.NET 4.5) and have a "content block" control, which is reused on a number of pages. I've tried setting the ValidateRequestMode of the control and even individual elements to "Disabled", but the request validation coming from web.config still prevents unsafe input.
Is there a way around this or am I doing something wrong?
Example:
I just solved this same problem for a site with the code below, after a morning of trial and error - Microsoft's documentation on the new Request Validation process seems to be wrong when it comes to WebForms.
Target .NET 4.5 in the web.config like this:
<httpRuntime targetFramework="4.5" requestValidationMode="4.5" />
And then add ValidateRequestMode="Disabled" to the input controls themselves, i.e.:
<asp:textbox id="myControl" runat="server" ValidateRequestMode="Disabled"/>
If you are accessing POST data directly (as opposed to via myControl.Text), you will also need to bypass validation at that point:
Request.Unvalidated.Form["myControl"];
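With validation disabled for a field, its value reaches the code-behind raw and has to be encoded when it is written back into a page. The following C# is an added example, not code from the answer above: the class name ContentBlock and the controls titleBox, saveButton and preview are hypothetical, and it assumes the text box lives inside a user control, where the posted form key is the control's UniqueID rather than its bare ID.

```csharp
using System;
using System.Web.Security.AntiXss;
using System.Web.UI;

// Hypothetical code-behind for the reusable "content block" user control.
// Assumed .ascx markup (every name except myControl is made up for this example;
// the control fields themselves are declared by the generated designer file):
//   <asp:TextBox ID="myControl" runat="server" TextMode="MultiLine"
//                ValidateRequestMode="Disabled" />
//   <asp:TextBox ID="titleBox" runat="server" />
//   <asp:Button  ID="saveButton" runat="server" Text="Save" OnClick="SaveButton_Click" />
//   <asp:Literal ID="preview" runat="server" />
public partial class ContentBlock : UserControl
{
    protected void SaveButton_Click(object sender, EventArgs e)
    {
        // Read through the control: not validated, because the control
        // itself carries ValidateRequestMode="Disabled".
        string raw = myControl.Text;

        // Read straight from the POST body: Request.Form[...] would still
        // validate this field and throw, so go through Request.Unvalidated.
        // Inside a user control the key is the UniqueID, not "myControl".
        string rawFromPost = Request.Unvalidated.Form[myControl.UniqueID];

        // titleBox keeps the default mode. A post with markup in that field
        // is rejected with HttpRequestValidationException while the page
        // loads post data, before this handler runs.
        string title = titleBox.Text;

        // Both raw values may contain markup or script. Encode at the point
        // of output; a Literal in its default mode writes text unencoded.
        preview.Text =
            "<h3>" + AntiXssEncoder.HtmlEncode(title, false) + "</h3>" +
            "<pre>" + AntiXssEncoder.HtmlEncode(rawFromPost ?? raw, false) + "</pre>";
    }
}
```

If the content block is meant to render the submitted markup as HTML rather than show it as text, encoding is not enough and the value needs an allowlist-based HTML sanitizer before it is stored or displayed.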