When I run my ASPNet MVC 2 Preview 1 website under VS dev server, it works just fine when I do a form post with Form Method "Get" - the form has a textbox with text that has angle brackets (for ex: "i < 10;")
However under IIS, when the same form is posted (using Method "Get"), I get a 404 page not found.
The resource cannot be found. Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable. Please review the following URL and make sure that it is spelled correctly. Requested URL: /Rejected-By-UrlScan
Searched all over the web, nothing that helped solve the issue.
Yes, I do have
- ValidateRequest="false" set on Views->Web.config, Main Web.Config
- ValidateInput(false) attribute set on the Controller class as well as all the Action methods
None of these 2 options are helping solve the problem.
Any help appreciated
There's a major clue to the problem right there in your 404 message.
Requested URL: /Rejected-By-UrlScan
UrlScan is a security package that's installed into your IIS server but not into the Visual Studio dev server, which explains why you're only hitting this problem on IIS. You mention having angled-brackets in your post data, so it could be the case that UrlScan is blocking the request because of that, but I'm not familar enough with UrlScan to be sure.
Fiddling with the attributes of your ASP.NET controls may not provide a solution, since UrlScan will be blocking this request before it even reaches ASP.NET.
I can't really offer much more than this (as I say, I'm not really all that familiar with UrlScan, beyond a vague idea of what it is), but if I were you I'd start by googling for UrlScan and finding out how to configure it - or if it has some sort of log that will help you identify exactly why it's blocking this particular request.
EDIT: http://learn.iis.net/page.aspx/473/using-urlscan looks like a good place to start.
ValidateRequest changes in web.config have no effect in ASP.NET MVC. It's enabled by default and you need to use an attribute to enable/disable it.
See this reference: