ValidateInput(false) doesn't seem to work when running under IIS

When I run my ASPNet MVC 2 Preview 1 website under VS dev server, it works just fine when I do a form post with Form Method "Get" - the form has a textbox with text that has angle brackets (for ex: "i < 10;")

However under IIS, when the same form is posted (using Method "Get"), I get a 404 page not found.

The resource cannot be found.

Description: HTTP 404. The resource you are looking for (or one of its dependencies) could have been removed, had its name changed, or is temporarily unavailable.  Please review the following URL and make sure that it is spelled correctly. 

Requested URL: /Rejected-By-UrlScan

Searched all over the web, nothing that helped solve the issue.

Yes, I do have

  1. ValidateRequest="false" set on Views->Web.config, Main Web.Config
  2. ValidateInput(false) attribute set on the Controller class as well as all the Action methods

None of these 2 options are helping solve the problem.

Any help appreciated

13.10.2009 22:10:28

There's a major clue to the problem right there in your 404 message.

Requested URL: /Rejected-By-UrlScan

UrlScan is a security package that's installed into your IIS server but not into the Visual Studio dev server, which explains why you're only hitting this problem on IIS. You mention having angled-brackets in your post data, so it could be the case that UrlScan is blocking the request because of that, but I'm not familar enough with UrlScan to be sure.

Fiddling with the attributes of your ASP.NET controls may not provide a solution, since UrlScan will be blocking this request before it even reaches ASP.NET.

I can't really offer much more than this (as I say, I'm not really all that familiar with UrlScan, beyond a vague idea of what it is), but if I were you I'd start by googling for UrlScan and finding out how to configure it - or if it has some sort of log that will help you identify exactly why it's blocking this particular request.

EDIT: looks like a good place to start.

17.11.2009 09:33:39

ValidateRequest changes in web.config have no effect in ASP.NET MVC. It's enabled by default and you need to use an attribute to enable/disable it.

See this reference:

13.10.2009 22:15:22
Thanks for responding, please read that I have already tried the ValidateInput attribute, and it doesn't work under IIS
Vin 13.10.2009 22:27:06
IIS isn't a player in this attribute. It's the core ASP.NET engine so that shouldn't matter. Are you deploying it to IIS 6? If so there are considerations you need to make:…
Keith Adler 13.10.2009 22:29:15
I am running it on IIS 5.1 - I meant that the ValidateInput attribute helps when I am running the web under vs dev server, but not under IIS
Vin 13.10.2009 22:39:58
Did you config to deploy it under 5.1?…
Keith Adler 13.10.2009 23:45:41
Yes, exactly as mentioned, clean urls work and everything looks good except this issue
Vin 14.10.2009 14:39:28