Input <abc into a textbox ASP.net MVC 2

I'm writing a hello world example using ASP.net MVC 2 framework with two text boxes for username and password field.

    <form action=/Home/Index method="post">
        <input type="text" id="UserName" name="UserName" maxlength="100" tabindex="1" autocomplete="off"/>
        <input type="password" id="Password" name="Password" maxlength="15" tabindex="2" autocomplete="off"/>
        <input type="submit" value="submit" />
    </form>

When I input into username field, I get this message

A potentially dangerous Request.Form value was detected from the client (Email=" Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: . After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in开发者_StackOverflow中文版 the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (Email="

Someone please tell me how to fix it, it appears sending request is not redirected to my controller yet. Thank you much!

The built-in input validation is throwing an exception because of the < character, which could potentially be used in cross-site scripting attacks, etc. Thus, it's intercepting the request and throwing the error before anything gets to your controller just to be on the safe side.

This isn't limited to just the MVC framework, it's an overall ASP .NET thing. There's a pretty good question with some pretty good answers about it here.

A few pointers:

First try running the site as as .NET 2.0 rather than 4.0. Are you using IISExpress? If so there is a switch to set the CLR to version 2. see here:

http://learn.iis.net/page.aspx/870/running-iis-express-from-the-command-line/

Next the system will always look for HTML chars in the posted data as this is an indication of cross site scripting attacks. If you expect these values to contain HTML chars then you can add an exception on the controller action like so:

[ValidateInput(false)]
public ActionResult ActionName(ModelType model)
{
   ....

  return View();
}