Why is ASP.net MVC putting the following in Form.Request

I have a line of code in my view which looks like the following:

<button id="show-Lookup" class="inithide" name="show-Lookup">Lookup&l开发者_JAVA百科t;/button>  

It crashes when it gets sent back to the controller on form submit with the following error: "A potentially dangerous Request.Form value was detected from the client show-Lookup="

When I analyze the the value of show-Lookup in the debugger I see the following: Request.Form["show-Lookup"] Lookup

Where is ASP.net MVC getting this from? This shouldn't have a value?

This has nothing to do with MVC; it's basic HTML. Anything with a name can be considered for inclusion in your form, subject to certain restrictions (see the spec). If you don't want it in the form, get rid of the name.

A <button></button> is submitted with the form. Different browsers treat this slightly differently - IE sends the value of whatever is between the opening and closing tags (the button "content") while other browsers send the value attribute.

Note too that the behavior of your button will vary by browser unless you specify it. In IE (prior to 9?) a <button> element is type "button", while in other browsers it is "submit". (This is the W3C spec, too.)

on contoller add this attribute

 [ValidateInput(false)]

One thing i would like to suggest, just dont use above code if you are not sure of what you are doing. The above code wont let server validate the input it received from form.

That means, if a user in ur form types his name like "alert('hacked')", your controller will receive that value as it is. And if you just add it in DB and displays it some where then its disaster. User may type fully qualified javascript to make ajax requests.

Another way to solve this problem is just remove the attribute name from button, as its not solving any purpose.

Question: When I analyze the the value of show-Lookup in the debugger I see the following: Request.Form["show-Lookup"] Lookup Where is ASP.net MVC getting this from? This shouldn't have a value?

You are seeing this value as you have added the attribute name to button, since you have added the attribute, browser is sending that property too to server.