Imagine you need to make a web page in which you can edit HTML and send it back to the server (an html editor), so you place the input and when you submit the form, the famous “A potentially dangerous Request.Form value was detected from the client” error rises, so you try the old way and you set the input validation to false in the page.

Now imagine you’re using MVC, you are using controllers and views, not pages, and you want to disable the validation only on the specific controller that handles the editing.

You have to decorate the action method with the “ValidateInput” attribute this way:

[ValidateInput(false)]
public ActionResult Edit(ModelEdit mod) {…}

So you’re telling that this specific action should not be using the default validation (instead of all the controller). You try it and it does not work!.

It seems that the validation lyfecicle has changed in beta2 of the ASP.NET 4.0 runtime: http://www.asp.net/(S(ywiyuluxr3qb2dfva1z5lgeg))/learn/whitepapers/aspnet4/breaking-changes/#_TOC4

So to correct it you have to edit your web.config file and add the line in the <system.web> section:

<httpRuntime requestValidationMode="2.0"/>

Hope it helps!