Facebook C# SDK on ASP.NET MVC 3, Potentially dangerous request

The standard "Potentially dangerous request" is expected, resolve it with [ValidateInput(false)] or something more granular if you wish.

In my case, it happens when I make a call to FbApp.Session. I have a BaseController that all Controllers derive from. In there is an override OnActionExecuting call. Pretty common scenario.

Inside of OnActionExecuting, I use the Facebook C# SDK to manage my use membership. Using if (FbApp.Session != null) is how I check if the user is authenticated.

While running the debugger, it points to the call to FbApp.Session as the source of the exception stating "A potentially dangerous request...", due to HTML in one of the posted request vars - even开发者_JS百科 though the actual action I'm posting to has [ValidateInput(false)] attribute.

What is going on inside the Facebook C# SDK that would cause this behavior? How can this be resolved?

Edit: looks like this could be a bug in ASP.NET MVC 3 RC2 (I haven't upgraded to full release yet). I'll upgrade and report my findings.

---

The answer is, make sure you're on ASP.NET MVC3 RTM, and have <httpRuntime requestValidationMode="2.0" /> in web.config.