In MVC, validation takes place at the controller level, not at the page level. To see why this is, consider that at the time the controller action is executing, we don’t know what view will be chosen to render. (In fact, the controller action might not even render a view at all! It might open a file download prompt on the client instead.) Additionally, if a user is submitting malicious input to the server, by the time the view is rendered it’s too late to do anything about it. The controller already will have committed the dangerous input to the database.
Instead, please decorate the controller or action with the attribute [ValidateInput(false)]. This will cause us to suppress request validation for that controller or action.