Is there a way to globally disable XSS validation in MVC (non-core)?
Aka the validation that generates the "A potentially dangerous Request.Form value was detected..." error, and is normally resolved with ValidateInput(false) or AllowHtmlAttribute.
Somehow this got disabled in one of our apps, and of course an audit pinged us for XSS vulnerabilities. This project isn't too old (created under 4.5.2) and as far as I can tell that validation should have been enabled by default, but I can't figure out how they disabled it in order to re-enable it... Things I've checked so far:
- In web.config, the `requestValidationMode` property of `httpRuntime` under `system.web` is not set, so it looks like it should default to 4.5 and be enabled.
- Haven't had any luck finding other web.config settings that affect the XSS validation, and nothing jumps out at me from web.config or its transforms.
- No usage of `ValidateInputAttribute`, and I don't see anything in our custom action filters that should affect it.
- Don't know if it's even possible to apply `AllowHtmlAttribute` globally, but I didn't find any usage of it.
- There is a global model binder, but all it does is trim non-null string inputs.
- Most controllers inherit from a common base class, but it doesn't have attributes or anything else I can see that should affect this.
I'm basically out of ideas, and google/SO searches aren't producing any useful info... any suggestions?
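The checklist in the question can be turned into a repeatable audit. The script below is an added example (not code from the original post) that scans a web.config and C# source for the known switches that weaken ASP.NET (non-Core) request validation: `httpRuntime requestValidationMode` below 4.0, a custom `httpRuntime requestValidationType`, `pages validateRequest="false"` (including copies scoped under `<location>`), and the `[ValidateInput(false)]` / `[AllowHtml]` attributes. The `pages validateRequest` and `requestValidationType` settings are real `system.web` options that go beyond the question's own list; the web.config and C# snippets in the block are constructed samples, and the function names are my own.

```python
"""Audit helper for ASP.NET (non-Core) request validation settings.

Scans web.config XML and C# source text for the switches that weaken or
disable request validation (the "A potentially dangerous Request.Form
value was detected" check). Constructed samples are embedded for the demo.
"""
import re
import xml.etree.ElementTree as ET

# Constructed sample web.config: validation is weakened in three places,
# one of them hidden inside a <location> override for a sub-path.
SAMPLE_WEB_CONFIG = """<?xml version="1.0"?>
<configuration>
  <system.web>
    <httpRuntime targetFramework="4.5.2" requestValidationMode="2.0" />
    <pages validateRequest="false" />
  </system.web>
  <location path="Admin">
    <system.web>
      <pages validateRequest="false" />
    </system.web>
  </location>
</configuration>
"""

# Constructed sample C# source with a per-action and a per-property opt-out.
SAMPLE_CS = """
public class EditorController : BaseController
{
    [HttpPost]
    [ValidateInput(false)]
    public ActionResult Save(PostModel model) { return View(); }
}
public class PostModel
{
    [AllowHtml]
    public string Body { get; set; }
}
"""

# Attribute spellings that opt a controller, action or model property out.
ATTR_PATTERNS = {
    "ValidateInput(false)": re.compile(r"\[\s*ValidateInput\s*\(\s*false\s*\)\s*\]"),
    "AllowHtml": re.compile(r"\[\s*AllowHtml(Attribute)?\s*\]"),
}


def audit_web_config(xml_text):
    """Return (setting, value, scope) tuples for config that weakens validation.

    scope is "(root)" for the top-level system.web block, or the path of the
    enclosing <location> element for per-path overrides.
    """
    findings = []
    root = ET.fromstring(xml_text)
    # ElementTree has no parent pointers, so build a child -> parent map once.
    parent = {child: p for p in root.iter() for child in p}
    for sw in root.iter("system.web"):
        owner = parent.get(sw)
        scope = owner.get("path", "(root)") if owner is not None and owner.tag == "location" else "(root)"
        rt = sw.find("httpRuntime")
        if rt is not None:
            mode = rt.get("requestValidationMode")
            if mode:
                try:
                    if float(mode) < 4.0:  # 2.0 = legacy, pages-only validation
                        findings.append(("httpRuntime/requestValidationMode", mode, scope))
                except ValueError:
                    findings.append(("httpRuntime/requestValidationMode", mode, scope))
            custom = rt.get("requestValidationType")
            if custom:  # a custom RequestValidator may accept anything
                findings.append(("httpRuntime/requestValidationType", custom, scope))
        pages = sw.find("pages")
        if pages is not None and pages.get("validateRequest", "true").strip().lower() == "false":
            findings.append(("pages/validateRequest", "false", scope))
    return findings


def audit_source(cs_text):
    """Return (attribute, line_number) tuples for opt-out attributes in C# source."""
    hits = []
    for n, line in enumerate(cs_text.splitlines(), 1):
        for name, pattern in ATTR_PATTERNS.items():
            if pattern.search(line):
                hits.append((name, n))
    return hits


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print("web.config: %s=%s (scope %s)" % finding)
    for attr, line_no in audit_source(SAMPLE_CS):
        print("source: %s at line %d" % (attr, line_no))
```

Run it over every web.config, including transform files, and over the whole source tree; a clean result from `audit_web_config` on the deployed config plus an empty `audit_source` list means none of these switches explains the missing validation, which narrows the search to runtime code such as a custom value provider or model binder.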