This was definitely one of those facepalm moments, where you spend a couple of hours beating on an issue then find out it's one line of code - so hopefully folks googling the same things I did will hit on this and have a solution.
Short version - if you need to HTTP post to your controller from an HTML form, and one of your fields has embedded HTML text (in my case, it was a nifty WYSIWYG text editor), you will get a very nasty error that looks something like this:
A potentially dangerous Request.Form value was detected from the client (PostText="TEST<br>TEST<br>TEST").
Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. You can disable request validation by setting validateRequest=false in the Page directive or in the configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case.
Googling will reveal suggestions to add the page directive 'ValidateRequest="false"'. This is pretty much moot with MVC since it sets this globally to false - yet the problem will still occur.
The solution is incredibly simple. If you need to push through unencoded HTML to your controller, you just need to add the [ValidateInput(false)] attribute to the action you're using for posting - for example:
[AcceptVerbs(HttpVerbs.Post)]
[ValidateInput(false)]
public ActionResult Topic(Post postToCreate)
{
//some stuff
}
Enjoy!