Why am I getting the "A potentially dangerous Request.Form value was detected from the client" error?
K

9

23

I've created a new ASP.NET MVC 3 / .NET Framework 4.0 site using the "Internet Application" template. I used Nuget to install the Windows Azure Web Role (MVC3) package and then followed the Access Control Service walkthrough to set up Windows Live ID and Google authentication.

Soon enough, I came across the "A potentially dangerous Request.Form value was detected from the client" error and followed the article in the Windows Identity Foundation wiki to try and resolve it. Unfortunately nothing I've tried works, including:

  • Setting <httpRuntime requestValidationMode="2.0"/> and <pages validateRequest="false"> in both the root web.config and Views\web.config

  • Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

I've also tried variations of these without success.

Any ideas?

Here's the complete exception:


Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").]

System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +75
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +205
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request) +41
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +117
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Kasi answered 7/5, 2011 at 7:19 Comment(0)
K
-1

I haven't been able to find the technical reason why this doesn't work. However from a business requirements perspective, this is the wrong sample to base my particular solution on because it prompts for authentication before any pages can be accessed. However access to the home page needs to be anonymous so a "Log On" button can be used.

Instead I found the MVC3 Custom Login Sample that meets these requirements and it works.

Kasi answered 8/5, 2011 at 20:28 Comment(0)
U
19

You might try decorating the controller action you are posting to (and the one which throws this exception) with the [ValidateInput(false)] attribute (by leaving <httpRuntime requestValidationMode="2.0"/> in web.config).

Uriniferous answered 7/5, 2011 at 7:24 Comment(1)
No luck. Exception seems to be occurring before hitting the controller. I'll update the question with the stack trace. - Kasi
B
16

I had the same problem.

Here is an example of my solution:

    [ValidateInput(false)]
    public ActionResult YourMethodName(FormCollection forms)
    {
        // "fieldName" stands for the name or index of the posted field you want to read

        // HTML-encoded copy of the posted value, safe to echo back into a view
        string encodedValue = Server.HtmlEncode(forms["fieldName"]);

        // Raw (unvalidated) posted value; treat it as untrusted input
        string value = forms["fieldName"];

        // ....
        return View();
    }

You don't need anything in your webconfig.

Buitenzorg answered 7/11, 2011 at 21:12 Comment(0)
M
13

I wrote a small blog note on this here: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/. It isn't necessary to turn off request validation, or set it to 2.0 for your entire site.

In short, you only need to alter the requestValidationMode to 2.0 mode on the specific URL that WIF posts back the SAML token to. This can be done with a <location> element (see location Element (ASP.NET Settings Schema) for details) in your web.config, like this:

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

The “WIFHandler” location does not need to exist in your app, as WIF will shortcut the pipeline before ASP.NET tries to handle the request, and redirect you to the return url (ru in the wctx parameter of the SAML token POST) instead.

In your WIF configuration section of the web.config file, be sure to match the “reply” parameter with the location where you set request validation mode to 2.0 mode:

<microsoft.identityModel>
    <service>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://localhost/STS/" 
                      realm="https://localhost/MyApp/"
                      reply="https://localhost/MyApp/WIFHandler/" />

(...)
Mountainous answered 17/4, 2012 at 19:4 Comment(2)
Worked for me. I would recommend putting the full answer here instead of redirecting the answer to your website for details. - Seasickness
FYI, the full answer is now inserted here :) - Mountainous
B
2

First - narrow where this is coming from. Use Fiddler to investigate which field is causing the issue. Items as simple as: <s will cause this error when posted without being encoded. Also you may want to decorate your MODEL with the [AllowHtml] attribute and try not to enable 2.0 encoding - it's a bit dangerous.

Barocchio answered 7/5, 2011 at 16:12 Comment(0)
T
2

Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

This should fix it. Can you verify the code is actually executing? If you place a breakpoint in the Request validator, does it hit?

I assume you put <httpRuntime...> under <system.web> right?

Tilden answered 7/5, 2011 at 16:35 Comment(1)
There is a NuGet package for the WIF Request Validator: nuget.org/packages/WifRequestValidator - Vision
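For readers following the SampleRequestValidator route from the question and from Tilden's answer, here is what such a validator looks like in code. This is an added example, not code from the question, the answers, or the WIF SDK itself; it follows the pattern of that SDK sample, and the namespace and class name MyApp.WsFedRequestValidator are assumptions. The point of this approach over requestValidationMode="2.0" is scope: only the single form field wresult is exempted, and only when WIF can parse the post as a WS-Federation sign-in response, so every other field on every page keeps the default ASP.NET 4.0 request validation.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;

// Added example (assumed namespace/class name), modelled on the WIF SDK's
// SampleRequestValidator. Register it in the ROOT web.config, under the
// top-level <system.web> (not inside a <location> block), for example:
//   <httpRuntime requestValidationType="MyApp.WsFedRequestValidator, MyApp" />
// Leaving requestValidationMode at its 4.0 default is intended: this class
// is then consulted for every validated value, including the WIF post.
namespace MyApp
{
    public class WsFedRequestValidator : RequestValidator
    {
        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            // Only the "wresult" field of a form POST is a candidate for the exemption;
            // query string, cookies, headers and all other form fields fall through below.
            if (requestValidationSource == RequestValidationSource.Form &&
                string.Equals(collectionKey, WSFederationConstants.Parameters.Result, StringComparison.Ordinal))
            {
                // Ask WIF to parse the post. Only a well-formed sign-in response is
                // allowed to carry token XML in wresult. Accepting it here does not
                // trust the token: signature, issuer and audience checks still run
                // later in the WSFederationAuthenticationModule pipeline.
                SignInResponseMessage message =
                    WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage;
                if (message != null)
                {
                    return true;
                }
            }

            // Everything else keeps the stock behaviour, which rejects markup such as "<s".
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

If the validator never appears to run (Tilden's breakpoint test), check that the httpRuntime element sits in the root web.config's top-level <system.web> rather than in the <location path="FederationMetadata"> copy, and that the type name in requestValidationType includes the assembly.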
A
2

I don't see any answer here mentioning this, so here it goes.

In addition to [ValidateInput(false)], in your aspx you might need to add this to your <%@ Page ... %> directive:

<%@ Page ValidateRequest="false" %>

This would allow disabling request validation on a per page basis instead of the whole web app.

Accelerometer answered 30/10, 2013 at 8:47 Comment(1)
100% agree, this is absolutely needed + this is clean since request validation gets discarded only for the concerned page and not for the whole site. Thanks for sharing! - Noni
L
1

I came across this problem when walking through the "Single Sign-On from Active Directory to a Windows Azure Application" tutorial. In my case, the problem was that I had inadvertently placed the <httpRuntime ... /> value in the wrong <system.web /> section in my web.config file (I didn't originally notice this, but there's a new <location> section with a path of "FederationMetadata" that also contains system.web.). The value should be placed in the top-level <system.web> section.

Lory answered 7/12, 2011 at 18:40 Comment(0)
B
0

At first glance it looks like a bug in the Azure Mvc3 library. MVC 3 exposes special APIs that let you retrieve unvalidated values from the Form collection, but the module does not seem to be using them.

Beseem answered 7/5, 2011 at 16:10 Comment(0)
© 2022 - 2024 — McMap. All rights reserved.