A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...")

I am also getting a request validation error when using WIF. I get correctly sent to the STS, but on the way back, I get this validation error.

I followed all the instructions.

<httpRuntime  requestValidationMode="2.0" />

check!

    [ValidateInput(false)]

开发者_如何学Python

check!

<pages validateRequest="false" >

check!

I tried a custom validator, but it never gets instantiated.

Error stack:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="trust:RequestSecuri...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11396740
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +82
   System.Web.HttpRequest.get_Form() +212
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +26
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +145
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +108
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

Any suggestions?

---

<httpRuntime requestValidationMode="2.0"/>

after this add

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

also in mvc3 there is an AllowHtml attribute

[AllowHtml]
public string Property{ get; set; }

here are some useful links

ASP.NET MVC – pages validateRequest=false doesn’t work?

Why is ValidateInput(False) not working?

---

See this answer if you are running .NET 4.5 which takes advantage of an updated request validator built in to ASP.NET.

---

You can put both constructs together in the system.web section as per ASP.NET : A potentially dangerous Request.Form value was detected from the client.

Note that this is standard ASP.NET functionality. It is not connected to WIF.

---

In MVC 3 (not sure about 2) you can add a global filter in global.asax.cs e.g.

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new ValidateInputAttribute(false));
}

That coupled with the following should allow all data in and display it correctly and safely I think:

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

in web.config and using (note colon):

<%: Model.Something %>

or in Razor:

@Model.Something

and in some cases in Javascript:

@Html.Raw(Ajax.JavaScriptStringEncode(Model.Something))