A potentially dangerous Request.Form value was detected from the client (wresult=“<trust:RequestSecuri…”)

Question

I am also getting a request validation error when using WIF. I get correctly sent to the STS, but on the way back, I get this validation error.

I followed all the i

Answer 1

You can put both constructs together in the system.web section as per ASP.NET : A potentially dangerous Request.Form value was detected from the client.

Note that this is standard ASP.NET functionality. It is not connected to WIF.

Answer 2

In MVC 3 (not sure about 2) you can add a global filter in global.asax.cs e.g.

public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
    filters.Add(new ValidateInputAttribute(false));
}

That coupled with the following should allow all data in and display it correctly and safely I think:

<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

in web.config and using (note colon):

<%: Model.Something %>

or in Razor:

@Model.Something

and in some cases in Javascript:

@Html.Raw(Ajax.JavaScriptStringEncode(Model.Something))

Answer 3

<httpRuntime requestValidationMode="2.0"/>

after this add

<configuration>
    <system.web>
        <pages validateRequest="false" />
    </system.web>
</configuration>

also in mvc3 there is an AllowHtml attribute

[AllowHtml]
public string Property{ get; set; }

here are some useful links

ASP.NET MVC – pages validateRequest=false doesn’t work?

Why is ValidateInput(False) not working?

Answer 4

See this answer if you are running .NET 4.5 which takes advantage of an updated request validator built in to ASP.NET.