23

I've created a new ASP.NET MVC 3 / .NET Framework 4.0 site using the "Internet Application" template. I used Nuget to install the Windows Azure Web Role (MVC3) package and then followed the Access Control Service walkthrough to set up Windows Live ID and Google authentication.

Soon enough, I came across the "A potentially dangerous Request.Form value was detected from the client" error and followed the article in the Windows Identity Foundation wiki to try and resolve it. Unfortunately nothing I've tried works, including:

  • Setting <httpRuntime requestValidationMode="2.0"/> and <pages validateRequest="false"> in both the root web.config and Views\web.config

  • Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

I've also tried variations of these without success.

Any ideas?

Here's the complete exception:


Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").]

System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +75
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +205
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request) +41
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +117
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Alex Angas
  • 59,219
  • 41
  • 137
  • 210

9 Answers

19

You might try decorating the controller action you are posting to (and the one which throws this exception) with the [ValidateInput(false)] attribute (by leaving <httpRuntime requestValidationMode="2.0"/> in web.config).

Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • No luck. Exception seems to be occurring before hitting the controller. I'll update the question with the stack trace. – Alex Angas May 07 '11 at 07:32
16

I had the same problem.

Here is an example of my solution:

    [ValidateInput(false)]
    public ActionResult YourMethodName(FormCollection forms)   // YourMethodName: placeholder for your action
    {
        // Encoded string (HTML-encoded copy of the posted value, safe to render back into a page)
        string EncodedValue = Server.HtmlEncode(forms["fieldName"]);   // "fieldName": the form key, or an index

        // Normal string (the raw posted value)
        string value = forms["fieldName"];

        //....

        return View();
    }

You don't need anything in your webconfig.

Spence
  • 28,526
  • 15
  • 68
  • 103
Marco Ramos
  • 161
  • 1
  • 2
13

I wrote a small blog note on this here: http://erikbra.wordpress.com/2012/04/17/wif-saml-token-post-and-requestvalidationmode2-0/. It isn't necessary to turn off request validation, or set it to 2.0 for your entire site.

In short, you only need to alter the requestValidationMode to 2.0 mode on the specific URL that WIF posts back the SAML token to. This can be done with a <location> element (see location Element (ASP.NET Settings Schema) for details) in your web.config, like this:

<location path="WIFHandler">
  <system.web>
    <httpRuntime requestValidationMode="2.0" />
  </system.web>
</location>

The “WIFHandler” location does not need to exist in your app, as WIF will shortcut the pipeline before ASP.NET tries to handle the request, and redirect you to the return url (ru in the wctx parameter of the SAML token POST) instead.

In your WIF configuration section of the web.config file, be sure to match the “reply” parameter with the location where you set request validation mode to 2.0 mode:

<microsoft.identityModel>
    <service>
      <federatedAuthentication>
        <wsFederation passiveRedirectEnabled="true" 
                      issuer="https://localhost/STS/" 
                      realm="https://localhost/MyApp/"
                      reply="https://localhost/MyApp/WIFHandler/" />

(...)
Erik A. Brandstadmoen
  • 10,430
  • 2
  • 37
  • 55
2

I don't see any answer here mention this, so here it goes.

In addition to the [ValidateInput(false)] attribute, in your aspx, you might need to add this to your <%@ Page ...> directive:

<%@ Page ValidateRequest="false" %>

This would allow disabling request validation on a per page basis instead of the whole web app.

Jach
  • 557
  • 5
  • 12
  • 100% agree, this is absolutely needed + this is clean since request validation gets discarded only for the concerned page and not for the whole site. Thanks for sharing! – Patrick from NDepend team Aug 26 '14 at 07:44
2

First - narrow where this is coming from. Use Fiddler to investigate which field is causing the issue. Items as simple as <s will cause this error when posted without being encoded. Also you may want to decorate your MODEL with the [AllowHtml] attribute and try not to enable 2.0 encoding - it's a bit dangerous.

Adam Tuliper
  • 29,982
  • 4
  • 53
  • 71
2

Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

This should fix it. Can you verify the code is actually executing? If you place a breakpoint in the Request validator, does it hit?

I assume you put <httpRuntime...> under <system.web> right?

Eugenio Pace
  • 14,094
  • 1
  • 34
  • 43
  • There is a NuGet package for the WIF Request Validator http://nuget.org/packages/WifRequestValidator/ – webwires Jun 27 '13 at 18:31
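The stack trace in the question shows Request.Form being validated inside WSFederationAuthenticationModule.OnAuthenticateRequest, before any controller runs, which is why [ValidateInput(false)] on an action cannot help here; the decision has to be made either at the RequestValidator level (the SampleRequestValidator route Eugenio refers to) or by URL (Erik's <location> route). The following is an added example that combines the two and is not code from the question, the WIF SDK, or any answer: a validator that relaxes validation only for the wresult field posted to the WS-Federation reply path and leaves the stock ASP.NET 4.0 checks in force for every other field and URL. The namespace and class name are mine, the "~/WIFHandler/" path is taken from Erik's configuration, and the WIF 3.5 types WSFederationMessage.CreateFromFormPost, SignInResponseMessage and WSFederationMessageException (Microsoft.IdentityModel.Protocols.WSFederation) are assumed to be available as in that SDK.

```csharp
using System;
using System.Web;
using System.Web.Util;
using Microsoft.IdentityModel.Protocols.WSFederation;   // WIF 3.5 (Microsoft.IdentityModel.dll), assumed

namespace MyApp.Security   // hypothetical namespace
{
    // Replaces the stock validator for the whole site, but only relaxes it for one
    // field (wresult) on one path (the WS-Federation reply URL).
    public class WsFederationRequestValidator : RequestValidator
    {
        // Application-relative path the STS posts the token back to. Must match the
        // reply="" URL in <wsFederation>; "WIFHandler" is taken from Erik's answer.
        private const string ReplyPath = "~/WIFHandler/";

        // Form key the STS posts the token in; "wresult" is the key named in the
        // exception message in the question.
        private const string ResultKey = "wresult";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            bool isTokenPost =
                context != null
                && requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, ResultKey, StringComparison.Ordinal)
                && string.Equals(context.Request.AppRelativeCurrentExecutionFilePath,
                                 ReplyPath, StringComparison.OrdinalIgnoreCase);

            if (isTokenPost)
            {
                try
                {
                    // Accept the value only if WIF can parse the POST as a sign-in
                    // response. Signature, issuer and audience checks still run later in
                    // WSFederationAuthenticationModule; this only decides whether the
                    // raw XML may reach it at all.
                    if (WSFederationMessage.CreateFromFormPost(context.Request) is SignInResponseMessage)
                    {
                        return true;
                    }
                }
                catch (WSFederationMessageException)
                {
                    // Not a well-formed WS-Federation message: fall through to the
                    // stock checks, which will reject the angle brackets as before.
                }
            }

            // Every other field, on every other URL, gets the default ASP.NET 4.0 checks.
            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}
```

It is registered the same way the question already registers SampleRequestValidator, with <httpRuntime requestValidationType="MyApp.Security.WsFederationRequestValidator" /> placed in the top-level <system.web> section (not the one inside the FederationMetadata <location>, the trap NateTheGreat describes below); requestValidationMode stays at its 4.0 default, so no page or URL in the application loses validation.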
1

I came across this problem when walking through the "Single Sign-On from Active Directory to a Windows Azure Application" tutorial. In my case, the problem was that I had inadvertently placed the <httpRuntime ... /> value in the wrong <system.web /> section in my web.config file (I didn't originally notice this, but there's a new <location> section with a path of "FederationMetadata" that also contains system.web.). The value should be placed in the top-level <system.web> section.

NateTheGreat
  • 2,295
  • 13
  • 9
0

At first glance it looks like a bug in the Azure Mvc3 library. MVC 3 exposes special APIs that let you retrieve unvalidated values from the Form collection, but the module does not seem to be using them.

marcind
  • 52,944
  • 13
  • 125
  • 111
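As an added illustration of the MVC 3 API marcind refers to (this is not his code and not part of the Azure module): MVC 3 ships System.Web.Helpers.Validation.Unvalidated(), an extension method on the request that returns the form and query-string collections without running request validation, so an action can read one risky field while every other field, and every other action, stays validated. The controller, action, constant and helper names below are mine, the HttpRequestBase overload of Unvalidated() is assumed, and the example only helps for fields your own action reads; it does not change what WSFederationAuthenticationModule does in OnAuthenticateRequest.

```csharp
using System;
using System.IO;
using System.Web.Helpers;   // Validation.Unvalidated() extension method (ships with MVC 3), assumed
using System.Web.Mvc;
using System.Xml;

namespace MyApp.Controllers   // hypothetical namespace
{
    public class TokenController : Controller   // hypothetical controller
    {
        // Constructed upper bound on the posted token; a real RSTR is a few KB.
        private const int MaxTokenLength = 64 * 1024;

        // ValidateInput(false) keeps model binding from validating the POST body;
        // Request.Unvalidated() covers the direct read below. Every other field and
        // every other action keeps the stock request validation.
        [HttpPost]
        [ValidateInput(false)]
        public ActionResult Receive()
        {
            string wresult = Request.Unvalidated().Form["wresult"];

            if (string.IsNullOrEmpty(wresult)
                || wresult.Length > MaxTokenLength
                || !IsWellFormedTokenResponse(wresult))
            {
                // Reject rather than echo: never render the raw value back into a page.
                return new HttpStatusCodeResult(400);
            }

            // Hand the raw XML to the WIF token handlers here; signature and issuer
            // checks belong there, not in this controller.
            return RedirectToAction("Index", "Home");
        }

        // The input check the default validator no longer performs for this field: the
        // value must be XML whose document element is a WS-Trust
        // RequestSecurityTokenResponse (or the collection wrapper). DTDs and external
        // resolution are disabled so the parser itself cannot be turned against the server.
        internal static bool IsWellFormedTokenResponse(string xml)
        {
            var settings = new XmlReaderSettings
            {
                DtdProcessing = DtdProcessing.Prohibit,
                XmlResolver = null
            };

            try
            {
                using (var reader = XmlReader.Create(new StringReader(xml), settings))
                {
                    if (reader.MoveToContent() != XmlNodeType.Element)
                    {
                        return false;
                    }

                    return reader.LocalName == "RequestSecurityTokenResponse"
                        || reader.LocalName == "RequestSecurityTokenResponseCollection";
                }
            }
            catch (XmlException)
            {
                return false;
            }
        }
    }
}
```

The point of the pattern is that only the one field that legitimately carries markup bypasses the built-in check, and it is immediately subjected to a check of its own; the rest of the request, and every other URL, is still protected, which is what the exception text means by "explicitly check all inputs".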
-1

I haven't been able to find the technical reason why this doesn't work. However from a business requirements perspective, this is the wrong sample to base my particular solution on because it prompts for authentication before any pages can be accessed. However access to the home page needs to be anonymous so a "Log On" button can be used.

Instead I found the MVC3 Custom Login Sample that meets these requirements and it works.

Alex Angas
  • 59,219
  • 41
  • 137
  • 210