I am also getting a request validation error when using WIF. I get correctly sent to the STS, but on the way back, I get this validation error.
I followed all the instructions.
<httpRuntime requestValidationMode="2.0" />
check!
[ValidateInput(false)]
check!
<pages validateRequest="false" >
check!
I tried a custom validator, but it never gets instantiated.
Error stack:
[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="trust:RequestSecuri...").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11396740
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +82
System.Web.HttpRequest.get_Form() +212
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +26
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +145
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +108
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270
Any suggestions?
<httpRuntime requestValidationMode="2.0"/>
after this add
<configuration>
<system.web>
<pages validateRequest="false" />
</system.web>
</configuration>
also in mvc3 there is an AllowHtml attribute
[AllowHtml]
public string Property{ get; set; }
here are some useful links
See this answer if you are running .NET 4.5 which takes advantage of an updated request validator built in to ASP.NET.
You can put both constructs together in the system.web section as per ASP.NET : A potentially dangerous Request.Form value was detected from the client.
Note that this is standard ASP.NET functionality. It is not connected to WIF.
In MVC 3 (not sure about 2) you can add a global filter in global.asax.cs e.g.
public static void RegisterGlobalFilters(GlobalFilterCollection filters)
{
filters.Add(new ValidateInputAttribute(false));
}
That coupled with the following should allow all data in and display it correctly and safely I think:
<httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>
in web.config and using (note colon):
<%: Model.Something %>
or in Razor:
@Model.Something
and in some cases in Javascript:
@Html.Raw(Ajax.JavaScriptStringEncode(Model.Something))
来源:https://stackoverflow.com/questions/7614978/a-potentially-dangerous-request-form-value-was-detected-from-the-client-wresult