Why am I getting the "A potentially dangerous Request.Form value was detected from the client" error?

Alex Angas · May 7, 2011 · Viewed 47.4k times

I've created a new ASP.NET MVC 3 / .NET Framework 4.0 site using the "Internet Application" template. I used NuGet to install the Windows Azure Web Role (MVC3) package and then followed the Access Control Service walkthrough to set up Windows Live ID and Google authentication.

Soon enough, I came across the "A potentially dangerous Request.Form value was detected from the client" error and followed the article in the Windows Identity Foundation wiki to try and resolve it. Unfortunately nothing I've tried works, including:

  • Setting <httpRuntime requestValidationMode="2.0"/> and <pages validateRequest="false"> in both the root web.config and Views\web.config

  • Copying SampleRequestValidator from the WIF SDK into the project and setting <httpRuntime requestValidationType="SampleRequestValidator"/> in both web.configs

I've also tried variations of these without success.

Any ideas?

Here's the complete exception:


Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").

Description: Request Validation has detected a potentially dangerous client input value, and processing of the request has been aborted. This value may indicate an attempt to compromise the security of your application, such as a cross-site scripting attack. To allow pages to override application request validation settings, set the requestValidationMode attribute in the httpRuntime configuration section to requestValidationMode="2.0". Example: <httpRuntime requestValidationMode="2.0" />. After setting this value, you can then disable request validation by setting validateRequest="false" in the Page directive or in the <pages> configuration section. However, it is strongly recommended that your application explicitly check all inputs in this case. For more information, see http://go.microsoft.com/fwlink/?LinkId=153133.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").]

System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +8755668
System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +122
System.Web.HttpRequest.get_Form() +114
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +75
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +205
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request) +41
Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +117
System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +148
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +75

Answer

Darin Dimitrov · May 7, 2011

You might try decorating the controller action you are posting to (and the one which throws this exception) with the [ValidateInput(false)] attribute (by leaving <httpRuntime requestValidationMode="2.0"/> in web.config).