why do i keep getting "A potentially dangerous Request.Form value was detected from the client"

i have a web.config, which will show a SALM login page. It will successfully login. but after that i will get the above error.

Done:
added :  <pages validateRequest="false"
tested : requestValidationMode="2.0"
added on aspx page : <%@ Page Language="C#" validateRequest="false"

still the same error.

web.config re-directs to an aspx page:

 <wsFederation passiveRedirectEnabled="true" issuer="https://login.website.nl" realm="http://localhost/" requireHttps="false" reply="http://localhost/Test.aspx"/>

Open in new window


Test.aspx directly runs fine. It's just that after loggin in, i will get the above error.

Any my landing pages looks really basic:

<%@ Page Language="C#" validateRequest="false" AutoEventWireup="true"%>

    <title>SAML authentication landing page</title>
</head>
<body>
    <h1>SAML authentication landing page</h1>

</body>
</html>

Open in new window


I don't see any request form there.

Anyone can help?
A. AmienAsked:
Who is Participating?

[Product update] Infrastructure Analysis Tool is now available with Business Accounts.Learn More

x
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

btanExec ConsultantCommented:
In fact, "<" is not inherently dangerous, its only dangerous in a specific context: when writing unencoded strings to HTML output (because of XSS). In other contexts different substrings are dangerous, e.g. if you write an user-provided URL into a link, the substring "javascript:" may be dangerous.

Also the single quote character on the other hand is dangerous when interpolating strings in SQL queries, but perfectly safe if it is a part of a name submitted from a form or read from a database field.

You can't filter random input for dangerous characters, because any character may be dangerous if the request is ill intended . It is better to encode at the point where some specific characters may become dangerous because they cross into a different sub language where they have special meaning. Most refer it as input validation checks...

E.g.  When you write a string to HTML, you should encode characters that have special meaning in HTML, using Server.HtmlEncode.  When you are sure you HTML-encode everywhere you pass strings to HTML, then set validateRequest="false". Not sure for the various .NET version especially v4 like some has to also add <httpRuntime requestValidationMode="2.0" /> to web.config...

E.g. If you pass a string to a dyamic SQL statement, you should encode different characters (or have the framework handle this using prepared statements or equivalent).

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
.NET Programming

From novice to tech pro — start learning today.