A potentially dangerous Request.Form value was detected from the client (password=

Topics: Core, General
Jul 14, 2013 at 12:43 AM
Edited Jul 14, 2013 at 12:51 AM

I got the following error after setting up Orchard 1.6.1:

A potentially dangerous Request.Form value was detected from the client (password="Lf<edtnt").

Description: ASP.NET has detected data in the request that is potentially dangerous because it might include HTML markup or script. The data might represent an attempt to compromise the security of your application, such as a cross-site scripting attack. If this type of input is appropriate in your application, you can include code in a web page to explicitly allow it. For more information, see http://go.microsoft.com/fwlink/?LinkID=212874.

Exception Details: System.Web.HttpRequestValidationException: A potentially dangerous Request.Form value was detected from the client (password="Lf<edtnt").

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below.

Stack Trace:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (password="Lf<edtnt").]
System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +9664173
System.Web.<>c__DisplayClass5.<ValidateHttpValueCollection>b__3(String key, String value) +18
System.Web.HttpValueCollection.EnsureKeyValidated(String key) +9663589
System.Web.HttpValueCollection.GetValues(String name) +17
System.Web.Mvc.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture) +20
System.Web.Mvc.<>c__DisplayClass8.<.ctor>b__4() +18
System.Lazy1.CreateValue() +416
1.LazyInitValue() +10786323
System.Lazy1.get_Value() +75
System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation) +67
System.Web.Mvc.ValueProviderCollection.GetValueFromProvider(IValueProvider provider, String key, Boolean skipValidation) +55
System.Web.Mvc.<>c__DisplayClass9.<GetValue>b__4(IValueProvider provider) +33
2.MoveNext() +145
System.Linq.WhereSelectEnumerableIterator2.MoveNext() +171
1 source) +164
System.Web.Mvc.ValueProviderCollection.GetValue(String key, Boolean skipValidation) +272
System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext) +352
System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor) +317
System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor) +117
System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName) +324
System.Web.Mvc.<>c__DisplayClass1d.<BeginExecuteCore>b__19() +23
System.Web.Mvc.Async.<>c__DisplayClass1.<MakeVoidDelegate>b__0() +19
System.Web.Mvc.Async.<>c__DisplayClass81.<BeginSynchronous>b__7(IAsyncResult _) +10
1.End() +62
System.Web.Mvc.Controller.EndExecuteCore(IAsyncResult asyncResult) +57
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
System.Web.Mvc.Async.WrappedAsyncResult1.End() +62
System.Web.Mvc.Controller.EndExecute(IAsyncResult asyncResult) +47
System.Web.Mvc.Controller.System.Web.Mvc.Async.IAsyncController.EndExecute(IAsyncResult asyncResult) +10
System.Web.Mvc.<>c__DisplayClass8.<BeginProcessRequest>b__3(IAsyncResult asyncResult) +25
System.Web.Mvc.Async.<>c__DisplayClass4.<MakeVoidDelegate>b__3(IAsyncResult ar) +23
1.End() +62
System.Web.Mvc.MvcHandler.EndProcessRequest(IAsyncResult asyncResult) +47
System.Web.Mvc.MvcHandler.System.Web.IHttpAsyncHandler.EndProcessRequest(IAsyncResult result) +9
Orchard.Mvc.Routes.HttpAsyncHandler.EndProcessRequest(IAsyncResult result) in c:\Users\sebros\My Projects\Orchard\src\Orchard\Mvc\Routes\ShellRoute.cs:162
System.Web.CallHandlerExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +9628700
System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +155

Steps to reproduce:
  • Start setup Orchard
  • Type password like "Lf<edtnt" for admin user (system allows this password on setup)
  • Finish setup
  • Click SignOut
  • Try to login with this password
Orchard.Web has <httpRuntime requestValidationMode="2.0" /> in web.config but it doesn't help.

Does anyone know how to fix it?
Jul 14, 2013 at 3:24 AM
Reproducible with latest 1.x change set as well.
Jul 14, 2013 at 6:40 AM
That's reproducible with any ASP.NET application. It's ASP.NET preventing you from posting potentially dangerous input that has < chars in it. Choose a different password.
Jul 14, 2013 at 9:29 AM
BertrandLeRoy wrote:
That's reproducible with any ASP.NET application. It's ASP.NET preventing you from posting potentially dangerous input that has < chars in it. Choose a different password.
For me that's not a solution. As I said before, Orchard allowed me this password without any exception on setup, and it's good not to restrict the user's password.

After a bit of research I found that on setup you don't validate any fields:
namespace Orchard.Setup.Controllers {
    [ValidateInput(false), Themed]
    public class SetupController : Controller {
There is also no validation when I create a user in Admin:
namespace Orchard.Users.Controllers {
    public class AdminController : Controller, IUpdateModel {
But there is validation for LogOn, ChangePassword and Register in AccountController. It would be great if you created models for these actions and set [AllowHtml] on the password property.

Thank you
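As an added illustration of the suggestion above (not Orchard's code), this is how a LogOn view model with [AllowHtml] on the password property scopes the exemption to one field instead of switching validation off for the whole action. The model, controller and ValidateUser helper are hypothetical; it relies on httpRuntime requestValidationMode="2.0", which the post says Orchard.Web already sets, because with mode 4.0 the whole form is validated before MVC ever sees the [AllowHtml] attribute.

```csharp
using System.ComponentModel.DataAnnotations;
using System.Web.Mvc;

// Hypothetical view model for the LogOn action (not Orchard's own code).
public class LogOnViewModel
{
    // The user name stays under normal request validation: a "<" here is
    // still rejected with HttpRequestValidationException.
    [Required]
    public string UserNameOrEmail { get; set; }

    // Only the password opts out. A password is hashed and compared, never
    // rendered back into a page, so markup characters in it pose no XSS risk.
    [Required, DataType(DataType.Password), AllowHtml]
    public string Password { get; set; }

    public bool RememberMe { get; set; }
}

public class AccountController : Controller
{
    // Before: [ValidateInput(false)] on the action would exempt every field,
    // including ones that may later be rendered, such as the user name.
    //
    // After: bind to the model. DefaultModelBinder passes skipValidation=true
    // only for properties whose metadata carries [AllowHtml]; every other
    // property still goes through ValueProviderCollection.GetValue with
    // validation enabled, as seen in the stack trace above.
    [HttpPost]
    public ActionResult LogOn(LogOnViewModel model)
    {
        if (!ModelState.IsValid)
            return View(model);

        // Assumed membership lookup; Orchard's real implementation differs.
        bool ok = ValidateUser(model.UserNameOrEmail, model.Password);
        if (!ok)
        {
            ModelState.AddModelError("", "The user name or password is incorrect.");
            return View(model);
        }
        return RedirectToAction("Index", "Home");
    }

    // Placeholder for the credential check; never stores or logs the raw password.
    private bool ValidateUser(string userNameOrEmail, string password)
    {
        return false;
    }
}
```

The same model-per-action approach applies to ChangePassword and Register, where the password fields are marked [AllowHtml] and everything else keeps the default validation.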
Jul 14, 2013 at 10:36 AM
Edited Jul 14, 2013 at 10:37 AM
If we support any characters during setup, we should also support that during login, so this looks like a bug. Whether we need to enable ValidateInput on setup or disable ValidateInput on Login remains to be discussed, but it probably needs to be consistent to prevent this situation.

If you file a bug the team will triage. Thanks.
Jul 14, 2013 at 11:20 AM
Thank you sfmskywalker.

Created issue 19896