AntiXSS issue : The Official Microsoft ASP.NET Forums

Reply

skmcfadden

Member

35 Points

AntiXSS issue

Jan 24, 2013 10:59 PM|LINK

Recently ported our VS2010 MVC .NET 4.0 app to VS2012 (.NET 4.5). It uses WIF/WSFederation to support federation via POSTing of SAML tokens.

WHen an external entity posts a XML encoded SAML token to our controller AntiXSS throws the following error:

System.Web.HttpRequestValidationException occurred

HResult=-2147467259
Message=A potentially dangerous Request.Form value was detected from the client (wresult="<t:RequestSecurityTo...").
Source=System.Web
ErrorCode=-2147467259
WebEventCode=0
StackTrace:
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
InnerException:

How do you configure an exception for AntiXSS in .NET 4.5? This particular kind of dangerous request should go through (SAML token post) but not others.

Reply

skmcfadden

Member

35 Points

97 Posts

Re: AntiXSS issue

Jan 24, 2013 11:40 PM|LINK

Figured out that I needed to make my own request validator that lets this xml through. Did that but unforunately, I get a StackOverFLow exception when it is called.

using System;
using System.Web;
using System.Web.Util;
using System.IdentityModel.Services;
using System.IdentityModel.Metadata;
using System.Security.Claims;

namespace CT.ACME.Apps.Web.Utilities.Impl
{
    
    //This class allow us to perform custom request validation.  We basically check for (and allow through) xml based security tokens.  Everything else we defer to the base request validator.
    //<system.web>
    //  <httpRuntime requestValidationType="CT.ACME.Apps.Web.Utilities.WsFederationRequstValidator, CT.ACME.Apps.Web.Utilities" />
    public class WsFederationRequstValidator : RequestValidator
    {
        protected override bool IsValidRequestString(HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            
            CompositeHttpContext compositeCtx = new CompositeHttpContext();
            compositeCtx.Initialize(context);
            
            return IsValidRequestString(compositeCtx, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }

        
        //Hack, this allow us to unit test request validation.
        public bool IsValidRequestString(CompositeHttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = 0;

            if (requestValidationSource == RequestValidationSource.Form)  // collectionKey.Equals(WSFederationConstants.Parameters.Result, StringComparison.Ordinal)
            {
                //if (WSFederationMessage.CreateFromFormPost(context.Request) as SignInResponseMessage != null)
                //{
                //    return true;
                //}
                
                if (WSFederationMessage.CreateFromNameValueCollection(WSFederationMessage.GetBaseUrl(context.Request.Url), context.Request.Form) as SignInResponseMessage != null)
                {
                    return true;
                }
            }

            return base.IsValidRequestString(context.OriginalContext, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
        
    }
}