Fixed

Less than symbol in text entry fields not escaped

Beau Harrison (Senior Product Software Engineer) 10 years ago updated by anonymous 8 years ago

If any standard text field contains a less-than symbol (<) followed by alphabetical characters, the following is displayed when the form is submitted.

System.Web.HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (LesserValue="<value").
	at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
	at System.Web.HttpValueCollection.GetValues(String name)
	at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.GetResultFromCollection(String key, NameValueCollection collection, CultureInfo culture)
	at System.Lazy`1.CreateValue()
	at System.Lazy`1.LazyInitValue()
	at System.Web.Mvc.NameValueCollectionValueProvider.ValueProviderResultPlaceholder.get_ValidatedResult()
	at System.Web.Mvc.NameValueCollectionValueProvider.GetValue(String key, Boolean skipValidation)
	at System.Web.Mvc.ValueProviderCollection.<>c__DisplayClass9.<GetValue>b__4(IValueProvider provider)
	at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
	at System.Linq.Enumerable.WhereSelectEnumerableIterator`2.MoveNext()
	at System.Linq.Enumerable.FirstOrDefault[TSource](IEnumerable`1 source)
	at System.Web.Mvc.DefaultModelBinder.BindModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
	at System.Web.Mvc.DefaultModelBinder.GetPropertyValue(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor, IModelBinder propertyBinder)
	at System.Web.Mvc.DefaultModelBinder.BindProperty(ControllerContext controllerContext, ModelBindingContext bindingContext, PropertyDescriptor propertyDescriptor)
	at System.Web.Mvc.DefaultModelBinder.BindProperties(ControllerContext controllerContext, ModelBindingContext bindingContext)
	at System.Web.Mvc.DefaultModelBinder.BindComplexModel(ControllerContext controllerContext, ModelBindingContext bindingContext)
	at System.Web.Mvc.ControllerActionInvoker.GetParameterValue(ControllerContext controllerContext, ParameterDescriptor parameterDescriptor)
	at System.Web.Mvc.ControllerActionInvoker.GetParameterValues(ControllerContext controllerContext, ActionDescriptor actionDescriptor)
	at System.Web.Mvc.ControllerActionInvoker.InvokeAction(ControllerContext controllerContext, String actionName)
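The trace above shows ASP.NET MVC request validation rejecting the field during model binding, before the action runs. The following is an added example (not the project's code) of the narrowest server-side handling: opt a single property out of request validation with `[AllowHtml]` and encode the value on output, rather than disabling validation for the whole action. The model, property and controller names are assumptions for illustration.

```csharp
// Added example, not from the project: accept a literal "<" in one field
// while keeping ASP.NET MVC request validation on for everything else.
// LesserValueModel, LesserValue and ValuesController are assumed names.
using System.Web;
using System.Web.Mvc;

public class LesserValueModel
{
    // [AllowHtml] skips request validation for this property only, so a
    // value such as "<value" binds instead of raising
    // HttpRequestValidationException during model binding.
    [AllowHtml]
    public string LesserValue { get; set; }

    // Other properties keep the default validation.
    public string Comment { get; set; }
}

public class ValuesController : Controller
{
    // Note: [ValidateInput(false)] on the action would disable validation
    // for every field of the request; [AllowHtml] on the model is narrower.
    [HttpPost]
    [ValidateAntiForgeryToken]
    public ActionResult Save(LesserValueModel model)
    {
        if (!ModelState.IsValid)
        {
            return View(model);
        }

        // The raw "<" is now in the model, so it must be encoded wherever it
        // is rendered. Razor's @ syntax HTML-encodes by default:
        //     <span>@Model.LesserValue</span>   renders as &lt;value
        // When building markup outside Razor, encode explicitly:
        string safe = HttpUtility.HtmlEncode(model.LesserValue);
        ViewBag.Preview = safe;

        return View("Saved", model);
    }
}
```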