A potentially dangerous Request.Form value was detected from the client (wresult="<trust:RequestSecuri...")

I am also getting a request validation error when using WIF. I get correctly sent to the STS, but on the way back, I get this validation error.

I followed all the instructions.

    <httpRuntime requestValidationMode="2.0" />

check!

    [ValidateInput(false)]

check!

    <pages validateRequest="false" >

check!

I tried a custom validator, but it never gets instantiated.

Error stack:

[HttpRequestValidationException (0x80004005): A potentially dangerous Request.Form value was detected from the client (wresult="trust:RequestSecuri...").]
   System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection) +11396740
   System.Web.HttpRequest.ValidateNameValueCollection(NameValueCollection nvc, RequestValidationSource requestCollection) +82
   System.Web.HttpRequest.get_Form() +212
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.IsSignInResponse(HttpRequest request) +26
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequest request, Boolean onPage) +145
   Microsoft.IdentityModel.Web.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args) +108
   System.Web.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() +80
   System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously) +270

Any suggestions?


    <httpRuntime requestValidationMode="2.0"/>

After this, add:

    <configuration>
        <system.web>
            <pages validateRequest="false" />
        </system.web>
    </configuration>

Also, in MVC 3 there is an AllowHtml attribute:

    [AllowHtml]
    public string Property { get; set; }

Here are some useful links:

ASP.NET MVC – pages validateRequest=false doesn’t work?

Why is ValidateInput(False) not working?


See this answer if you are running .NET 4.5, which takes advantage of an updated request validator built into ASP.NET.


You can put both constructs together in the system.web section as per ASP.NET : A potentially dangerous Request.Form value was detected from the client.

Note that this is standard ASP.NET functionality. It is not connected to WIF.


In MVC 3 (not sure about 2) you can add a global filter in global.asax.cs, e.g.:

    public static void RegisterGlobalFilters(GlobalFilterCollection filters)
    {
        filters.Add(new ValidateInputAttribute(false));
    }

That, coupled with the following, should allow all data in and display it correctly and safely, I think:

    <httpRuntime encoderType="Microsoft.Security.Application.AntiXssEncoder, AntiXssLibrary"/>

in web.config and using (note colon):

    <%: Model.Something %>

or in Razor:

    @Model.Something

and in some cases in JavaScript:

    @Html.Raw(Ajax.JavaScriptStringEncode(Model.Something))