We have an old aspx login page and I have been handed the task of allowing the password field to allow < and > characters like .
I have been assured that this change will be immune to XSS as the password field will never be sent to the client.
Whenever we try passwords with < or > I get the following stack trace:
at System.Web.HttpRequest.ValidateString(String value, String collectionKey, RequestValidationSource requestCollection)
at System.Web.HttpRequest.ValidateHttpValueCollection(HttpValueCollection collection, RequestValidationSource requestCollection)
at System.Web.HttpRequest.get_Form()
at System.IdentityModel.Services.WSFederationAuthenticationModule.IsSignInResponse(HttpRequestBase request)
at System.IdentityModel.Services.WSFederationAuthenticationModule.CanReadSignInResponse(HttpRequestBase request, Boolean onPage)
at System.IdentityModel.Services.WSFederationAuthenticationModule.OnAuthenticateRequest(Object sender, EventArgs args)
at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute()
at System.Web.HttpApplication.ExecuteStepImpl(IExecutionStep step)
at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)
I have never used WSFederationAuthenticationModule, so I would be open to suggestions on how to configure it to allow < and/or > in the password field, if such a thing is possible.
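The trace shows the rejection coming from ASP.NET request validation (HttpRequest.ValidateString), which the federation module triggers by reading Request.Form, not from the module itself. One targeted way to relax that check for a single field is a custom RequestValidator registered in web.config; the code below is an added example, not from the original post, and assumes the password input posts under the form key "txtPassword" and the site assembly is named "LoginApp".

```csharp
using System;
using System.Web;
using System.Web.Util;

namespace LoginApp.Security
{
    // Keeps ASP.NET's built-in request validation for every input except the
    // login form's password field, so "<" and ">" are accepted there only.
    // "txtPassword" is an assumed placeholder for the real form field name.
    public class PasswordRequestValidator : RequestValidator
    {
        private const string PasswordFieldName = "txtPassword";

        protected override bool IsValidRequestString(
            HttpContext context,
            string value,
            RequestValidationSource requestValidationSource,
            string collectionKey,
            out int validationFailureIndex)
        {
            // Relax validation only for the password field posted in the form body.
            // Query string, cookies, headers and all other form fields still go
            // through the default check, so the change stays narrowly scoped.
            if (requestValidationSource == RequestValidationSource.Form
                && string.Equals(collectionKey, PasswordFieldName, StringComparison.OrdinalIgnoreCase))
            {
                validationFailureIndex = -1;
                return true;
            }

            return base.IsValidRequestString(
                context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}

// Register the validator at the runtime level in web.config (assembly name
// "LoginApp" is assumed). Because the federation module reads Request.Form
// during AuthenticateRequest, before any page runs, a page-level
// ValidateRequest="false" would not reach this code path:
//
//   <system.web>
//     <httpRuntime requestValidationMode="4.5"
//                  requestValidationType="LoginApp.Security.PasswordRequestValidator, LoginApp" />
//   </system.web>
```

Since the field is exempted from validation, the server-side code must never write its value back into a response or a log.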