From 22fa33c06f8c1620b0e690efd3bf13db2aeb0b22 Mon Sep 17 00:00:00 2001
From: Sipke Schoorstra
Date: Sat, 4 Jul 2015 12:25:23 +0200
Subject: [PATCH] #5279: Fixed "potentially dangerous request" error.
Fixes #5279
---
 .../Orchard.DynamicForms/Controllers/FormController.cs | 1 +
 .../Orchard.DynamicForms/Drivers/FormElementDriver.cs | 9 ++++++++-
 .../Modules/Orchard.DynamicForms/Elements/Form.cs | 5 +++++
 .../Modules/Orchard.DynamicForms/Services/FormService.cs | 8 +++++++-
 4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/src/Orchard.Web/Modules/Orchard.DynamicForms/Controllers/FormController.cs b/src/Orchard.Web/Modules/Orchard.DynamicForms/Controllers/FormController.cs
index 3a033fa65..4630fe116 100644
--- a/src/Orchard.Web/Modules/Orchard.DynamicForms/Controllers/FormController.cs
+++ b/src/Orchard.Web/Modules/Orchard.DynamicForms/Controllers/FormController.cs
@@ -35,6 +35,7 @@ namespace Orchard.DynamicForms.Controllers {
 public ILogger Logger { get; set; }
 [HttpPost]
+ [ValidateInput(false)]
 public ActionResult Submit(int contentId, string formName) {
 var layoutPart = _layoutManager.GetLayout(contentId);
 var form = _formService.FindForm(layoutPart, formName);
diff --git a/src/Orchard.Web/Modules/Orchard.DynamicForms/Drivers/FormElementDriver.cs b/src/Orchard.Web/Modules/Orchard.DynamicForms/Drivers/FormElementDriver.cs
index 1a8b72db7..7c6a0be09 100644
--- a/src/Orchard.Web/Modules/Orchard.DynamicForms/Drivers/FormElementDriver.cs
+++ b/src/Orchard.Web/Modules/Orchard.DynamicForms/Drivers/FormElementDriver.cs
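Review bot: `[ValidateInput(false)]` switches request validation off for every value posted to Submit, not only the form fields that triggered the "potentially dangerous request" error, so the remaining control against markup in submissions is the per-form `HtmlEncode` flag introduced elsewhere in this patch, which an editor can uncheck. A narrower fix that keeps validation on for `contentId`, `formName` and anything else bound here is to read just the submitted field values through `Request.Unvalidated` (a property from .NET 4.5, or the `Request.Unvalidated()` helper in earlier MVC) where the service collects them, if the target framework allows it. If the attribute stays, record the reasoning beside it: `// Request validation is off so markup in field values reaches the service; FormService HTML-encodes them when Form.HtmlEncode is set (default true).` The body of Submit continues outside the hunk.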
@@ -78,12 +78,19 @@ namespace Orchard.DynamicForms.Drivers {
 Title: "Store Submission",
 Value: "true",
 Description: T("Stores the submitted form into the database.")),
+ _HtmlEncode: shape.Checkbox(
+ Id: "HtmlEncode",
+ Name: "HtmlEncode",
+ Title: "Html Encode",
+ Value: "true",
+ Checked: true,
+ Description: T("Check this option to automatically HTML encode submitted values to prevent code injection.")),
 _CreateContent: shape.Checkbox(
 Id: "CreateContent",
 Name: "CreateContent",
 Title: "Create Content",
 Value: "true",
- Description: T("Check this to create a content item based using the submitted values. You will have to select a Content Type here and bind the form fields to the various parts and fields of the selected Content Type.")),
+ Description: T("Check this option to create a content item based using the submitted values. You will have to select a Content Type here and bind the form fields to the various parts and fields of the selected Content Type.")),
 _ContentType: shape.SelectList(
 Id: "FormBindingContentType",
 Name: "FormBindingContentType",
diff --git a/src/Orchard.Web/Modules/Orchard.DynamicForms/Elements/Form.cs b/src/Orchard.Web/Modules/Orchard.DynamicForms/Elements/Form.cs
index 3360dafc8..2c6c44996 100644
--- a/src/Orchard.Web/Modules/Orchard.DynamicForms/Elements/Form.cs
+++ b/src/Orchard.Web/Modules/Orchard.DynamicForms/Elements/Form.cs
@@ -32,6 +32,11 @@ namespace Orchard.DynamicForms.Elements {
 set { this.Store(x => x.StoreSubmission, value); }
 }
+ public bool HtmlEncode {
+ get { return this.Retrieve(x => x.HtmlEncode, () => true); }
+ set { this.Store(x => x.HtmlEncode, value); }
+ }
+
 public bool? CreateContent {
 get { return this.Retrieve(x => x.CreateContent); }
 set { this.Store(x => x.CreateContent, value); }
diff --git a/src/Orchard.Web/Modules/Orchard.DynamicForms/Services/FormService.cs b/src/Orchard.Web/Modules/Orchard.DynamicForms/Services/FormService.cs
index 8dcaf52ec..97f2fbaca 100644
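Review bot: The description on the new `HtmlEncode` checkbox says encoding prevents "code injection", which overstates what `HttpUtility.HtmlEncode` does and hides the trade-off of unchecking it: encoding only neutralises HTML and script markup when a stored value is later rendered as HTML, and because this patch also disables request validation on Submit, an unchecked box means raw markup is stored. Suggest `Description: T("Check this option to HTML encode submitted values before they are stored, so markup or script in a submission is not rendered when the values are displayed. Leave it unchecked only if the values are encoded where they are output.")`. The `Checked: true` default is the right choice for a newly added form.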
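Review bot: `HtmlEncode` is a plain `bool` with a default of `() => true` while the neighbouring `CreateContent` is a `bool?` with no default, and nothing explains the asymmetry; a reader cannot tell whether forms saved before this setting existed are meant to be encoded. A doc comment on the property would settle it: `/// <summary>True to HTML-encode submitted field values before they are stored. Defaults to true so forms saved before this setting existed are encoded.</summary>` — the second sentence is the presumed intent of the default and should be confirmed by the author. The enclosing class continues outside the hunk.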
--- a/src/Orchard.Web/Modules/Orchard.DynamicForms/Services/FormService.cs
+++ b/src/Orchard.Web/Modules/Orchard.DynamicForms/Services/FormService.cs
@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.Data;
 using System.Linq;
+using System.Web;
 using System.Web.Mvc;
 using Orchard.Collections;
 using Orchard.ContentManagement;
@@ -179,7 +180,12 @@ namespace Orchard.DynamicForms.Services {
 ReadElementValues(element, context);
 foreach (var key in from string key in context.Output where !String.IsNullOrWhiteSpace(key) && values[key] == null select key) {
- values.Add(key, context.Output[key]);
+ var value = context.Output[key];
+ if (form.HtmlEncode) value = HttpUtility.HtmlEncode(value);
+ values.Add(key, value);
 }
 }
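Review bot: Encoding is applied on the way into storage (`value = HttpUtility.HtmlEncode(value)` immediately before `values.Add(key, value)`), so what is persisted is already escaped; any later consumer that encodes on output — Razor's default `@` encoding, or content fields populated when `CreateContent` is set — may show `&lt;` as literal text, and consumers that want the raw value (e-mail, export) get escaped data, though whether that happens depends on code outside this hunk. Raw storage with output-time encoding is the conventional arrangement; if storage-time encoding is a deliberate choice because request validation is now off for Submit, say so next to the check: `// Encode before storing: Submit runs with [ValidateInput(false)], so this is the only filter on submitted markup.` Note that `HttpUtility.HtmlEncode(null)` returns null, so a missing value is stored unchanged, matching the previous behaviour. The enclosing method starts outside the hunk.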