#5279: Fixed "potentially dangerous request" error.

Fixes #5279

src/Orchard.Web/Modules/Orchard.DynamicForms/Controllers/FormController.cs

@@ -35,6 +35,7 @@ namespace Orchard.DynamicForms.Controllers {
         public ILogger Logger { get; set; }
 
         [HttpPost]
+        [ValidateInput(false)]
         public ActionResult Submit(int contentId, string formName) {
             var layoutPart = _layoutManager.GetLayout(contentId);
             var form = _formService.FindForm(layoutPart, formName);

src/Orchard.Web/Modules/Orchard.DynamicForms/Drivers/FormElementDriver.cs

@@ -78,12 +78,19 @@ namespace Orchard.DynamicForms.Drivers {
                         Title: "Store Submission",
                         Value: "true",
                         Description: T("Stores the submitted form into the database.")),
+                    _HtmlEncode: shape.Checkbox(
+                        Id: "HtmlEncode",
+                        Name: "HtmlEncode",
+                        Title: "Html Encode",
+                        Value: "true",
+                        Checked: true,
+                        Description: T("Check this option to automatically HTML encode submitted values to prevent code injection.")),
                     _CreateContent: shape.Checkbox(
                         Id: "CreateContent",
                         Name: "CreateContent",
                         Title: "Create Content",
                         Value: "true",
-                        Description: T("Check this to create a content item based using the submitted values. You will have to select a Content Type here and bind the form fields to the various parts and fields of the selected Content Type.")),
+                        Description: T("Check this option to create a content item based using the submitted values. You will have to select a Content Type here and bind the form fields to the various parts and fields of the selected Content Type.")),
                     _ContentType: shape.SelectList(
                         Id: "FormBindingContentType",
                         Name: "FormBindingContentType",

src/Orchard.Web/Modules/Orchard.DynamicForms/Elements/Form.cs

@@ -32,6 +32,11 @@ namespace Orchard.DynamicForms.Elements {
             set { this.Store(x => x.StoreSubmission, value); }
         }
 
+        public bool HtmlEncode {
+            get { return this.Retrieve(x => x.HtmlEncode, () => true); }
+            set { this.Store(x => x.HtmlEncode, value); }
+        }
+
         public bool? CreateContent {
             get { return this.Retrieve(x => x.CreateContent); }
             set { this.Store(x => x.CreateContent, value); }

src/Orchard.Web/Modules/Orchard.DynamicForms/Services/FormService.cs

@@ -3,6 +3,7 @@ using System.Collections.Generic;
 using System.Collections.Specialized;
 using System.Data;
 using System.Linq;
+using System.Web;
 using System.Web.Mvc;
 using Orchard.Collections;
 using Orchard.ContentManagement;
@@ -179,7 +180,12 @@ namespace Orchard.DynamicForms.Services {
                 ReadElementValues(element, context);
 
                 foreach (var key in from string key in context.Output where !String.IsNullOrWhiteSpace(key) && values[key] == null select key) {
-                    values.Add(key, context.Output[key]);
+                    var value = context.Output[key];
+
+                    if (form.HtmlEncode)
+                        value = HttpUtility.HtmlEncode(value);
+
+                    values.Add(key, value);
                 }
             }