I'm attempting to prove the viability of upgrading a copy of our current Moodle site which is running on 3.8 to the latest release of 3.10.3. We are running Moodle on Windows IIS.
After going through the process of logging in, the server responds with an error redirecting "/login/index.php" to "/login/<a> </a>" with the verbiage "A potentially dangerous Request.Path value was detected from the client (<)". I've never seen this behavior in any previous versions of Moodle, whether installed freshly or through an upgrade process. This is rather puzzling to me. Does anyone know anything about this sort of behavior? I've attempted to do a search for this on this site but have gotten no examples before me.
What appears in the browser is a standard IIS form of reporting errors. But the data is not all in that page. So I looked for the corresponding error in the Windows Event Log and this is the entire error text:
Event code: 3005 Event message: An unhandled exception has occurred. Event time: 4/12/2021 1:06:40 PM Event time (UTC): 4/12/2021 8:06:40 PM Event ID: 9dc4a7b396db46998614c6dae155f001 Event sequence: 4 Event occurrence: 1 Event detail code: 0 Application information: Application domain: /LM/W3SVC/16/ROOT-3-132627315898376896 Trust level: Full Application Virtual Path: / Application Path: C:\Websites\moodle_testing\website\ Machine name: ADMIN3 Process information: Process ID: 8552 Process name: w3wp.exe Account name: IIS APPPOOL\moodle_testing Exception information: Exception type: HttpException Exception message: A potentially dangerous Request.Path value was detected from the client (<). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context) Request information: Request URL: https://{our domain}:443/login/<a></a> Request path: /login/<a></a> User host address: 97.93.27.15 User: Is authenticated: False Authentication Type: Thread account name: ADMIN3\Administrator Thread information: Thread ID: 7 Thread account name: ADMIN3\Administrator Is impersonating: False Stack trace: at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context) Custom event details:Update, it appears that after logging in any path winds up being mangled with "<a> </a>" anchor tags being added to the end. So I am unable to use the site at all until I resolve this issue. Even if I close the browser and then open a new one and manually type in the URL, the path is appended with "<a> </a>". Very odd.