121

I've got a legacy code issue that requires that I support random URLs as if they were requests for the home page. Some of the URLs have characters in them that generate the error "A potentially dangerous Request.Path value was detected from the client (&)". The site is written with ASP.Net MVC 3 (in C#) and is running on IIS 7.5.

Here's an example URL...

http://mywebsite.example/Test123/This_&_That

Here's how I have my catch-all route set up (I have other routes to catch specific pages)...

routes.MapRoute(
    "Default", // Route name
    "{garb1}/{garb2}", // URL with parameters
    new { controller = "Website", action = "Home", garb1 = UrlParameter.Optional, garb2 = UrlParameter.Optional } // Parameter defaults
);

I've added the following things to my web.config file...

<configuration>
    <system.web>
        <pages validateRequest="false" />
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
</configuration>

I've also added the ValidateInput attribute to the action that should be catching the URLs...

public class WebsiteController : Controller
{
    [ValidateInput(false)]
    public ActionResult Home()
    {
        return View();
    }
}

But I'm still getting the error. Any ideas why? Did I miss something? Right now I'm just running on my local dev server (I haven't tried these fixes in production yet).

Stephen Ostermiller
Brian
  • 1
    There is a setting to allow certain chars I'll check shortly when back on computer......but can you urlencode your URL? – Adam Tuliper May 17 '11 at 03:23
  • possible duplicate of [A potentially dangerous Request.Path value was detected from the client (\*)](http://stackoverflow.com/questions/5967103/a-potentially-dangerous-request-path-value-was-detected-from-the-client) – Marijn Mar 11 '14 at 16:10
  • I don't know for what reason the website was internally trying a redirection which was creating a URL like 'http://localhost/://localhost/myWebsiteName/' which was giving me the same error. I don't know why ASP.net pipeline considers it a dangerous request URL. – RBT Sep 28 '16 at 08:19
  • In my case, I was missing a slash in the URL. The first thing to do would be to check for a typo in the URL. – Kishan Vaishnav Oct 24 '19 at 04:36

5 Answers

169

While you could try these settings in the config file

<system.web>
    <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

I would avoid using characters like '&' in the URL path, replacing them with underscores.

Alexander Prokofyev
  • 14
    It appears the requestPathInvalidCharacters="" did the trick. Thanks. I definitely agree that you shouldn't use & in the path, unfortunately we've been allowing it for years so we need to continue to support it. – Brian May 17 '11 at 16:17
  • 5
    Isn't that a security issue? – Marius Stănescu Mar 08 '13 at 12:44
  • 3
    @MariusStanescu - It's not inherently a security issue; it depends on what you do with it. If the input is taken and escaped and included with the output it will be fine. If it isn't escaped, then you might open yourself up to an attack. – Justin Helgerson Jun 03 '13 at 13:52
  • 1
    This is a nice reference question on so about the invalid char http://stackoverflow.com/a/8597868/169714 – JP Hellemons Aug 29 '13 at 10:06
  • 2
    This solution can give you this error: HTTP Error 500.19 - Internal Server Error The requested page cannot be accessed because the related configuration data for the page is invalid. – Tom Stickel Aug 17 '15 at 23:30
  • It didn't, thus it is a comment and not an answer. So basically it should be helpful to other people to see that just because it works for some people and is the selected answer, it didn't work for me – Tom Stickel Sep 30 '15 at 21:57
  • 2
    I also received an error 500 when using this answer. This was due to already having and tags, therefore there was a duplication conflict. After resolving that, this answer worked fine for me too. – Kallum Tanton Oct 30 '15 at 09:33
  • A similar answer from a different that may be more secure: http://stackoverflow.com/a/8597868 – Ryan Kyle Oct 25 '16 at 00:28
  • 1
    If you are worried about removing all the invalid characters, just remove the & from the default list: `requestPathInvalidCharacters="<,>,*,%,&,:,\,?"`, so it becomes: `requestPathInvalidCharacters="<,>,*,%,:,\,?"` – Matthieu Charbonnier Nov 28 '16 at 14:06
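
Added example, not part of the original answers or the asker's code: once the path character check is relaxed as in the answer above, the catch-all action is where the `{garb1}/{garb2}` segments get vetted before anything uses them, which is the point the comments make about escaping. The allowlist pattern and the `ViewBag` property names are assumptions.

```csharp
using System.Text.RegularExpressions;
using System.Web.Mvc;

public class WebsiteController : Controller
{
    // Assumed allowlist for legacy segments: letters, digits and a few
    // punctuation marks, including '&'. Adjust it to what the old URLs
    // really contain. \z (not $) so a trailing newline cannot slip through.
    private static readonly Regex LegacySegment =
        new Regex(@"^[A-Za-z0-9_&.\- ]{1,100}\z", RegexOptions.CultureInvariant);

    // garb1 and garb2 are bound from the "{garb1}/{garb2}" catch-all route.
    public ActionResult Home(string garb1, string garb2)
    {
        // With requestPathInvalidCharacters relaxed, ASP.NET no longer rejects
        // '<', '>', '%' and the rest in the path, so the action decides which
        // segments it is willing to hand to the view.
        if (IsAcceptable(garb1) && IsAcceptable(garb2))
        {
            // Store the raw values. Razor's @ViewBag.Garb1 HTML-encodes on
            // output; do not wrap these in Html.Raw.
            ViewBag.Garb1 = garb1;
            ViewBag.Garb2 = garb2;
        }

        // Every URL still renders the home page, as the legacy behaviour
        // requires; unexpected segments are simply never echoed.
        return View();
    }

    private static bool IsAcceptable(string segment)
    {
        // Optional route parameters arrive as null when absent.
        return string.IsNullOrEmpty(segment) || LegacySegment.IsMatch(segment);
    }
}
```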
6

I have faced this type of error when calling a function from Razor.

public ActionResult EditorAjax(int id, int? jobId, string type = ""){}

I solved that by changing the line from

<a href="/ScreeningQuestion/EditorAjax/5&jobId=2&type=additional" /> 

to

<a href="/ScreeningQuestion/EditorAjax/?id=5&jobId=2&type=additional" />

where my route.config is

routes.MapRoute(
    "Default", // Route name
    "{controller}/{action}/{id}", // URL with parameters
    new { controller = "Home", action = "Index", id = UrlParameter.Optional }, // Parameter defaults
    new string[] { "RPMS.Controllers" } // Controller namespaces
);
reza.cse08
  • Is `EditorAjax` an `ApiController` (vs View Controller)? I have both and `ApiController` takes URL params well, probably because the defaults allow it, since that's a common usage. I only have a problem now that I want to add URL params to View Controllers. – Csaba Toth Aug 29 '20 at 04:16
1

If you want to allow HTML tags for only a few text boxes in MVC, you can do one thing in the controller:

[ValidateInput(false)]
public ActionResult CreateNewHtml() // view
{
    return View();
}

[ValidateInput(false)]
[HttpPost]
public ActionResult CreateNewHtml(cbs obj) // view; cbs is the database class
{
    repo.AddHtml(obj);
    return View();
}
Pavan
  • 1
    The OP explicitly speaks of URLs he needs to support (not text box content) and there's also no mention of HTML - so your answer really does not apply to the given question. – Oliver Apr 29 '13 at 12:59
  • 2
    It doesn't apply to the question, but I upvoted as it's something I didn't know was an option. Thanks @Pavan – MickJuice Aug 14 '14 at 13:31
0

We were getting this same error in Fiddler when trying to figure out why our Silverlight ArcGIS map viewer wasn't loading the map. In our case it was a typo in the URL in the code. There was an equal sign in there for some reason.
http:=//someurltosome/awesome/place
instead of
http://someurltosome/awesome/place

After taking out that equal sign it worked great (of course).

Josh P
0

Check that the lines below are present in your web.config file

<system.web>
    <httpRuntime requestPathInvalidCharacters="" />
</system.web>

Balamurugan