22

When I call my web service, which takes two parameters, I get:

A potentially dangerous Request.Path value was detected from the client (&).

Route config:

```csharp
config.Routes.MapHttpRoute(
    name: "PropertiesSearch",
    routeTemplate: "api/property/Search/{category}/{query}",
    defaults: new { controller = "Property", action = "Search", category = "common", query = string.Empty }
);
```

Controller method:

```csharp
[HttpGet]
public SearchResult Search(string category, string query)
{
}
```

When I call the API with:

/api/property/search/homes/areaId%3D20339%26areaId%3D20015

A potentially dangerous Request.Path value was detected from the client (&).

Doing this:

/api/property/search/homes/?query=areaId%3D20339%26areaId%3D20015

works fine.

How do I solve the routing decoding problem?

tereško
espvar

1 Answer

30

Scott Hanselman blogged about this. You might want to check the `requestPathInvalidCharacters` property of the `<httpRuntime>` node in your web.config.

Personally I would avoid such characters in the uri portion and simply put those values as query string parameters.

Amal Murali
Darin Dimitrov
  • 12
    +1 Personally I would **avoid** such characters in the uri portion and simply put those values as query string parameters. Can't make it any more bold. – Erik Philips Jan 16 '13 at 21:57
  • You're right. We got it to work with the web.config bypass, but ended up forcing it to be set using query string parameters in the end after all. The reason we wanted it to be part of the URL is because we're using the auto-generated Help-page to create the API reference. And the `routeTemplate` wouldn't let us include a `?` in there, so there was no good way of telling the user to include the `{query}` using query parameters – espvar Jan 17 '13 at 08:28
  • @ErikPhilips Why avoid using perfectly valid characters (&, =, etc.) in the path portion of a URI? The ampersand character is only reserved in the query portion of a URI. – Josh M. Feb 25 '16 at 19:41
  • @JoshM because there are very good, legitimate reasons why `requestpathInvalidCharacters` was created... Simply bypassing it on a whim because of a poor requirement is not a good reason to turn it off. – Erik Philips Feb 25 '16 at 20:55
  • @ErikPhilips I'm asking what those reasons are -- do you have a reference to which you can point me? Thanks. – Josh M. Feb 26 '16 at 00:31
  • 1
    @ErikPhilips Done: http://stackoverflow.com/questions/35653835/why-does-the-default-setting-for-requestpathinvalidcharacters-exclude-otherwis – Josh M. Feb 26 '16 at 14:07
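
The approach the answer recommends, as an added example (not code from the question, the answer, or any commenter): `{query}` is dropped from the route template and bound from the query string, so the default `requestPathInvalidCharacters` list stays untouched. The `WebApiConfig` class name, the members of `SearchResult`, and the parsing of `areaId` values as positive integers are assumptions made for illustration.

```csharp
using System.Collections.Generic;
using System.Net;
using System.Web;
using System.Web.Http;

public static class WebApiConfig // class name assumed for this example
{
    public static void Register(HttpConfiguration config)
    {
        // {query} is no longer a path segment, so '&' and '=' never reach the
        // request path check and web.config keeps its default setting.
        config.Routes.MapHttpRoute(
            name: "PropertiesSearch",
            routeTemplate: "api/property/Search/{category}",
            defaults: new { controller = "Property", action = "Search", category = "common" }
        );
    }
}

// Hypothetical result type; the page does not show SearchResult's members.
public class SearchResult
{
    public string Category { get; set; }
    public IList<int> AreaIds { get; set; }
}

public class PropertyController : ApiController
{
    // GET /api/property/search/homes?query=areaId%3D20339%26areaId%3D20015
    [HttpGet]
    public SearchResult Search(string category, string query = "")
    {
        // Model binding has already decoded the outer value: "areaId=20339&areaId=20015".
        var pairs = HttpUtility.ParseQueryString(query ?? string.Empty);
        var areaIds = new List<int>();
        foreach (var raw in pairs.GetValues("areaId") ?? new string[0])
        {
            int id;
            // Allow-list the inner values instead of passing raw text onward.
            if (!int.TryParse(raw, out id) || id <= 0)
                throw new HttpResponseException(HttpStatusCode.BadRequest);
            areaIds.Add(id);
        }
        return new SearchResult { Category = category, AreaIds = areaIds };
    }
}
```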