
I'm still a bit new to ASP.Net MVC and Custom Routing and I'm not quite sure how to ask this question other than to post the URL link and the route that I'm using and ask for advice.

The problem is:

A potentially dangerous Request.Path value was detected from the client (&).

This is being caused by an "&" symbol inside my link:

http://localhost/search/cars-&-motorcycles

And, here's my route:

routes.MapRoute(
    "CategorySearch",
    "category/{searchcriteria}",
    new { controller = "Listing", action = "Index", isCategory = true, searchcriteria = UrlParameter.Optional }
);

What I want to do is strip out the "&" from the optional parameter before it gets passed; hopefully that will correct the "potentially dangerous" issue that I'm experiencing. I've tried to use

UrlParameter.Optional.ToString().Replace("&", "")

Is it even possible to strip out that "&" symbol from somewhere inside the Route.MapRoute method at all?

Mystus
  • Isn't this easily solvable by just percent-encoding the ampersand? http://stackoverflow.com/q/16622504 – Robert Harvey Jun 01 '14 at 23:05
  • Thanks Robert, I was trying to react to the incoming invalid symbol, instead of changing it to send the encoded symbol as you and itsme86 suggested. – Mystus Jun 02 '14 at 00:06

1 Answer


You can encode it using HtmlHelper.Encode:

string encodedUrl = HtmlHelper.Encode("http://localhost/search/cars-&-motorcyles");
Robert Harvey
itsme86
  • Can you do this within the routing engine? – Robert Harvey Jun 01 '14 at 23:19
  • That was really my main question, and although this solution solves it for me, I was actually wanting to do this inside the actual routing engine itself to handle if and when a user enters an invalid symbol in a search text box. Instead I'll need to strip it before posting the data. – Mystus Jun 02 '14 at 00:07
  • If I recall correctly, the *"potentially dangerous Request"* (request validation) is triggered very early in the request pipeline. I suspect it will be thrown before it gets to your routing. You would have to [disable request validation](http://msdn.microsoft.com/en-us/library/hh882339(v=vs.110).aspx). I would do that anyway. – Rowan Freeman Jun 02 '14 at 01:04
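
An added example, not code from the question or the answer: one way to build the `{searchcriteria}` segment from free-form search text before the link or redirect is generated, using an allowlist so that none of the characters in ASP.NET's default `requestPathInvalidCharacters` list (`<,>,*,%,&,:,\,?`) ever reach the request path. The class and method names are hypothetical, and the sample inputs are constructed.

```csharp
using System;
using System.Text;

// Hypothetical helper, not part of ASP.NET MVC.
public static class PathSegmentSanitizer
{
    // Allowlist approach: keep letters and digits, collapse every other
    // character (spaces, '&', '?', ':', '%', '<', '>', '*', '\', '/', ...)
    // into a single dash. Nothing on the default rejected list survives.
    public static string ToSegment(string searchText)
    {
        if (string.IsNullOrWhiteSpace(searchText))
            return string.Empty;

        var sb = new StringBuilder(searchText.Length);
        bool pendingDash = false;

        foreach (char c in searchText)
        {
            if (!char.IsLetterOrDigit(c))
            {
                // Remember that a separator was seen, but only once text exists,
                // so the result never starts with a dash.
                pendingDash = sb.Length > 0;
                continue;
            }
            if (pendingDash)
            {
                sb.Append('-');
                pendingDash = false;
            }
            sb.Append(char.ToLowerInvariant(c));
        }

        // Only letters, digits and dashes remain; non-ASCII letters are
        // percent-encoded as UTF-8 so the segment is a valid URL component.
        return Uri.EscapeDataString(sb.ToString());
    }
}

public static class Demo
{
    public static void Main()
    {
        // Constructed sample inputs.
        foreach (var text in new[] { "Cars & Motorcycles", "cars-&-motorcycles", " <b>parts</b>? " })
            Console.WriteLine("/category/" + PathSegmentSanitizer.ToSegment(text));
    }
}
```

The controller action should still treat `searchcriteria` as untrusted input, since a client can request any path directly without going through this helper.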