0

I need to send an id to my MVC controller method, which is sent from a json call. At the end, I need to refresh the screen. This is working fine:

    window.location.href = '/Reports/SpendingByCategoryByMonth/' + categoryId;

However, I need to send more than one parameter now. So, my controller method takes two named parameters, and I try to call my controller like this:

    window.location.href = '/Reports/SpendingByCategoryByMonth/categoryId=' + categoryId + '&subCategoryId=' + subCategoryId;

But I get the error:

    A potentially dangerous Request.Path value was detected from the client (&).

Is there a better way to do this - or, how do I fix this?

Craig
  • 3
    You are missing `?`. – Ram Nov 14 '14 at 23:24
  • Try `window.location.href = '/Reports/SpendingByCategoryByMonth?categoryId=' + categoryId + '&subCategoryId=' + subCategoryId;` –  Nov 14 '14 at 23:24

2 Answers

3

In the first case:

    window.location.href = '/Reports/SpendingByCategoryByMonth/' + categoryId;

You're probably using the default route that is generated when you create a new project (the id is an optional param):

    routes.MapRoute(
        "Default", // Route name
        "{controller}/{action}/{id}", // URL with parameters
        new { controller = "Home", action = "Index", id = UrlParameter.Optional } // Parameter defaults
    );

Your URL doesn't have potential XSS chars in it.

The second URL is probably not supported by your server (only if you created a relevant routing), but if it is, you should read here and here to solve your problem.

The best practice is to use a url like this:

    /Controller/Action?param1=abc&param2=deg
Amir Popovich
0

Why don't you use the power of MVC routing to help you?

Create a new route

    routes.MapRoute(
        name: "Spending report by month",
        url: "Reports/SpendingByCategoryByMonth/{categoryId}/{subCategoryId}",
        defaults: new { controller = "Reports", action = "SpendingByCategoryByMonth" },
        constraints: new { categoryId = @"\d+", subCategoryId = @"\d+" });

Make sure this appears before

    routes.MapRoute(
        name: "Default",
        url: "{controller}/{action}/{id}",
        defaults: new { controller = "Home", action = "Index", id = UrlParameter.Optional });

Then you could change the href to be:

    window.location.href = '/Reports/SpendingByCategoryByMonth/' + categoryId + '/' + subCategoryId;

e.g.

    http://localhost:54313/Reports/SpendingByCategoryByMonth/1/2

Controller

    public ActionResult SpendingByCategoryByMonth(int categoryId, int subCategoryId)

No need for any & or ? characters at all in the href url.

Note: I'm assuming the category ID values are int. If they are not, then simply remove the constraints section of the route mapping.

Jason Evans
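The two URL shapes suggested in the answers above (query string and route segments), as an added example that is not code from the question or from either answer. It also approximates the server-side path check to show why the original URL was rejected. The helper names `findRejectedPathChars`, `queryStringUrl` and `routeSegmentUrl` are hypothetical, and the character list is the ASP.NET 4 default for `requestPathInvalidCharacters`, assumed unchanged in `web.config`.

```javascript
// Added example. Helper names are hypothetical, not part of ASP.NET or the page.
const REPORT_PATH = '/Reports/SpendingByCategoryByMonth';
// ASP.NET 4 default for <httpRuntime requestPathInvalidCharacters>.
const PATH_INVALID = ['<', '>', '*', '%', '&', ':', '\\', '?'];

// Approximates the server-side check for a site-relative URL: Request.Path is
// the decoded path, so an encoded "%26" is still seen as "&". The query string
// and fragment are not part of the path and are excluded.
function findRejectedPathChars(url) {
  const rawPath = url.split(/[?#]/, 1)[0];
  let path;
  try {
    path = decodeURIComponent(rawPath);
  } catch (e) {
    return ['%']; // malformed percent-escape: a literal "%" reaches the path
  }
  return PATH_INVALID.filter((ch) => path.includes(ch));
}

// Query-string form: URLSearchParams percent-encodes both names and values.
function queryStringUrl(categoryId, subCategoryId) {
  const qs = new URLSearchParams({
    categoryId: String(categoryId),
    subCategoryId: String(subCategoryId),
  });
  return `${REPORT_PATH}?${qs}`;
}

// Route-segment form: only digits are accepted, mirroring the \d+ constraint.
function routeSegmentUrl(categoryId, subCategoryId) {
  const ids = [categoryId, subCategoryId].map((v) => {
    const s = String(v);
    if (!/^\d+$/.test(s)) throw new TypeError(`id must be digits only: "${s}"`);
    return s;
  });
  return [REPORT_PATH, ...ids].join('/');
}

// Constructed sample: the URL shape from the question, with ids 1 and 2.
const broken = REPORT_PATH + '/categoryId=' + 1 + '&subCategoryId=' + 2;
console.log(findRejectedPathChars(broken));               // [ '&' ]
console.log(findRejectedPathChars(queryStringUrl(1, 2))); // []
console.log(routeSegmentUrl(1, 2)); // /Reports/SpendingByCategoryByMonth/1/2
```

Percent-encoding the `&` inside the path does not help, because the check runs on the decoded path; the separator has to move into the query string or be replaced by `/` segments.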