8

I have a REST service and when I try to make a call to an item that has a & in its name, I get the above error, which would make sense if I was not encoding the &.

So this would be my call:

http://localhost:57851/myService/Servers/myServer/Repositories/myRepository/Models/Mine%26Yours

You can see "Mine&Yours" has been encoded as "Mine%26Yours" so should be safe.

But the request is being picked up as though I'd not encoded it.

Any ideas?

Edit:

This is not the same as (Getting "A potentially dangerous Request.Path value was detected from the client (&)")

sbarnby71
  • Possible duplicate of [Getting "A potentially dangerous Request.Path value was detected from the client (&)"](http://stackoverflow.com/questions/6025522/getting-a-potentially-dangerous-request-path-value-was-detected-from-the-client) – haraman Oct 21 '15 at 11:11
  • Nope, not a duplication, in that question they were not encoding the &, so yes that should fail. – sbarnby71 Oct 21 '15 at 11:12
  • What do you mean by 'picked up' as though I'd not encoded it? The idea of encoding is to avoid potentially dangerous behaviors, but finally you get the original value on the server side (not encoded). – mikus Oct 21 '15 at 11:15
  • When I say picked up I mean when I enter that above URL into my browser (in this case IE) it shows the error message I've stated. So the value never reaches my service end points. – sbarnby71 Oct 21 '15 at 11:20

2 Answers

14

It makes no difference to ASP.NET whether you encode the & symbol or not. See this answer: https://stackoverflow.com/a/12037000/134761

To allow special characters in your URL path you should modify the requestPathInvalidCharacters parameter in web.config like this:

<httpRuntime requestPathInvalidCharacters="" />

Or if you want to only allow & but disallow all other special chars:

<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\"/>
holdenmcgrohen
  • Hi @holdenmcgrohen, thanks for the info. I'm aware of the requestPathInvalidCharacters setting and wanted to avoid using it and allowing chars like <, >, & being passed in un-checked. – sbarnby71 Oct 22 '15 at 10:23
  • Wanted to see if anyone had a safer way of dealing with this other than allowing potentially dangerous chars in unchecked. – sbarnby71 Oct 22 '15 at 10:29
  • A safer way would be to avoid using special characters in path altogether: convert this part of your URL to a parameter (e.g. myRepository?Models=Mine%26Yours) or use some custom encoding/decoding mechanism for special chars – holdenmcgrohen Oct 22 '15 at 10:46
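
One way to build the "custom encoding/decoding mechanism" mentioned in the last comment above is to base64url-encode the model name, so the path segment contains only letters, digits, `-` and `_` and `requestPathInvalidCharacters` can stay at its default. This is an added example, not code from the thread; `PathSegmentCodec`, its method names and the 256-character limit are assumptions.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Added example: PathSegmentCodec and the 256-char limit are assumptions.
public static class PathSegmentCodec
{
    // base64url alphabet only; \z (not $) so a trailing newline is rejected
    private static readonly Regex Encoded = new Regex(@"^[A-Za-z0-9_-]+\z");
    // throwOnInvalidBytes: malformed UTF-8 fails instead of becoming U+FFFD
    private static readonly UTF8Encoding StrictUtf8 = new UTF8Encoding(false, true);

    // Client side: turn any name into a segment ASP.NET never rejects.
    public static string Encode(string name)
    {
        if (string.IsNullOrEmpty(name)) throw new ArgumentException("name is required", "name");
        return Convert.ToBase64String(StrictUtf8.GetBytes(name))
                      .TrimEnd('=').Replace('+', '-').Replace('/', '_');
    }

    // Server side: decode, then validate the decoded name before using it.
    public static bool TryDecode(string segment, out string name)
    {
        name = null;
        if (segment == null || segment.Length > 256 || !Encoded.IsMatch(segment)) return false;
        string b64 = segment.Replace('-', '+').Replace('_', '/');
        int rem = b64.Length % 4;
        if (rem == 1) return false;                   // impossible base64 length
        if (rem > 0) b64 += new string('=', 4 - rem); // restore stripped padding
        string decoded;
        try { decoded = StrictUtf8.GetString(Convert.FromBase64String(b64)); }
        catch (FormatException) { return false; }
        catch (ArgumentException) { return false; }   // includes DecoderFallbackException
        // The name is raw text again: refuse control chars and path separators.
        foreach (char c in decoded)
            if (char.IsControl(c) || c == '/' || c == '\\') return false;
        name = decoded;
        return true;
    }

    public static void Main()
    {
        string segment = Encode("Mine&Yours");
        Console.WriteLine("/myService/Servers/myServer/Repositories/myRepository/Models/" + segment);
        string name;
        Console.WriteLine(TryDecode(segment, out name) ? name : "rejected");
        Console.WriteLine(TryDecode("Mine&Yours", out name) ? name : "rejected"); // raw name is refused
    }
}
```

The decoded name is still untrusted input once it reaches the service: look it up through parameterized queries and encode it on output.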
0

Expanding on holdenmcgrohen's answer, you can limit the changes to just a particular path if you wish:

  <location path="documents">
    <system.web>
      <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\"/>
    </system.web>
  </location>
Matthew Lock