2

I uploaded a file in my ASP.NET page with the filename "Ex&#_17.pdf". When I get the file at the backend using Request.Files[0], I get the following error.

A potentially dangerous Request.Files value was detected from the client (filename="Ex&#_17.pdf")

If I change the file name to any of the following, it works fine.

  • "Ex&_#_17.pdf"
  • "Ex#&_17.pdf"
  • "Ex&_17.pdf"
  • "Ex#_17.pdf"

I assume that only &# in the file name is treated as potentially dangerous.

So my question is: are there any other special characters which can produce this error?

I googled this error, but found nothing.

Virendra Yadav

2 Answers

4

By default, MVC tries to detect suspicious values that are sent to the server, resulting in "A potentially dangerous value was detected from the client." errors.

For example, you are not allowed to send <script>alert('hello');</script> in a text input. See ASP.NET MVC A potentially dangerous Request.Form value was detected from the client when using a custom modelbinder for a similar error.

Because &#___; can be used to reference an HTML Entity, the filename Ex&#_17.pdf is suspect. Here is a chart of these codes (thanks Train): The HTML Coded Character Set

You could disable the validation for the file upload:

  • I am not sure if attributing the HttpPostedFileBase property in the ViewModel with [AllowHtml] would work.

  • You can also try to mark the Action method with [ValidateInput(false)].

Or use client-side JavaScript to remove or encode suspicious characters in the filename before posting it, as phonemyatt suggested.

Georg Patscheider
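As an added example (not part of the original answer, and not the framework's own code): a JavaScript model of the default System.Web request-validation pattern check, which flags "<" followed by a letter, "!", "/" or "?", and "&" followed by "#". It shows why only one of the question's filenames is rejected and how a filename can be screened before posting; the function names are hypothetical.

```javascript
// Added example: models the default ASP.NET (System.Web) request-validation
// pattern check so a filename can be pre-screened in the browser.
// Function names are hypothetical, not part of any framework API.

// True if the server's default check would reject the string:
//   '<' followed by a letter, '!', '/' or '?'  (start of a tag or comment)
//   '&' followed by '#'                         (numeric character reference)
// A '<' or '&' in the last position is not flagged.
function isDangerousString(s) {
  for (let i = 0; i < s.length - 1; i++) {
    const next = s[i + 1];
    if (s[i] === '<' && /[A-Za-z!\/?]/.test(next)) return true;
    if (s[i] === '&' && next === '#') return true;
  }
  return false;
}

// Replace '<' or '&' with '_' only where it starts a flagged pair,
// leaving every other character of the name untouched.
function toSafeUploadName(name) {
  let out = '';
  for (let i = 0; i < name.length; i++) {
    out += isDangerousString(name.slice(i, i + 2)) ? '_' : name[i];
  }
  return out;
}

// Browser wiring: post the chosen file under the screened name.
// The third argument of FormData.append sets the filename that is sent.
function buildUploadForm(file) {
  const form = new FormData();
  form.append('file', file, toSafeUploadName(file.name));
  return form;
}

// The filenames from the question: only the first one is flagged.
const questionNames = [
  'Ex&#_17.pdf', 'Ex&_#_17.pdf', 'Ex#&_17.pdf', 'Ex&_17.pdf', 'Ex#_17.pdf',
];
for (const n of questionNames) {
  console.log(n, isDangerousString(n) ? 'rejected' : 'accepted',
              '->', toSafeUploadName(n));
}
```

Screening in the browser only avoids the validation error for legitimate users; the server still has to treat the posted filename as untrusted input.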
2

You're using the syntax for HTML special characters.

&#... are HTML coded markup sets. I would suggest changing it.

Community
Train