2

I am receiving this message from a site hosted publicly:

System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (&).

I have read articles about using:

<httpRuntime requestPathInvalidCharacters="" />

Not sure how to incorporate or resolve these type of potential dangerous requests. I may not be understanding something.

Thanks for any help understanding...

Damith
  • 62,401
  • 13
  • 102
  • 153
obautista
  • 3,517
  • 13
  • 48
  • 83

1 Answers1

2

Try setting ValidateRequest="false" in the page directive. Depending on what version of ASP.NET you're using, you may also need to add the following web.config setting:

<httpRuntime requestValidationMode="2.0" />

Important Note

By disabling the default request validation, you should be prepared to detect and handle potentially malicious content manually in your logic.

James Johnson
  • 45,496
  • 8
  • 73
  • 110
  • I am using 4.0. Can you tell me what ValidateRequest and requestValidationMode does? – obautista Nov 09 '11 at 18:14
  • Okay, then you'll probably need the `web.config` setting. – James Johnson Nov 09 '11 at 18:14
  • 1
    `ValidateRequest` determines whether ASP.NET should examine the input from the browser for potentially dangerous values. For example, request validation would throw an exception if an input contained markup of any sort. – James Johnson Nov 09 '11 at 18:17
  • So I do not want to allow potentially dangerous requests. So I do not want to turn off ValidateRequest in page directive, correct? I am trying to determine if I need to do anything special for this or if leaving the way I have it is okay (to not allow dangerous requests). I currently do not have requestValidationMode in my webconfig. – obautista Nov 09 '11 at 19:26
  • If you're getting that error, you probably *do* want to turn off request validation. – James Johnson Nov 09 '11 at 19:34
  • I am getting that error if someone tries to browse something like this: wwww.domain.com/& so getting the error is good because that isnt a valid page request. Actually have ELMAH configured, so I am notified when the site throws any kind of exceptions. – obautista Nov 09 '11 at 19:43
  • 1
    @JamesJohnson: Just because you are seeing this error does not at all imply tat you should turn off request validation! Did you consider that those requests could be malicious? What is the web app supposed to do with them anyways if they are invalid? – Oliver Jun 27 '12 at 17:26
  • @Oliver: In turning it off, you do so with the knowledge that you will be responsible for detecting and handling any potentially malicious code. There's no other way around it in ASP.NET, as any kind of markup whatsoever will trigger the request validation. It probably is worth mentioning this in my answer though, so I appreciate the comment. – James Johnson Jun 27 '12 at 17:42
  • @JamesJohnson: thanks for the update - I think it's important to make people aware of the pitfalls of such changes, especially for potentially more unexperienced folks. – Oliver Jun 27 '12 at 17:51
  • @JamesJohnson Could you add a way to disable the warnings noise? One may not want to disable it, but keep it quiet, the logs get spammed. – Ricardo C Jan 26 '15 at 16:22