Getting “A potentially dangerous Request.Path value was detected from the client (&)”

6
votes

I have a REST Service and when I try and make a call to an item that has a & in it's name, I get the above error, which would make sense if I was not encoded the &

So this would be my call:

http://localhost:57851/myService/Servers/myServer/Repositories/myRepository/Models/Mine%26Yours

You can see "Mine&Yours" has been encoded as "Mine%26Yours" so should be safe.

But the request is being picked up as though I'd not encoded it.

Any ideas?

Edit:

This is not the same as (Getting "A potentially dangerous Request.Path value was detected from the client (&)")

2
asp.net-mvcvb.netrest
Possible duplicate of Getting "A potentially dangerous Request.Path value was detected from the client (&)"haraman
nope, not a duplication, in that question they were not encoding the &, so yes that should fail.sbarnby71
what do you mean by is 'picked up' as though i'd not encode it? the idea of encoding is to avoid potential dangerous behaviors, but finally you get the original value on the server side (not encoded)mikus
When I say picked up I mean when I enter that above url into my Browser (in This case IE) it shows the error message I've stated. So the value never reaches my service end points.sbarnby71

2 Answers

10
votes

It makes no difference to ASP.NET whether you encode the & symbol or not. See this answer: https://stackoverflow.com/a/12037000/134761

To allow special characters in your URL path you should modify the requestPathInvalidCharacters parameter in web.config like this:

<httpRuntime requestPathInvalidCharacters="" />

Or if you want to only allow & but disallow all other special chars:

<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\"/>
0
votes

Expanding on holdenmcgrohen answer you can limit the changes just to a particular path if you wish 

  <location path="documents">
    <system.web>
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\"/>
    </system.web>
  </location>