15
votes

We have a web API with the following resource URL:

http://www.example.com/book/bookid/name/bookname

Now there are some books whose names contain an ampersand '&', and when a request is made for such names we receive the error below.

URL used:

http://www.example.com/book/123/name/ban&ban

Error: A potentially dangerous Request.Path value was detected from the client (&)

We tried passing the encoded value for &, i.e. %26, and get the same error.

URL used:

http://www.example.com/book/123/name/ban%26ban

Error: A potentially dangerous Request.Path value was detected from the client (&)

Now, when I added the requestPathInvalidCharacters="" attribute to the httpRuntime element in web.config, it started working fine for both of the above URLs. But when I read different articles, it is said that it is not good practice to use requestPathInvalidCharacters="".

Also, since there are a lot of book names in production with "&" and other special characters, we cannot avoid sending the "&" ampersand in book names. Is there a good way to handle this?

Perhaps you need to modify your client logic a bit to ensure an encoded URL doesn't trigger false alarms. Ideally, it shouldn't. (Mikaal Anwar)
How to do that? (Vicky)
Why do you need the name of the book in the URL if you already have a bookid? (Daniel Leach)

1 Answer

12
votes

You should opt for a query-string parameter instead of a path segment. For example: http://www.example.com/book/bookid?name=Fizz&bookname=Buzz

Here's some explanation of why this exception is raised: http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
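The following is an added example, not code from the question or the answer. It models the ASP.NET request-path check in a few lines of Python so you can see why %26 in the path still fails, and shows a client-side URL builder that moves the book name into a query-string value, which is what the answer recommends. The invalid-character set is the documented default of the httpRuntime requestPathInvalidCharacters attribute (`<,>,*,%,&,:,\,?`); the decode-then-scan behaviour follows the Hanselman article linked above. The function names, the base URL and the book names are assumptions made for the demo; the model is simplified and does not reproduce every rule of the real HttpRequest validation.

```python
from urllib.parse import parse_qs, quote, unquote, urlsplit

# Documented default of <httpRuntime requestPathInvalidCharacters="..."> in ASP.NET 4.x.
# Note that '%' itself is in the list, so raw percent signs in a path are rejected too.
ASPNET_DEFAULT_PATH_INVALID = set('<>*%&:\\?')


def aspnet_path_rejects(url, invalid=ASPNET_DEFAULT_PATH_INVALID):
    """Simplified model of ASP.NET's request-path check (assumption: decode, then scan).

    The framework validates Request.Path AFTER percent-decoding it, which is why
    '/name/ban%26ban' is seen as '/name/ban&ban' and still raises
    'A potentially dangerous Request.Path value was detected from the client (&)'.
    Returns the first offending character, or None if the path passes.
    """
    decoded_path = unquote(urlsplit(url).path)
    for ch in decoded_path:
        if ch in invalid:
            return ch
    return None


def build_book_url(base, book_id, name):
    """Client-side builder: the id stays in the path, the name goes in the query string.

    quote(name, safe='') percent-encodes every reserved character, so an '&' inside
    the book name becomes %26 and is not mistaken for a parameter separator.
    The path now contains only the numeric id, so the path check cannot trip on the name.
    """
    return f"{base}/book/{int(book_id)}?name={quote(name, safe='')}"


def read_name(url):
    """Server-side view: what a query-string parser hands back for 'name'."""
    return parse_qs(urlsplit(url).query)["name"][0]


if __name__ == "__main__":
    base = "http://www.example.com"
    for bad in (f"{base}/book/123/name/ban&ban", f"{base}/book/123/name/ban%26ban"):
        print(bad, "->", aspnet_path_rejects(bad))          # both rejected on '&'
    # requestPathInvalidCharacters="" is equivalent to passing an empty set here:
    # the check no longer rejects anything, for every route in the application.
    print(aspnet_path_rejects(f"{base}/book/123/name/ban&ban", invalid=set()))
    ok = build_book_url(base, 123, "Tom & Jerry: Vol. 1")
    print(ok, "->", aspnet_path_rejects(ok), "| name =", read_name(ok))
```

Disabling the check with requestPathInvalidCharacters="" is shown above as `invalid=set()`: it is a global setting, so it also stops rejecting `<`, `>` and `\` in paths of routes that never expected them. Encoding the name as a query-string value keeps the default check intact and round-trips names containing `&`, `:` and spaces unchanged.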