Getting "A potentially dangerous Request.Path value was detected from the client (&)"

asp.net-mvc asp.net-mvc-3

I've got a legacy code issue that requires that I support random urls as if they were requests for the home page. Some of the URLs have characters in them that generate the error "A potentially dangerous Request.Path value was detected from the client (&)". The site is written with ASP.Net MVC 3 (in C#) and is running on IIS 7.5.

Here's an example URL...

http://mywebsite.com/Test123/This_&_That

Here's how I have my catch-all route setup (I have other routes to catch specific pages)...

routes.MapRoute(
    "Default", // Route name
    "{garb1}/{garb2}", // URL with parameters
    new { controller = "Website", action = "Home", garb1 = UrlParameter.Optional, garb2 = UrlParameter.Optional } // Parameter defaults
);

I've added the following things to my web.config file...

<configuration>
    <system.web>
        <pages validateRequest="false" />
        <httpRuntime requestValidationMode="2.0" />
    </system.web>
<configuration>

I've also Added the ValidateInput attribute to the action that should be catching the urls...

public class WebsiteController : Controller
{
    [ValidateInput(false)]
    public ActionResult Home()
    {
        return View();
    }
}

But I'm still getting the error. Any ideas why? Did I miss something? Right now I'm just running on my local dev server (I haven't tried these fixes in production yet).


Solution 1:

While you could try these settings in config file

<system.web>
    <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
    <pages validateRequest="false" />
</system.web>

I would avoid using characters like '&' in URL path replacing them with underscores.

Solution 2:

I have faced this type of error. to call a function from the razor.

public ActionResult EditorAjax(int id, int? jobId, string type = ""){}

solved that by changing the line

from

<a href="/ScreeningQuestion/EditorAjax/5&jobId=2&type=additional" />

to

<a href="/ScreeningQuestion/EditorAjax/?id=5&jobId=2&type=additional" />

where my route.config is

routes.MapRoute(
            "Default", // Route name
            "{controller}/{action}/{id}", // URL with parameters
            new { controller = "Home", action = "Index", id = UrlParameter.Optional }, new string[] { "RPMS.Controllers" } // Parameter defaults
        );

Related

Is there an easy way to attach source in Eclipse?
How to reset (clear) form through JavaScript?
Trying to Understand Asynchronous Operation Subclass
Is it possible to connect an iPhone/iPad via WiFi Protected Setup (WPS)?
Uninstalling macOS App Extensions from System Preferences
Disable autosave in Preview
iOS apps "could not be purchased at this time"
How do I prevent prompts to update to iOS 10
Rosetta 2 installation on M1 MBP fails
NoScript for Safari
How to take a full length screenshot of the iPhone Messages app?
Why doesn't my calendar alert me when events are upcoming?