How to remove characters to avoid .NET Request Validation Error (A potentially dangerous Request.Path value was detected from the client)

In .NET Framework 4, URL checking (request validation) works differently from .NET 2.0. This is the error you will see when you run into it:

Server Error in '/' Application.
A potentially dangerous Request.Path value was detected from the client

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client

If you have control over the URL, you can avoid using disallowed characters. The characters checked by default are:
< > * % & : \

If you set your URLs programmatically, e.g. from information in a database, simply replace these characters with something allowed.
For example (VB.NET):
[code]
strUrl = strUrl.Replace("&", "-")
[/code]
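
The same replacement applied to every character in the list above, as an added example that is not code from the original post. The helper name `ToSafePathSegment`, the `item` fallback, the whitespace handling and the sample values are assumptions made for illustration.

```vbnet
Imports System
Imports System.Text

Module UrlSegmentExample

    ' Characters the post lists as rejected by default in Request.Path.
    Private ReadOnly InvalidPathChars As Char() = {"<"c, ">"c, "*"c, "%"c, "&"c, ":"c, "\"c}

    ' Hypothetical helper: turns a database value into a single URL path segment.
    Public Function ToSafePathSegment(ByVal value As String,
                                      Optional ByVal fallback As String = "item") As String
        If String.IsNullOrEmpty(value) Then Return fallback

        Dim sb As New StringBuilder(value.Length)
        Dim lastWasDash As Boolean = False

        For Each ch As Char In value.Trim()
            ' Assumption: whitespace and existing dashes are folded in as well,
            ' so "a & b" becomes "a-b" rather than "a - b".
            Dim replaceIt As Boolean = Array.IndexOf(InvalidPathChars, ch) >= 0 _
                                       OrElse Char.IsWhiteSpace(ch) OrElse ch = "-"c
            If replaceIt Then
                ' Collapse runs of replaced characters into one dash.
                If Not lastWasDash Then sb.Append("-"c)
                lastWasDash = True
            Else
                sb.Append(ch)
                lastWasDash = False
            End If
        Next

        ' A value made only of rejected characters would leave an empty segment.
        Dim result As String = sb.ToString().Trim("-"c)
        Return If(result.Length = 0, fallback, result)
    End Function

    Sub Main()
        ' Constructed sample values, as they might come from a database column.
        Dim samples As String() = {"Fish & Chips", "50% off: today", "C:\temp\<draft>", "&&&"}
        For Each s As String In samples
            Console.WriteLine("{0,-18} -> /products/{1}", s, ToSafePathSegment(s))
        Next
    End Sub

End Module
```

Because different source values can map to the same segment, look records up by an ID carried elsewhere in the URL rather than by the cleaned text.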

Another method is to revert to .NET 2.0 request validation and/or change the set of characters that is validated. Both are set on the httpRuntime element in the web.config file:
[code]
<httpRuntime requestValidationMode="2.0" requestPathInvalidCharacters="*,%,:" />
[/code]

I, however, prefer the first method, as request validation is a good thing: the purpose is to secure your site from injection attacks.

More info:
HttpRuntimeSection.RequestValidationMode Property
HttpRuntimeSection.RequestPathInvalidCharacters Property
