A potentially dangerous Request.Path value was detected from the client (*)
The * character is not allowed in the path of the URL, but there is no problem using it in the query string:
http://localhost:3286/Search/?q=test*
It's not an encoding issue: the * character has no special meaning in a URL, so it doesn't matter whether you URL-encode it or not. You would need to encode it using a different scheme, and then decode it.
For example, using an arbitrary character as an escape character:
query = query.Replace("x", "xxx").Replace("y", "xxy").Replace("*", "xyy");
And decoding:
query = query.Replace("xyy", "*").Replace("xxy", "y").Replace("xxx", "x");
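The answer's x/y substitution is a prefix-free code (x → xxx, y → xxy, * → xyy), which is why the three Replace calls decode unambiguously. The following is an added example, not the answer's code, that generalizes the same idea to every character in ASP.NET's default requestPathInvalidCharacters list plus '/': a single escape character (here '_', an arbitrary choice) is doubled when it occurs literally, and each disallowed character becomes the escape character followed by its four-digit hex code point, so the encoded segment only ever contains characters that are allowed in a path.

```csharp
using System;
using System.Collections.Generic;
using System.Text;

// Added example (not from the original answer): reversible escaping for values
// that must travel in a URL path segment rather than the query string.
static class PathSafe
{
    // Escape character: an arbitrary choice, any path-safe character works.
    const char Escape = '_';

    // Default requestPathInvalidCharacters list (<,>,*,%,&,:,\,?) plus '/',
    // which would otherwise start a new path segment.
    static readonly HashSet<char> Unsafe = new HashSet<char>("<>*%&:\\?/");

    public static string Encode(string s)
    {
        var sb = new StringBuilder(s.Length);
        foreach (char c in s)
        {
            if (c == Escape)
                sb.Append(Escape).Append(Escape);                  // "_"  -> "__"
            else if (Unsafe.Contains(c) || c < 0x20 || c > 0x7e)
                sb.Append(Escape).Append(((int)c).ToString("x4")); // "*"  -> "_002a"
            else
                sb.Append(c);
        }
        return sb.ToString();
    }

    public static string Decode(string s)
    {
        var sb = new StringBuilder(s.Length);
        for (int i = 0; i < s.Length; i++)
        {
            if (s[i] != Escape) { sb.Append(s[i]); continue; }

            // "__" is a literal escape character.
            if (i + 1 < s.Length && s[i + 1] == Escape) { sb.Append(Escape); i++; continue; }

            // "_hhhh" is a code point; anything else is a malformed input and is
            // rejected rather than silently passed through.
            if (i + 4 < s.Length && IsHex(s, i + 1, 4))
            {
                sb.Append((char)Convert.ToInt32(s.Substring(i + 1, 4), 16));
                i += 4;
                continue;
            }
            throw new FormatException("Malformed escape sequence at position " + i);
        }
        return sb.ToString();
    }

    static bool IsHex(string s, int start, int count)
    {
        for (int k = start; k < start + count; k++)
            if (!Uri.IsHexDigit(s[k])) return false;
        return true;
    }

    static void Main()
    {
        // Constructed sample inputs: each must survive an encode/decode round trip.
        string[] samples = { "test*", "a&b=c?d", "50%_off", @"C:\temp", "plain", "_" };
        foreach (string s in samples)
        {
            string enc = Encode(s);
            string dec = Decode(enc);
            Console.WriteLine("{0,-10} -> {1,-24} -> {2}", s, enc, dec);
            if (dec != s) throw new Exception("round trip failed for " + s);
        }
    }
}
```

The encoded form is what goes into the route value; the decoding side should treat a FormatException as a bad request rather than guessing, since a half-decoded value is exactly the kind of input the path check exists to stop.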
Getting A potentially dangerous Request.Path value was detected from the client (&)
While you could try these settings in the config file:
    <system.web>
        <httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />
        <pages validateRequest="false" />
    </system.web>
I would avoid using characters like '&' in the URL path, replacing them with underscores.
Getting “A potentially dangerous Request.Path value was detected from the client (&)”
It makes no difference to ASP.NET whether you encode the & symbol or not. See this answer: https://stackoverflow.com/a/12037000/134761
To allow special characters in your URL path you should modify the requestPathInvalidCharacters parameter in web.config like this:
    <httpRuntime requestPathInvalidCharacters="" />
Or if you want to only allow & but disallow all other special chars:
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,\" />
How to catch A potentially dangerous Request.Path value was detected from the client (:) to avoid web role crash?
The ideal behavior would be that we catch the exception, log it and return some error message without crashing. How should we do that?
Per my understanding, you could leverage the Application_Error event to capture unhandled exception(s) within ASP.NET. Here is my test, you could refer to it:
    // Global.asax.cs
    using System.Text;
    using System.Web;
    using Newtonsoft.Json;

    protected void Application_Error()
    {
        HttpContext httpContext = HttpContext.Current;
        // The unhandled exception that triggered this event.
        var exception = Server.GetLastError();
        // Non-HttpExceptions are wrapped so GetHttpCode() yields 500.
        var httpException = exception as HttpException ?? new HttpException(500, "Internal Server Error", exception);
        var jsonResponse = new
        {
            Message = exception.Message,
            StatusCode = httpException.GetHttpCode(),
            StackTrace = httpException.StackTrace
        };
        httpContext.Response.ContentType = "application/json";
        httpContext.Response.ContentEncoding = Encoding.UTF8;
        httpContext.Response.Write(JsonConvert.SerializeObject(jsonResponse));
        httpContext.Response.End();
    }
Note: You could also redirect to a specific error page.
Moreover, you could leverage the customErrors section in web.config and catch the error page for the specific HTTP error code. Also, you could check the HTTP status code under the Application_EndRequest event and write your custom response; for details you could refer to this similar issue. Additionally, I would recommend you follow Demystifying ASP.NET MVC 5 Error Pages and Error Logging for more details about error handling.
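The handler above returns the exception message and stack trace to the caller, which is convenient for a test but discloses internals to whoever sent the bad path. The following is an added example, not the answer's code, of the same Application_Error approach written for production: the detail (raw URL, exception, stack) goes to the server-side trace log, the request-validation HttpException keeps its 400 status, the client gets a fixed JSON body, and Server.ClearError plus CompleteRequest stop ASP.NET and IIS from replacing the response with their own error pages. It assumes Newtonsoft.Json is referenced, as in the answer.

```csharp
using System;
using System.Diagnostics;
using System.Text;
using System.Web;
using Newtonsoft.Json;

// Added example (not from the original answer): Global.asax code-behind.
public class Global : HttpApplication
{
    protected void Application_Error(object sender, EventArgs e)
    {
        Exception ex = Server.GetLastError();
        if (ex == null) return;

        // Request-validation failures ("A potentially dangerous Request.Path
        // value ...") arrive as HttpException with status 400; anything that is
        // not an HttpException is a genuine server fault.
        var httpEx = ex as HttpException;
        int status = httpEx != null ? httpEx.GetHttpCode() : 500;

        // Full detail stays on the server. RawUrl is the string as the client
        // sent it, which is what you want in the log for this class of error.
        Trace.TraceError("Unhandled exception for {0} {1} -> {2}: {3}",
                         Request.HttpMethod, Request.RawUrl, status, ex);

        string message =
            status == 400 ? "The request contained characters that are not allowed in a URL path."
          : status < 500  ? "The request could not be processed."
          :                 "An internal error occurred.";

        // Clear the error so ASP.NET does not also render the yellow screen,
        // and keep IIS from swapping in its own custom error page.
        Server.ClearError();
        Response.Clear();
        Response.StatusCode = status;
        Response.TrySkipIisCustomErrors = true;
        Response.ContentType = "application/json";
        Response.ContentEncoding = Encoding.UTF8;

        // Fixed, non-revealing body: no exception message, no stack trace.
        Response.Write(JsonConvert.SerializeObject(new { error = message, status = status }));

        // CompleteRequest ends the pipeline without the ThreadAbortException
        // that Response.End() raises on the classic pipeline.
        CompleteRequest();
    }
}
```

Pair this with customErrors mode="On" (or "RemoteOnly") in web.config so that any path this handler does not cover still never shows exception detail to remote clients; the trace listener configured under system.diagnostics decides where Trace.TraceError ends up.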
A potentially dangerous Request.Path value was detected from the client (?)
It dawned on me why the querystring was not showing anything in our logs.
Requests that encode the "?" (%3f) will cause the exception described above to be raised, for example:
/cities/index.aspx%3flocid=4163
The encoded %3f is interpreted as part of the path, hence the exception of "A potentially dangerous Request.Path value was detected from the client (?)".
When I entered the URL shown above in a browser -- the exception is raised and the log does not contain a querystring. So I can only assume everything is functioning as it should and that the requester is encoding the ? when they should not be; basically wrecking the querystring portion of the URL.
We also have requestValidationMode="2.0" in system.web, but DO NOT make use of the requestPathInvalidCharacters (httpRuntime) setting.
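The behaviour described above comes down to where the query string starts: ASP.NET splits on the first literal '?', and only then percent-decodes the path part and checks it against requestPathInvalidCharacters. The following is an added example, not from the original post, that reproduces that split over request targets copied from a log, so you can tell from the logs alone which requests were rejected for an encoded '?' (and therefore never reached the query-string logging). The sample targets are constructed for the example; the character list is the documented default.

```csharp
using System;
using System.Linq;

// Added example (not from the original post): log-triage helper that mimics the
// path/query split and path validation ASP.NET applies to a request target.
static class PathTriage
{
    // Default value of httpRuntime requestPathInvalidCharacters.
    static readonly char[] Invalid = { '<', '>', '*', '%', '&', ':', '\\', '?' };

    // Returns a one-line verdict for the request target as it appeared on the wire.
    public static string Check(string target)
    {
        // The query string begins at the first *literal* '?'; an encoded %3f is
        // not a delimiter and stays in the path.
        int q = target.IndexOf('?');
        string rawPath = q < 0 ? target : target.Substring(0, q);
        string query   = q < 0 ? ""     : target.Substring(q + 1);

        // Validation runs on the decoded path, so %3f becomes '?' and %25 becomes '%'.
        string path = Uri.UnescapeDataString(rawPath);
        char[] bad = path.Where(c => Array.IndexOf(Invalid, c) >= 0).Distinct().ToArray();

        if (bad.Length == 0)
            return string.Format("ok      path={0} query={1}", path, query == "" ? "(none)" : query);

        return string.Format("REJECT  path={0} contains ({1}); no query string reaches the application",
                             path, string.Join(",", bad));
    }

    static void Main()
    {
        // Constructed sample request targets.
        string[] targets =
        {
            "/cities/index.aspx?locid=4163",    // normal: '?' splits off the query
            "/cities/index.aspx%3flocid=4163",  // the post's case: '?' encoded into the path
            "/Search/?q=test*",                 // '*' only in the query: allowed
            "/Search/test*",                    // '*' in the path: rejected
            "/files/100%25.aspx",               // %25 decodes to '%', also rejected
        };
        foreach (string t in targets)
            Console.WriteLine("{0,-36} {1}", t, Check(t));
    }
}
```

Running this over the raw-URL field of the web-server log (which, unlike the application log, still has the query string because IIS records the target before ASP.NET validates it) separates clients that mis-encode the '?' from requests that were genuinely malformed.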