How to resolve "potentially dangerous" parameter values?

Question

How to resolve "potentially dangerous" parameter values?

I have a web API project. One of my endpoints allows for string searches that can contain special characters.

[RoutePrefix("api/Search")]
[ValidateInput(false)] // this is *supposed* to allow us to search using "unsafe" characters, like %, & etc.
public class SearchController : ApiController
{
    ...
    [HttpGet]
    [Route("{searchValue}", Name = "GenericSearch")]
    public async Task<IHttpActionResult> Search(string searchValue)
    {
        ...
    }
}

When I call api/Search/fred

it works as expected.

When I call api/Search/fred%25

I get this error:

[HttpException (0x80004005): A potentially dangerous Request.Path value was found on the client (%).] System.Web.HttpRequest.ValidateInputIfRequiredByConfig () +561 System.Web.PipelineStepManager.ValidateHelper (context + HttpContext)

This even though my controller is decorated [ValidateInput(false)]

and based on other answers I found elsewhere, I added requestValidationMode

to my Web.config:

<system.web>
  ...
  <httpRuntime requestValidationMode="2.0" />
</system.web>

What other secret switch do I need to flip?

+3

c # asp.net-web-api

Shaul behr May 09 '17 at 11:48

source to share

1 answer

Mark C. · Accepted Answer · 2017-05-09T12:11:49+0000

You are missing the httpRuntime attribute to resolve invalid characters.

<httpRuntime requestPathInvalidCharacters="" requestValidationMode="2.0" />

How to resolve "potentially dangerous" parameter values?

More articles: