How to resolve "potentially dangerous" parameter values?
I have a web API project. One of my endpoints allows for string searches that can contain special characters.
using System.Threading.Tasks;
using System.Web.Http;   // ApiController, RoutePrefix, Route, HttpGet
using System.Web.Mvc;    // ValidateInput

[RoutePrefix("api/Search")]
[ValidateInput(false)] // this is *supposed* to allow us to search using "unsafe" characters, like %, & etc.
public class SearchController : ApiController
{
    ...
    [HttpGet]
    [Route("{searchValue}", Name = "GenericSearch")]
    public async Task<IHttpActionResult> Search(string searchValue)
    {
        ...
    }
}
When I call api/Search/fred it works as expected.
When I call api/Search/fred%25 I get this error:
[HttpException (0x80004005): A potentially dangerous Request.Path value was found on the client (%).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +561
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context)
This is even though my controller is decorated with [ValidateInput(false)], and, based on other answers I found elsewhere, I added requestValidationMode to my Web.config:
<system.web>
    ...
    <httpRuntime requestValidationMode="2.0" />
</system.web>
What other secret switch do I need to flip?