MVC WEB API routing fails when url contains encoded ampersand
Scott Hanselman blogged about this. You might want to check the requestPathInvalidCharacters property of the <httpRuntime> node in your web.config.
Personally I would avoid such characters in the uri portion and simply put those values as query string parameters.
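The setting this answer points to, shown as an added example that is not part of the original answer. The default list is the one ASP.NET 4 ships with; the relaxed list removes only the ampersand and keeps every other entry.

```xml
<!-- web.config fragment (added example). Merge the attribute into the
     <httpRuntime> element the application already has. -->
<configuration>
  <system.web>
    <!--
      Default on .NET 4.0 and later, shown for comparison. The path is checked
      after URL-decoding, so %26 in a path segment arrives as "&" and the
      request is rejected with "A potentially dangerous Request.Path value":

      <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />
    -->

    <!-- Relaxed: "&" is the only character removed. The setting applies to
         every request path in the application, not just one route. -->
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" />

    <!--
      Alternative that leaves the default untouched: keep the search terms out
      of the path and pass them in the query string, which this check does not
      inspect:

      /api/property/search/homes/?query=areaId%3D20339%26areaId%3D20015
    -->
  </system.web>
</configuration>
```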
Author: espvar
Updated on March 22, 2020
Comments
-
espvar about 4 years
When I call my web service, which takes two parameters, I get:
A potentially dangerous Request.Path value was detected from the client (&).
Route config:
config.Routes.MapHttpRoute(
    name: "PropertiesSearch",
    routeTemplate: "api/property/Search/{category}/{query}",
    defaults: new { controller = "Property", action = "Search", category = "common", query = string.Empty }
);
Controller method:
[HttpGet]
public SearchResult Search(string category, string query)
{
}
When I call the API with:
/api/property/search/homes/areaId%3D20339%26areaId%3D20015
A potentially dangerous Request.Path value was detected from the client (&).
Doing this:
/api/property/search/homes/?query=areaId%3D20339%26areaId%3D20015
works fine.
How do I solve the routing decoding problem?
-
Erik Philips over 11 years
+1 Personally I would avoid such characters in the uri portion and simply put those values as query string parameters. Can't make it any more bold.
-
espvar over 11 years
You're right. We got it to work with the web.config bypass, but ended up forcing it to be set using query string parameters in the end after all. The reason we wanted it to be part of the URL is because we're using the auto-generated Help-page to create the API reference. And the routeTemplate wouldn't let us include a ? in there, so there was no good way of telling the user to include the {query} using query parameters
-
Josh M. about 8 years
@ErikPhilips Why avoid using perfectly valid characters (&, =, etc.) in the path portion of a URI? The ampersand character is only reserved in the query portion of a URI.
-
Erik Philips about 8 years
@JoshM because there are very good, legitimate reasons why requestPathInvalidCharacters was created... Simply bypassing it on a whim because of a poor requirement is not a good reason to turn it off.
-
Josh M. about 8 years
@ErikPhilips I'm asking what those reasons are -- do you have a reference to which you can point me? Thanks.
-
Josh M. about 8 years
@ErikPhilips Done: stackoverflow.com/questions/35653835/…