Server Error in '/' Application ... A potentially dangerous Request.Path value was detected ...
When going to pages where the path component of the URL contains any of these special characters ":", "&", "*", "<", ">", "%" or "?", then the server throws the following HttpException which will be logged in the application event log and may be visible in the browser window depending on the configuration of the website:
A potentially dangerous Request.Path value was detected from the client (:). at
When logged in the application event log the full URL which caused the error will also be logged.
When the server processes a URL, breaking it down into a path and a query string, it considers some characters to be illegal as part of the path component. The default configuration treats any of the following characters as illegal in the path:
<, >, *, %, &, :, ?
These are fine (if properly encoded) as part of the URL.
For more information see: HttpRuntimeSection.RequestpathInvalidCharacters Property in MSDN online.
- The best approach is to remove the special characters from the path. These characters should cause no problem if they are passed not as part of the path but as part of the query string. This will necessitate modifying both the web page which is handling the request and those links (or services) which use it.
- If you absolutely need to allow one of these characters then you
can change the configuration to allow it.
The setting to change is the requestPathInvalidCharacters which is
part of the httpRuntime section in the web.config file.
In all likelyhood even if you do have a httpRuntime section in your web.config file then you won't have requestPathInvalidCharacters, so you will need to add it. Be aware that you are using this to specify which characters not to allow, you cannot specify which characters to allow. The default value is:
When setting it you can use the empty string, but it is probably better just to remove those characters which you need. When entering these characters remember to HTML encode them, so given that in my case I needed a colon my web.config file became:
Be aware that any changes will affect your entire site. You cannot configure this on a page by page basis.
Next problem: 404 bad request ... this is because II7 is rejecting the character. See: http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx
These notes are believed to be correct for .NET 4.0, and may apply to other versions as well.
About the author: Brian Cryer is a dedicated software developer and webmaster. For his day job he develops websites and desktop applications as well as providing IT services. He moonlights as a technical author and consultant.