[RESOLVED] Validation Issues with .NET 4.0 and MVC 2

Hi,

I receive the following error when I try to access a page link that says http://localhost:4199/Movie/Hide_%26_Seek. How do I resolve this issue?

 A potentially dangerous Request.Path value was detected from the client (&).

 

Here are the details of the sample code.

I have a main page that lists movies from the database. The name I receive from DB is "Hide & Seek"

in Movies.aspx the movie names are listed as below

<% foreach (var movie in Model) { %>
<div class="item">
<%: Html.RouteLink(movie.name, new { controller = "Movie", action = "Show", name = movie.name.Replace(" ", "_") })%>
</div>
<% } %>

With the above code it displays the name correctly as “Hide & Seek”, but the link generated reads as “Hide_%26_Seek”.

First, the link always shows %26 and not “&”.

Second, upon clicking the link it shows the following error.

“A potentially dangerous Request.Path value was detected from the client (&).”

 

As per the MSDN docs, I have also tried the following custom validation code:

 

using System.Web.Util; // RequestValidator, RequestValidationSource

namespace Mc.Web.Validation
{
    public class CustomRequest : RequestValidator
    {
        protected override bool IsValidRequestString(System.Web.HttpContext context, string value, RequestValidationSource requestValidationSource, string collectionKey, out int validationFailureIndex)
        {
            validationFailureIndex = -1;  //Set a default value for the out parameter.

            //This application does not use RawUrl directly so you can ignore the check.
            if (requestValidationSource == RequestValidationSource.RawUrl)
                return true;

            //Allow the query-string key "data" to carry a value that contains "_&_".
            if ((requestValidationSource == RequestValidationSource.QueryString) && (collectionKey == "data"))
            {
                //A query-string value containing "_&_" is allowed.
                if (value.Contains("_&_"))
                {
                    validationFailureIndex = -1;
                    return true;
                }
                return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
            }
            //All other HTTP input checks are left to the base ASP.NET implementation.
            return base.IsValidRequestString(context, value, requestValidationSource, collectionKey, out validationFailureIndex);
        }
    }
}

and added the following line to the web.config

<httpRuntime requestValidationType="Mc.Web.Validation.CustomRequest"/>

But the problem still exists. Any help is appreciated.

 

thanks and regards

Navin

 

 

It is interesting why you are getting this

nkpatro

 A potentially dangerous Request.Path value was detected from the client (&).

instead of Bad Request; & is not allowed in the URL path

http://www.asp.net/LEARN/whitepapers/aspnet4/#0.2__Toc253429244


Hi Imran,

Thanks for the link. Making the following changes in the web.config resolves the bad request issue.

<httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?" />

However, this doesn’t resolve the decoding issue yet. My URL still shows "%26" and not "&".

Any suggestions please.

 

regards

Navin

This is not a problem, man, because %26 represents &

Open Google and type & abc, then you will find the result is something like

http://www.google.com.pk/search?q=%26+abc

Are you still getting the error?

imran_ku07

This is not a problem, man, because %26 represents &

Open Google and type & abc, then you will find the result is something like

http://www.google.com.pk/search?q=%26+abc

Are you still getting the error?

 

 

I don’t get the error now. But how do I get rid of the %26.

I want to display "&" in the url and not "%26".

In fact this works fine with .net framework 3.5 and MVC 2. But doesn’t work with .net framework 4.0

Is there a work around for this??

 

thanks

Navin

 

 Does

<httpRuntime requestValidationMode="2.0"/>

 

make any difference?

Knecke

 Does


<httpRuntime requestValidationMode="2.0"/>

 

make any difference?

 

 

I tried that already. That didn’t help me either.

 

Sorry, but I don’t really understand why you want it to appear as & in the URL. You are not using that part of the URL as some parameter in your action, are you? Is it just for displaying some human-readable URL?

<%: MvcHtmlString.Create(Html.RouteLink(movie.name, new { controller = "Movie", action = "Show", name = movie.name.Replace(" ", "_") }).ToString().Replace("%26", "&")) %>

Knecke

Sorry, but I don’t really understand why you want it to appear as & in the URL. You are not using that part of the URL as some parameter in your action, are you? Is it just for displaying some human-readable URL?

 

 

Yes, I’m using that part of the URL as a parameter in my action. I still get the desired return value with "%26".

However, I want to have a human-readable URL.

 

imran_ku07

<%: MvcHtmlString.Create(Html.RouteLink(movie.name, new { controller = "Movie", action = "Show", name = movie.name.Replace(" ", "_") }).ToString().Replace("%26", "&")) %>

 

 

I don’t want to replace the character this way, as the database is all German text.

I will have strings like "Geschäftskunden" which will read the url as "Gesch%C3%A4ftskunden"

So, this string must be decoded.

any inputs are appreciated.

 

Regards

Navin

 I think that you may run into a problem this way since & in url is considered a querystring and will be parsed as such by asp.net routing handler.

Unless you can hijack that some way and decode it before the routing is done.

 

I may be wrong about this and maybe it is possible to fix, but ? and & in URLs are quite good to stay away from unless they are querystring parameters.

nkpatro

I don’t want to replace the character this way, as the database is all German text.

I will have strings like "Geschäftskunden" which will read the url as "Gesch%C3%A4ftskunden"

So, this string must be decoded.

any inputs are appreciated.

I am only replacing %26 to &, not encoding complete string.


Knecke

 I think that you may run into a problem this way since & in url is considered a querystring and will be parsed as such by asp.net routing handler.

Unless you can hijack that some way and decode it before the routing is done. 

I may be wrong about this and maybe it is possible to fix, but ? and & in URLs are quite good to stay away from unless they are querystring parameters.

 

The problem is not just & here. I can get rid of & by replacing it with "And". But I am still locked with the decoding issue for the German text in the URL. I’m sure there should be a way out for this, otherwise one cannot have a URL other than in English.

In fact my previous posting was just about this issue. That worked well in .NET Framework 3.5 with MVC 2, but broke again with .NET Framework 4.0 with MVC 2.

imran_ku07

nkpatro

I don’t want to replace the character this way, as the database is all German text.

I will have strings like "Geschäftskunden" which will read the url as "Gesch%C3%A4ftskunden"

So, this string must be decoded.

any inputs are appreciated.

I am only replacing %26 to &, not encoding complete string.

 

Yes, but the problem is not just replacing %26 with &.

I’m also getting "Gesch%C3%A4ftskunden" in the URL instead of "Geschäftskunden", which is not readable. Replacing %26 with & would not help me resolve the issue. How do I decode all the above characters?

Otherwise I will end up writing replacement code for each character, such as %C3%A4 to ä.

 

Replacing

with


resolves the issue.

It looks like the following new feature in .net framework 4.0 doesn't prove to be very useful.

<%: %>

If someone has a better solution, please share with us.

 

thanks

Navin

Honestly, I don’t know if you are supposed to use <%: in this case.

I think that syntax is more used when displaying text that users have entered, to encode it into HTML for the purpose of securing the site against XSS attacks and such.

But what are you trying to accomplish? Have a URL that looks nice OR have a URL that actually works? If you want it to look nice you can end up with a lot of strange errors with characters that are not allowed in URLs.

But I’m still not sure that I understand exactly your problem.

nkpatro

HttpUtility.UrlDecode(url

This creates a very strange result.

For example, if you have two query strings, then after decoding your query string will not work.

I think it is very important for all of us to know why we encode the URL; check

http://www.blooberry.com/indexdot/html/topics/urlencoding.htm
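
The last reply's point about decoding a URL that carries more than one query-string value, as an added example that is not part of the thread. The route `/Movie/List` and the parameter names `title` and `tag` are made up for illustration, and the sample values are constructed.

```csharp
using System;
using System.Collections.Specialized;
using System.Web; // HttpUtility; needs a reference to System.Web.dll

static class UrlDecodeDemo
{
    // Parse only the query part of a URL into name/value pairs.
    static NameValueCollection Query(string url)
    {
        int q = url.IndexOf('?');
        return HttpUtility.ParseQueryString(q < 0 ? "" : url.Substring(q + 1));
    }

    // Print the URL and the parameters a server would read from it.
    static void Dump(string label, string url)
    {
        NameValueCollection pairs = Query(url);
        Console.WriteLine("{0}: {1}", label, url);
        foreach (string key in pairs.AllKeys)
            Console.WriteLine("    [{0}] = [{1}]", key ?? "(no name)", pairs[key]);
    }

    static void Main()
    {
        // Constructed sample values taken from the strings quoted in the thread.
        string title = "Hide & Seek";
        string tag = "Geschäftskunden";

        // Each value is encoded on its own; the '?', '=' and '&' delimiters
        // are added afterwards, so they stay distinguishable from data.
        string encoded = "/Movie/List?title=" + HttpUtility.UrlEncode(title)
                       + "&tag=" + HttpUtility.UrlEncode(tag);
        Dump("encoded", encoded);

        // Decoding the whole URL turns the '&' inside the title into a
        // parameter separator, so the parsed parameters change.
        Dump("decoded", HttpUtility.UrlDecode(encoded));
    }
}
```

Run it against the .NET Framework with a reference to System.Web. In the decoded form the `&` that belonged to the title is read as a separator, so `title` no longer carries the full name.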
