
URL Routing, Image Handler & "A potentially dangerous Request.Path value"


ASP.NET 4.0+ comes with very strict built-in request validation; part of it is a check for potentially dangerous characters in the URL, which may be used in XSS attacks. Here are the default invalid characters in the URL:

< > * % & : \ ?

You can change this behavior in your config file:

<system.web>
    <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,&amp;,:,\,?" />
</system.web>

Or get back to .Net 2.0 validation:

<system.web>
    <httpRuntime requestValidationMode="2.0" />
</system.web>

A very common invalid character is %, so if by any chance (attack, web crawlers, or just some non-standard browser) the URL is being escaped, you get this:

www.amadeupurl.co.uk/ImageHandler.ashx/%3Fi%3D3604

instead of this:

www.amadeupurl.co.uk/ImageHandler.ashx/?i=3604

Note that %3F is the escape character for ?. The character is considered invalid by the ASP.NET request validator, which throws an exception:

A potentially dangerous Request.Path value was detected from the client (?).

Though in the error message you see the unescaped version of the character (%3F), which is ? again.

Here's a good article on Request Validation and how to deal with it


Even I faced this issue, but for me, I accidentally typed & instead of the ? in the URL.

for example:

example.com/123123&parameter1=value1&paameter2=value2

but it actually has to be:

example.com/123123?parameter1=value1&paameter2=value2
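
Both failures described in the answers above (an escaped ? and a mistyped &) come down to the same thing: the character ends up in the path instead of the query string. The following is an added example, not part of the original answers and not ASP.NET's own code: a simplified Python model of the path check for triaging URLs from a log, where the function names and the single-pass percent-decoding are assumptions.

```python
from urllib.parse import unquote

def parse_invalid_chars(attr_value):
    """Split a requestPathInvalidCharacters value (comma-separated) into a list."""
    return [c for c in attr_value.split(",") if c]

# Default list quoted in the first answer above.
DEFAULT_INVALID = parse_invalid_chars("<,>,*,%,&,:,\\,?")

def split_path(raw_url):
    """Return the still-encoded path: drop scheme and host, cut at the first literal '?'."""
    rest = raw_url.split("://", 1)[-1]
    slash = rest.find("/")
    path = rest[slash:] if slash != -1 else "/"
    return path.split("?", 1)[0]

def path_violations(raw_url, invalid=DEFAULT_INVALID):
    """Characters from `invalid` found in the path after one percent-decoding pass.

    Simplified model (assumption): the server decodes the path once and the
    validator then looks for each configured character in the decoded path.
    """
    decoded = unquote(split_path(raw_url))
    return [c for c in invalid if c in decoded]

def triage(raw_urls, invalid=DEFAULT_INVALID):
    """Map each URL to the characters that would trip path validation."""
    return {u: path_violations(u, invalid) for u in raw_urls}

# URLs taken from the answers above, plus one constructed case (%25 decodes to %).
SAMPLE = [
    "www.amadeupurl.co.uk/ImageHandler.ashx/%3Fi%3D3604",
    "www.amadeupurl.co.uk/ImageHandler.ashx/?i=3604",
    "example.com/123123&parameter1=value1&paameter2=value2",
    "example.com/123123?parameter1=value1&paameter2=value2",
    "example.com/files/100%25.png",  # constructed
]

if __name__ == "__main__":
    for url, hits in triage(SAMPLE).items():
        verdict = "rejected for " + " ".join(hits) if hits else "passes path check"
        print(f"{url}\n    {verdict}")
```

Passing a shorter list as `invalid` shows which requests a relaxed `requestPathInvalidCharacters` setting would start letting through to the application.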


A super old thread but this works:

return RedirectToAction("MyAction", new { @myParameterName = "MyParameterValue" });

You can also add the controller name after action name if the request is going to a different controller and also add more query string parameters simply by chaining them with commas between.