Customizing "A potentially dangerous Request.Path value was detected" error page

Question

When I call a page with a non authorized character (such as *), i get a yellow page "A potentially dangerous Request.Path value was detected". It looks like it is a 400 error page. My goal is to customize this page and show a clean error page or redirect to home page (i tried both solutions). Here is what i wrote in my web.config:

<system.webServer>
 <httpErrors errorMode="Custom">
  <remove statusCode="400" subStatusCode="-1" />
  <remove statusCode="404" subStatusCode="-1" />
      <error statusCode="400" path="/page-non-trouvee.aspx?status=400" responseMode="ExecuteURL" />
  <error statusCode="404" path="/" responseMode="ExecuteURL" />
 </httpErrors>

I'm using IIS7. The point is my 400 page is still shown as a yellow error page.

There must be a workaround because although the Stack Exchange Data Explorer has this problem with https://data.stackexchange.com/users&nbsp Stack Overflow itself does not: https://stackoverflow.com/users&nbsp

Any ideas?

Answer 1

As gbianchi mentioned, you could do a customErrors redirect like this:

<customErrors mode="On" redirectMode="ResponseRedirect" defaultRedirect="/404" />

However, this would result in an annoying querystring with the original path and segment.

If it's an ASP.NET application, you could overload the Application_Error event in your Global.asax.cs file. Here's a hack-ish way of doing it in MVC:

protected void Application_Error() {
    var exception = Server.GetLastError();
    var httpException = exception as HttpException;
    if (httpException == null) {
        return;
    }

    var statusCode = httpException.GetHttpCode();
    // HACK to get around the Request.Path errors from invalid characters
    if ((statusCode == 404) || ((statusCode == 400) && httpException.Message.Contains("Request.Path"))) {
        Response.Clear();
        Server.ClearError();
        var routeData = new RouteData();
        routeData.Values["controller"] = "Error";
        routeData.Values["exception"] = exception;
        Response.StatusCode = statusCode;
        routeData.Values["action"] = "NotFound";

        // Avoid IIS7 getting in the middle
        Response.TrySkipIisCustomErrors = true;
        IController errorsController = new ErrorController();
        HttpContextWrapper wrapper = new HttpContextWrapper(Context);
        var rc = new RequestContext(wrapper, routeData);
        errorsController.Execute(rc);
    }
}