error when url resource contains ampersand

Question

We have a web api with the following resource url.

http://www.example.com/book/bookid/name/bookname

now there are some books which contains names with ampersand '&' and when a request is made for such names, we are receiving below error

URL used:

http://www.example.com/book/123/name/ban&ban

Error: A potentially dangerous Request.Path value was detected from the client (&)

We tried passing or using encoded value for & i.e. %26 and getting same error.

URL used:

http://www.example.com/book/123/name/ban%26ban

Error: A potentially dangerous Request.Path value was detected from the client (&)

Now, when I added requestPathInvalidCharacters="" property in the web.config in httpruntime element, it started working fine for both the above urls. But, when I read different articles, it is said that it is not a good practice to use requestPathInvalidCharacters="" property.

Also, since there are lot of book names in production with "&" and different special characters, we cannot avoid sending "&" ampersand for book names, is there a good way to handle this?

Answer 1

You should opt into using parameter instead of path in your querystring. For example: http://www.example.com/book/bookid?name=Fizz&bookname=Buzz

Here's some explanation on why this exception is raised: http://www.hanselman.com/blog/ExperimentsInWackinessAllowingPercentsAnglebracketsAndOtherNaughtyThingsInTheASPNETIISRequestURL.aspx