How do I override RequestValidation in ASP.NET WebAPI

Rick Strahl picture Rick Strahl · Mar 14, 2012 · Viewed 8k times · Source

I'm having problems with requests that include 'dangerous characters' as part of a Web API URL. The Url includes an & which is properly Url encoded, but still causes a Request Validation ASP.NET error.

Unlike MVC there appears to be no [ValidateInput(false)] attribute to force and disable this functionality.

Answer

Rick Strahl picture Rick Strahl · Mar 14, 2012

Turns out the answer is to do this in web.config using:

<system.web>
  <httpRuntime requestPathInvalidCharacters="" />  
</system.web>

You can set this globally or at the sub-directory level. You can leverage the <location path=""> element to specify this setting only underneath certain paths. For example, if your Web API route that was affected lived underneath api/images you could do the following:

<location path="api/images">
  <system.web>
    <httpRuntime requestPathInvalidCharacters="" />  
  </system.web>
</location>

More information: https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx