How do I override RequestValidation in ASP.NET WebAPI

asp.net-web-api request-validation
Rick Strahl picture Rick Strahl · Mar 14, 2012 · Viewed 8k times · Source

I'm having problems with requests that include 'dangerous characters' as part of a Web API URL. The Url includes an & which is properly Url encoded, but still causes a Request Validation ASP.NET error.

Unlike MVC there appears to be no [ValidateInput(false)] attribute to force and disable this functionality.

Answer

Rick Strahl picture Rick Strahl · Mar 14, 2012

Turns out the answer is to do this in web.config using:

<system.web>
  <httpRuntime requestPathInvalidCharacters="" />  
</system.web>

You can set this globally or at the sub-directory level. You can leverage the <location path=""> element to specify this setting only underneath certain paths. For example, if your Web API route that was affected lived underneath api/images you could do the following:

<location path="api/images">
  <system.web>
    <httpRuntime requestPathInvalidCharacters="" />  
  </system.web>
</location>

More information: https://msdn.microsoft.com/en-us/library/e1f13641(v=vs.100).aspx

Related questions

How do I get ASP.NET Web API to return JSON instead of XML using Chrome?

Using the newer ASP.NET Web API, in Chrome I am seeing XML - how can I change it to request JSON so I can view it in the browser? I do believe it is just part of the request …

Read More
Using <meta> tags to turn off caching in all browsers?

I read that when you don't have access to the web server's headers you can turn off the cache using: <meta http-equiv="Cache-Control" content="no-store" /> But I also read that this doesn't work in some versions of IE. …

Read More
Refused to display in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'

I am developing a website that is supposed to be responsive so that people can access it from their phones. The site has got some secured parts that can be logged into using Google, Facebook, ...etc (OAuth). The server backend …

Read More