I keep running into this error in my ELMAH logs. The error states,
System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:).
After looking at the stacktrace in the log it appears the error is happening because I am using a
<a href="tel:8888888888">8888888888888</a>
tag.
Is this not a valid HTML5 implementation for a telephone number? How would I be able to fix this?
And what about for "whatsapp:" tags? (see related post)
It looks like you have a dumb browser which is asking the server for a tel:
URI when the anchor is clicked. A tel:
URI should cause the client machine to dial a local telephone device, and the server is properly warning that the URI was instead requested of the server. It may be that this was a historic attack vector.
So, at one level, it is probably an ignorable error.
It could also be that the browser is trying to be "smart" because the telephone number is not properly specified. According to RFC 3966 the telephone number needs to be a valid E.164 address or a properly formed "local address" and 888-888-8888
is neither. If you are referring to a North American phone then the address is properly +1-888-888-8888
(dashes are optional, the plus sign is not and 1
is the country-code). If you are trying to denote a local address, may Turing help you understanding the specification; note, the RFC says local address SHOULD NOT
be used.
If the smart/stupid browser passes back the URI to the server as a novel request if it cannot parse it, it is being too smart/stupid and should just ignore it.
So, at another level, perhaps you should put a +<country code>
in your href. If one browser is broken in this way, another will be. It would be a good idea to walk back in the log to see if the page with the malformed URI is being requested by the same requestor shortly before the tel:
request comes back in to the server. It would also be good if you can get the UserAgent for the requestor. It would be good to see if this is an attempt to penetrate old servers or an innocent action by an end-user with IE 5 or sumptin.