A potentially dangerous Request.Path value was det

I am at a complete loss for why I am getting this error. The typical cause of this error has to do with trying to submit HTML markup into a text string or something similar but I'm not doing anything like that. The page I think this is happening on takes in a simple email address.

Here is my model with validation...

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [RegularExpression(@"^([a-zA-Z0-9_\-\.]+)@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.)|(([a-zA-Z0-9\-]+\.)+))([a-zA-Z]{2,4}|[0-9]{1,3})$", ErrorMessage = "{0} must be a valid email address")]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}

Here are my script references because the error seems to be in the Scripts directory...

<script src="@Url.Content("~/Scripts/jquery-1.5.2.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/jquery.validate.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.validate.unobtrusive.min.js")" type="text/javascript"></script>
<script src="@Url.Content("~/Scripts/jquery.unobtrusive-ajax.min.js")" type="text/javascript"></script>

<script src="@Url.Content("~/Scripts/modernizr-1.7.min.js")" type="text/javascript"></script>

My best guess is that someone is maliciously entering some invalid script into the email address but I'm not seeing any errors in Elmah or CodeSmith Insight that points to any of my code. I can't even figure out where exactly this is happening.

And here are the errors...

A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

System.Web.HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (:). at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication.PipelineStepManager.ValidateHelper(HttpContext context)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.

System.ArgumentException: Illegal characters in path. at System.IO.Path.CheckInvalidPathChars(String path) at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str) at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList) at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path) at System.Web.InternalSecurityPermissions.PathDiscovery(String path) at System.Web.HttpRequest.get_PhysicalPath() at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e) at System.Web.HttpApplication.SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

at System.IO.Path.CheckInvalidPathChars(String path) at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str) at System.Security.Permissions.FileIOPermission.AddPathList(FileIOPermissionAccess access, AccessControlActions control, String[] pathListOrig, Boolean checkForDuplicates, Boolean needFullPath, Boolean copyPathList) at System.Security.Permissions.FileIOPermission..ctor(FileIOPermissionAccess access, String path) at System.Web.InternalSecurityPermissions.PathDiscovery(String path) at System.Web.HttpRequest.get_PhysicalPath() at WebsitePanel.IIsModules.SecureFolders.context_OnEnter(Object sender, EventArgs e) at System.Web.HttpApplication+SyncEventExecutionStep.System.Web.HttpApplication.IExecutionStep.Execute() at System.Web.HttpApplication.ExecuteStep(IExecutionStep step, Boolean& completedSynchronously)

UPDATE - POSSIBLE RESOLVED After racking my brain more on this I saw "WebsitePanel.IIsModules.SecureFolders" in the stack trace and that jarred my memory. I remember seeing something about secure folders on my hosting provider. This feature is buried in their control panel which would make sense based on the method. I emailed them and asked them to disable the module. It hasn't occurred for a few days so I suspect that was it.

回答1:

As the Exception says there is illegal characters in the request path, more specifically the colon character is not ok (:) = "A potentially dangerous Request.Path value was detected from the client (:). "

Your request seems to contain:

"(/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g"

A potentially dangerous Request.Path value was detected from the client (:). (/NewsList/Scripts/,data:c,complete:function(a,b,c){c=a.responseText,a.isResolved()&&(a.done(function(a){c=a}),i.html(g)

at System.Web.HttpRequest.ValidateInputIfRequiredByConfig() at System.Web.HttpApplication+PipelineStepManager.ValidateHelper(HttpContext context)

Illegal characters in path.

回答2:

Looks like you are not validating email address before it is submitted on the client side. You can use the below code to validate email address. At the same time set a maxlength attribute to email input fields.

function validateEmail(email) 
{ 
 var re = /^(([^<>()[\]\\.,;:\s@\"]+(\.[^<>()[\]\\.,;:\s@\"]+)*)|(\
".+\"))@((\[[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\])|(([a-zA
-Z\-0-9]+\.)+[a-zA-Z]{2,}))$/ 
 return email.match(re) 
}

if(!validateEmail($("#emailAddress).val()){
     alert("Invalid email address");
}

回答3:

ASP.NET MVC already have DataType attribute. You can use this instead of Regular Expression

public class Subscriber
{
    [Key]
    [DisplayName("Email Address")]
    [Required(ErrorMessage = "{0} is required")]
    [DataType(DataType.EmailAddress)]
    public string EmailAddress { get; set; }

    public Guid UnsubscribeKey { get; set; }
}