Thanks for your bug report and patch! I have applied your changes and committed it to our source code repository.
The end user should not be exposed to detailed system generated run time exception messages.
In a production installation the user would not be shown any error detail, only a generic error page would be shown. By default error detail is only shown when running in the context of localhost, this is good in order to help developers understand an error, but it would not happen in production environments. Note that whether error detail is shown or not is controlled by a Web.config setting:
<-- "On" Always display custom (friendly) messages.
"Off" Always display detailed ASP.NET error information.
"RemoteOnly" Display custom (friendly) messages only to users not running on the local
Web server. This setting is recommended for security purposes, so
that you do not display application detail information to remote clients. -->
<customErrors mode="RemoteOnly" defaultRedirect="Error.htm">
<error statusCode="413" redirect="~/NeatUpload/Error413.aspx" />