Is Enabling Double Escaping Dangerous?

by

Edit: Added emphasis to relevant sections.

Basically: IIS is being excessively paranoid. You can safely disable this check if you’re not doing anything particularly unwise with the uri decoded data (such as generating local filesystem URI’s via string concatenation).

To disable the check do the following (from here): (see my comment below for what double escaping entails).

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true"/>
    </security>
</system.webServer>

If the plus symbol is a valid character in a search input, you will need to enable “allowDoubleEscaping” to permit IIS to process such input from the URI’s path.

Finally, a very simple, if limited workaround is simply to avoid ‘+’ and use ‘%20’ instead. In any case, using the ‘+’ symbol to encode a space is not valid url encoding, but specific to a limited set of protocols and probably widely supported for backwards-compatibility reasons. If only for canonicalization purposes, you’re better off encoding spaces as ‘%20’ anyhow; and this nicely sidesteps the IIS7 issue (which can still crop up for other sequences, such as %25ab.)

More Related Contents:

  1. Display custom error page when file upload exceeds allowed size in ASP.NET MVC
  2. better way to load 2 dropdown in mvc
  3. How do I use a C# keyword as a property name?
  4. ASP.NET MVC Binding to a dictionary
  5. Dependency Injection in attributes
  6. How to post an array of complex objects with JSON, jQuery to ASP.NET MVC Controller?
  7. How to get the public IP address of a user in C#
  8. Could not find a part of the path … bin\roslyn\csc.exe
  9. How can I get this ASP.NET MVC SelectList to work?
  10. How to get current user, and how to use User class in MVC5?
  11. How to call another controller Action From a controller in Mvc
  12. Web API Put Request generates an Http 405 Method Not Allowed error
  13. When I post back to my controller all values for my model are null
  14. How to update a claim in ASP.NET Identity?
  15. ModelState.IsValid == false, why?
  16. What does it mean for a property to be [Required] and nullable?
  17. How to flatten an ExpandoObject returned via JsonResult in asp.net mvc?
  18. MVCBuildViews not working correctly
  19. ASP.NET Web API : Correct way to return a 401/unauthorised response
  20. Write PDF stream to response stream
  21. Do asynchronous operations in ASP.NET MVC use a thread from ThreadPool on .NET 4
  22. ‘object’ does not contain a definition for ‘X’
  23. How to redirect to Index from another controller?
  24. How to manually validate a model with attributes?
  25. How to retain spaces in DropDownList – ASP.net MVC Razor views
  26. Is the DataTypeAttribute validation working in MVC2?
  27. How can I force a log out of all users for a website?
  28. Streaming large list of data as JSON format using Json.net
  29. Database injection into a validation attribute with ASP MVC and Castle Windsor
  30. Unable to resolve service for type ‘Microsoft.AspNetCore.Identity.UserManager` while attempting to activate ‘AuthController’

Leave a Comment