
I have the following route:

```csharp
[Route("konto/validera-epost/{email}/{hash}")]
public ActionResult ValidateEmail(string email, string hash)
```

This works great until someone uses an email with a "+" in it, like:

http://localhost:53529/konto/validera-epost/niels%2btest1%40bosmainteractive.se/4eac5247b9e6c9ae2a020957a54dd644

Just getting an empty page as a result.

Niels Bosma
  • Is this an email validation link? I would just send the hash since you can't control what characters are in the email. – Ryan Apr 13 '15 at 18:17

1 Answer

This is most likely due to a security setting in IIS preventing + in URLs.

To resolve (or override/disable), either change it in the IIS, or in the web.config like below:

```xml
<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>
```

References:
- http://www.ifinity.com.au/Blog/EntryId/60/404-Error-in-IIS-7-when-using-a-Url-with-a-plus-sign-in-the-path
- https://serverfault.com/questions/76013/iis6-vs-iis7-and-iis7-5-handling-urls-with-plus-sign-in-base-not-querystr

Note: I've seen some security concerns about enabling this option. I'd recommend reading up on this feature more before using in a live environment.

Edit based on @Ryan's comment:

> [..] you can apply this at the action level with an attribute `[ValidateInput(false)]`

Mackan
  • I don't know about the security concerns (probably several), but you can apply this at the action level with an attribute `[ValidateInput(false)]`. – Ryan Apr 13 '15 at 18:19
  • Seems ok in my case to turn off http://stackoverflow.com/questions/1453218/is-enabling-double-escaping-dangerous – Niels Bosma Apr 20 '15 at 17:33
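
An alternative that leaves request filtering at its default, in the spirit of Ryan's comment on the question about not putting raw email characters in the URL. This is an added example, not code from the original posts: the `ValidationLink` class, its method names and the HMAC-SHA256 key are assumptions, since the page does not show how the original hash is computed.

```csharp
using System;
using System.Security.Cryptography;
using System.Text;

// Added example (hypothetical helper, not from the original posts).
public static class ValidationLink
{
    // Base64url (RFC 4648, section 5) uses only A-Z a-z 0-9 - _,
    // so the segment never needs percent-encoding in the path.
    public static string ToB64Url(byte[] data) =>
        Convert.ToBase64String(data).TrimEnd('=').Replace('+', '-').Replace('/', '_');

    public static byte[] FromB64Url(string s)
    {
        s = s.Replace('-', '+').Replace('_', '/');
        return Convert.FromBase64String(s.PadRight(s.Length + (4 - s.Length % 4) % 4, '='));
    }

    static byte[] Mac(byte[] key, string segment)
    {
        using (var hmac = new HMACSHA256(key))
            return hmac.ComputeHash(Encoding.UTF8.GetBytes(segment));
    }

    // Builds "konto/validera-epost/{email}/{hash}" with both segments path-safe.
    public static string BuildPath(string email, byte[] key)
    {
        string segment = ToB64Url(Encoding.UTF8.GetBytes(email));
        return "konto/validera-epost/" + segment + "/" + ToB64Url(Mac(key, segment));
    }

    // Returns the decoded email if the MAC matches, otherwise null.
    public static string Verify(string emailSegment, string hashSegment, byte[] key)
    {
        emailSegment = emailSegment ?? "";
        try
        {
            byte[] expected = Mac(key, emailSegment);
            byte[] actual = FromB64Url(hashSegment ?? "");
            int diff = expected.Length ^ actual.Length;   // compare without early exit
            for (int i = 0; i < expected.Length && i < actual.Length; i++)
                diff |= expected[i] ^ actual[i];
            return diff == 0 ? Encoding.UTF8.GetString(FromB64Url(emailSegment)) : null;
        }
        catch (FormatException) { return null; }   // segment is not valid base64url
    }
}
```

The existing route template can stay as it is: the action passes its `email` and `hash` parameters to `Verify` and treats a `null` result as an invalid link.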