Plus (+) in MVC Argument causes 404 on IIS 7.0

Question

I have an MVC route that is giving me hell on a staging server running IIS. I am running Visual Studio 2010's development server locally.

Here is a sample URL that actually works on my dev box:

Root/CPUBoards/Full+Size

Results
Server Error404 - File or directory not found.
The resource you are looking for might have been removed, had its name changed, or is temporarily unavailable.

Here is the complete behaviour I am seeing.

Localhost:

Root/CPUBoards/Full Size - Resolves
Root/CPUBoards/Full%20Size - Resolves
Root/CPUBoards/Full+Size - Resolves

Staging Server with IIS 7.0:

Root/CPUBoards/Full Size - Resolves
Root/CPUBoards/Full%20Size - Resolves
Root/CPUBoards/Full+Size - 404 Not Found Error.

Any ideas? I need to work with the encoded version for several reasons... won't waste your time with them.

HttpUtility.UrlEncode("Full Size") returns the version with the plus sing... Full+Size. This works on my dev box, but not on the staging server. I would prefer to just get it working on the server, since I already have everything else tested and working locally, but I have no idea where to start looking on the server configuration to get it to behave the same way.

Thanks!

Can you build locally using IIS 7 instead of the ASP.NET development environment? — websch01ar, Jul 30 '10 at 22:24

score 23 · Answer 1 · answered Nov 05 '10 at 14:46

23

This is an IIS security setting. There is a standard request filter that rejects URLs containing + (plus) characters.

You can disable it for your web, adding this to your web.config:

<configuration>
   ...
   <system.webServer>
      ...
      <security>
          <requestFiltering allowDoubleEscaping="true" />
      </security>
    </system.webServer>
    ...
</configuration>

answered Nov 05 '10 at 14:46

splattne

102,760
52
202
249

Works for me. More details about 'allowDoubleEscaping' here: http://stackoverflow.com/a/1453287/3678079 – webStuff Nov 09 '15 at 08:48

score 20 · Accepted Answer · answered Jul 30 '10 at 22:35

+ only has the special meaning of being a space in application/x-www-form-urlencoded data such as the query string part of a URL.

In other parts of the URL like path components, + literally means a plus sign. So resolving Full+Size to the unencoded name Full Size should not work anywhere.

The only correct form of a space in a path component is %20. (It still works when you type an actual space because the browser spots the error and corrects it for you.) %20 also works in form-URL-encoded data as well, so it's generally safest to always use that.

Sadly HttpUtility.UrlEncode is misleadingly-named. It produces + in its output instead of %20, so it's really a form-URL-encoder and not a standard URL-encoder. Unfortunately I don't know of an ASP.NET function to “really URL-encode” strings for use in a path, so all I can recommend is doing a string replace of + to %20 after encoding.

Alternatively, avoid using spaces in path parts, eg. by replacing them with -. It's common to ‘slug’ titles being inserted to URLs, reducing them to simple alphanumerics and ‘safe’ punctuation, to avoid filling the URL with ugly %nn sequences.

OK. This is very helpful. These URL "Segments" are coming from a database, and we prefer to allow the data in the database to be natural. We also need the URL to be unique, so replacing a bunch of stuff with '-' is not desireable. For example, we have both underscore and space characters, both of which people like to replace with a dash. I suppose this means we are stuck using "ugliness" like %20 to represent characters accurately, but these are the edge cases, and the compromise is not so bad. I guess I will have to do some manual replacing before URL Encoding stuff. Thanks! — bopapa_1979, Aug 02 '10 at 14:22
Unfortunately you can't *quite* get arbitrary strings into path parts. `%2F` (the encoded form of `/`) is blocked by many web servers—by default in Apache, and unavoidably in IIS. IIS also blocks `%5C`, and all servers block `%00` (other control codes can also cause various difficulties, and of course Unicode in path parts has some gotchas of its own). — bobince, Aug 02 '10 at 15:03

score 4 · Answer 3 · answered Mar 15 '12 at 18:53

4

System.Web.HttpUtility.UrlPathEncode(string str) encodes a + to a %20

answered Mar 15 '12 at 18:53

kendaleiv

5,793
3
28
38

I think the OP has that part figured out - why it's causing the error is more the issue. – Hannele Mar 16 '12 at 15:41

score 0 · Answer 4 · answered Apr 28 '20 at 13:56

Totally agree with @bobince, the problem is in the wrong encoding to %2b instead of %20

Sadly HttpUtility.UrlEncode is misleadingly-named. It produces + in its output instead of %20, so it's really a form-URL-encoder and not a standard URL-encoder. Unfortunately I don't know of an ASP.NET function to “really URL-encode” strings for use in a path, so all I can recommend is doing a string replace of + to %20 after encoding.

this is the important part, which is to replace the + sign with %20

Plus (+) in MVC Argument causes 404 on IIS 7.0

4 Answers4

Linked