1

When attempting to make an ajax post from my angular web page on a mobile device, I receive the following error:

The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.

However, when attempting to make the same post from my desktop, the post works as expected and I receive no error. I have tested this in chrome and IE.

Here is the ajax post if it helps:

$scope.upload = $upload.upload({
url: baseApiAddress + 'mobile/' + customerPhone, //+ $scope.mobileId,
method: 'PUT',
file: file, // or list of files: files for html5 only
contentType: "application/json"
})

I am able to prevent this error by adding the following to my web.config:

<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="True"/>
  </security>
</system.webServer>

I'm reading why this may be dangerous here.

Why does this error occur on mobile when it is not present on desktop? Thank you very much for your time. Please let me know if I am being unclear or if you need any additional information from me.

Community
  • 1
  • 1
user95227
  • 1,853
  • 2
  • 18
  • 36
  • 1
    can you console log - (baseApiAddress + 'mobile/' + customerPhone) and show exactly the url that is being applied? – Kyle Jan 27 '16 at 21:56
  • @Kyle I had no way to debug in mobile so I just threw a `alert(baseApiAddress + 'mobile/' + customerPhone)` in there and it quickly revealed the problem. I forgot that I have a function that adds `+1` to the user's number and this causes the URL to end up looking like: `http://fake.base.api/mobile/+15554443333`. When testing in the desktop, I manually entered the URL and did not add the `+1`. This should fix it, thank you for the help. – user95227 Jan 27 '16 at 22:15
  • Great! yea, it seems that the plus sign is the root cause for this specific error message in most cases I could find. – Kyle Jan 27 '16 at 22:38

1 Answers1

0

I made a mistake and forgot about a function that added +1 to the front of user's phone numbers, which were later used in constructing the URL. The + character is what causes IIS to throw the double escaping error (More info here and here). Once I remove this + character, the error no longer shows up. This error wasn't present in the desktop version because I manually entered the URL and did not add a + character when testing.

Community
  • 1
  • 1
user95227
  • 1,853
  • 2
  • 18
  • 36