
In ASP.NET, the `httpRuntime/@requestPathInvalidCharacters` attribute defaults to `<,>,*,%,&,:,\`. These characters, as I understand, are disallowed in the path portion of a URL (based on the default setting of this attribute), but some of them should be allowed. Out of that list, I struggle to understand why `*,&,:` are disallowed by default. E.g., the following URLs are valid but would be rejected by default by ASP.NET:

To get a unique person by email: http://myservice.com/People/Email=jim@smith.net

To get a unique locality within a state: http://myservice.com/States/VA/Localities/FIPS=001

I could also swap out the `=` for `:` to make ASP.NET reject the URL by default. But these characters/URLs are valid and should/do work fine.

So, does anyone have any insight into why these disallowed characters were chosen?

(Related post/answer: https://stackoverflow.com/a/13500078/374198)

Josh M.
  • +1 Had to find out myself :) Here's the [best explanation](http://stackoverflow.com/a/3342765/304683) I've found so far (at least for colon `:`). Haven't tried this - what about seeing if it works as query string (after `?`) instead of "virtual path" (as mentioned)? – EdSF Feb 26 '16 at 16:06
  • @EdSF I'll take a look at the link, thanks. I want to do some of this stuff in the path in cases where the path identifies a unique entity, rather than querying multiple entities (which as you mentioned should be done in the query string). My examples are bad, admittedly. Will update them. – Josh M. Feb 26 '16 at 16:20
  • Thanks for the link, it helps to uncover one use case, at least. – Josh M. Feb 26 '16 at 16:27

0 Answers
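An added example, not code from the post or from ASP.NET itself: a small console program that approximates the path check using the default list quoted in the question, so you can see which URL shapes trip it. It assumes the check runs against the percent-decoded path and never looks at the query string; `PathCharCheck` and `Offending` are hypothetical names, and the sample URLs are constructed from the ones in the question.

```csharp
using System;
using System.Linq;

static class PathCharCheck
{
    // Default list exactly as quoted in the question.
    static readonly char[] DefaultInvalid = { '<', '>', '*', '%', '&', ':', '\\' };

    // Returns the listed characters present in the decoded path of the URL.
    // Assumption: the framework validates the decoded path only, so the
    // query string is deliberately ignored here.
    public static char[] Offending(string url, char[] invalid = null)
    {
        invalid = invalid ?? DefaultInvalid;
        // AbsolutePath excludes the query string; decode it so that an
        // encoded character such as %3A is checked as ':'.
        string path = Uri.UnescapeDataString(new Uri(url).AbsolutePath);
        return path.Where(c => invalid.Contains(c)).Distinct().ToArray();
    }

    static void Main()
    {
        // Constructed sample URLs based on the question's examples.
        string[] samples =
        {
            "http://myservice.com/People/Email=jim@smith.net",          // '=' and '@' are not in the list
            "http://myservice.com/People/Email:jim@smith.net",          // literal ':' in the path
            "http://myservice.com/People/Email%3Ajim@smith.net",        // encoded ':' decodes to ':'
            "http://myservice.com/States/VA/Localities/FIPS=001",       // no listed character
            "http://myservice.com/People?email=jim:smith&active=true",  // ':' and '&' only in the query
        };

        foreach (string url in samples)
        {
            char[] hits = Offending(url);
            string verdict = hits.Length == 0 ? "allowed " : "rejected";
            Console.WriteLine("{0} {1} {2}", verdict, url, string.Join(" ", hits));
        }
    }
}
```

Under these assumptions, percent-encoding a listed character in the path does not get it past the check, while the same character in the query string is outside the scope of this attribute.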