Friday, November 2, 2012

Is enabling Double Escaping dangerous in ASP.NET?

Let's say we want to use plus sign in URL paths in our ASP.NET application.

For example: http://example.com/news/tag1+tag2/

If we request this URL, IIS (in fact, the Request Filtering module) rejects the request with a 404 error (substatus 404.11, "URL Double Escaped").

The only way I found to make this work was the following section in Web.config:
 <system.webServer>   
  <security>  
    <requestFiltering allowDoubleEscaping="true"/>  
  </security>  
 </system.webServer>  

With this setting everything works fine, except for the fact that we allow double escaping for all URLs in our application. So, is enabling double escaping dangerous?

With allowDoubleEscaping="true", Request Filtering stops rejecting a URL that still contains encoded fragments after one round of decoding (a leftover "%XX" sequence, or a "+" that a later decoder may turn into a space), and IIS forwards such requests to the ASP.NET application. The risk is not in Request Filtering itself but in whatever runs after it: any check that decodes the URL once and any handler that decodes it a second time are looking at different paths, which is how a double-encoded sequence such as %252e%252e can get past a filter that looks for "..".
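To make the mechanism concrete, here is an added Python model (not IIS code, and not from the original post) of the Request Filtering rule and of why forwarding double-escaped URLs can bite. The rule is approximated as "percent-decode once; reject if the result still contains '%' or '+'", which reproduces the known behaviour for "+", "%2B" and "%25..." paths; the paths, the naive "no .." filter and the double-decoding handler are constructed for the example.

```python
"""Simplified model of the IIS Request Filtering "double escaping" check.

Added example, not IIS code.  The decode rule below is an approximation
of Request Filtering: decode the URL path once; if the result still
contains a '%' (another escape layer) or a '+' (which a later decoder may
turn into a space), treat the request as double escaped.
"""
from urllib.parse import unquote


def decode_once(path: str) -> str:
    """One round of percent-decoding (%2e -> '.', %25 -> '%'); '+' is kept."""
    return unquote(path)


def is_double_escaped(path: str) -> bool:
    """True if encoded fragments remain after a single decode."""
    once = decode_once(path)
    return "%" in once or "+" in once


def request_filtering(path: str, allow_double_escaping: bool = False) -> str:
    """What the front-end module does with the request.

    Returns "404.11 URL Double Escaped" when the request is rejected, or
    "forwarded" when it is passed on to the application.
    """
    if is_double_escaped(path) and not allow_double_escaping:
        return "404.11 URL Double Escaped"
    return "forwarded"


# --- Why forwarding double-escaped URLs matters (constructed scenario) ---

def naive_traversal_filter(path: str) -> bool:
    """A hypothetical check that decodes once and then looks for '..'.

    Returns True when the path is accepted.
    """
    return ".." not in decode_once(path)


def file_handler_sees(path: str) -> str:
    """A hypothetical downstream handler that (wrongly) decodes a second time."""
    return decode_once(decode_once(path))


def bypass_possible(path: str) -> bool:
    """True if the naive filter accepts the path but the handler ends up
    with '..' in it, i.e. the two components disagree about the URL."""
    return naive_traversal_filter(path) and ".." in file_handler_sees(path)


if __name__ == "__main__":
    for p in ["/news/tag1+tag2/", "/news/tag1%2Btag2/", "/news/tag1_tag2/",
              "/files/%252e%252e/web.config"]:
        print(f"{p:32} default: {request_filtering(p):28} "
              f"allowDoubleEscaping: {request_filtering(p, True)}")
    print("bypass possible with %252e%252e:",
          bypass_possible("/files/%252e%252e/web.config"))
```

The first three paths show the behaviour the post describes: a literal "+" and its encoded form "%2B" are both rejected by default, while the "_" variant is forwarded. The last path shows the cost of the setting: once it is forwarded, a check that decodes once never sees "..", but a handler that decodes again does.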

Many would say it's not a big deal, but I decided not to risk it, so I changed the "+" delimiter in the URL to "_" and removed the section from Web.config.

So, my URLs look like:
http://example.com/news/tag1_tag2/
