ASP.NET 4 URL limitations: why URL cannot contain any ? characters

Question

http://site.com/page%3fcharacter

This URL will return the following error:

Illegal characters in path.

I\'m alrea

Answer 1

If you want to allow the request through, you need to add requestPathInvalidCharacters and set it to an empty string:

<system.web>
    <httpRuntime requestPathInvalidCharacters="" />
</system.web>

Edit You should leave your original question in place, because now my answer does not make sense.

But in answer to your second question, that it's because %3f corresponds to '?' which is not allowed in file names on Windows. You can set the relaxedUrlToFileSystemMapping property to true to change this behaviour:

<system.web>
    <httpRuntime requestPathInvalidCharacters=""
                 relaxedUrlToFileSystemMapping="true" />
</system.web>

You might want to look through all of the properties in the HttpRuntimeSection class to see if there's any others that might apply.

You can also implement a sub class of RequestValidator and set up your web.config to use your subclass (that will presumably allow all URLs through?). Personally, I wouldn't bother and just let the built-in classes handle it. It's unlikely that a normal user is every going to accidentally type in "%3f" in a path, and why bother going to so much trouble to improve the use-case for malicious users?

This, by the way, is actually a new feature in ASP.NET 4, which is why Stack Overflow doesn't spit out an error: it's running on .NET 3.5.

Answer 2

Here's a nice article by Hanselman explaining all the nooks and crannies related to your issue:

Experiments in Wackiness: Allowing percents, angle-brackets, and other naughty things in the ASP.NET/IIS Request URL

Answer 3

Probably because that looks a lot like a malformed url.

& is used as a separator for the query string parameters i.e. site.com/page?some=20&another=15