2

I need to allow the user to submit queries as follows:

/search/"my search string"

but it's failing because of request validation, as outlined in the following 2 questions:

How to include quote characters as a route parameter? Getting "Illegal characters in path" message

How to modify request validation?

I'm currently trying to figure out how to disable request validation for the quote character, but I'd like to know the risks before I actually put the site live with this disabled. I will not disable the request validation unless I can only disable it for the quote character, so I do intend to disallow every other character that's currently not allowed.

DaveDev
  • Someone's got to ask the dumb question: Why does the search string have to be part of the path and not a URL query parameter (e.g. `/search?q=%22my+search+string%22`)? – Marcelo Cantos Nov 02 '10 at 12:03
  • Here's the dumb answer: because the customer likes it that way. Your suggestion to append it as a query string param is plan b – DaveDev Nov 02 '10 at 12:05
  • OK, here's an even dumber question: Why does the customer care which URL scheme you adopt? (Admittedly, I have found that stupid customers are not only brimming with idiotic ideas, but they are also incurably convinced of the genius of those ideas.) If I were more cynical, I might suggest that you go back with empty hands and say, "Sorry, but we'll just have to go for plan B." But I try not to be cynical and I would never recommend lying to your boss, so I won't suggest that. – Marcelo Cantos Nov 02 '10 at 12:12

1 Answer

3

According to the URI generic syntax specification (RFC 2396), the double-quote character is explicitly excluded and must be escaped (i.e. %22). See section 2.4.3. The reason given in the spec:

The angle-bracket "<" and ">" and double-quote (") characters are excluded because they are often used as the delimiters around URI in text documents and protocol fields.

You can see easily why this is the case -- imagine trying to create a link in HTML to your URL:

<a href="http://somesite/search/"my search string""/>

That would fail HTML parsing (and also breaks SO's syntax highlighting). You also would have trouble doing basic things with the URL like emailing it to someone (the email client wouldn't parse the URL correctly), posting it on a message board, sending it in an instant message, etc.

For what it's worth, spaces are also explicitly excluded (same section of the RFC explains why).

Matt Bridges
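The escaping described in the answer above, as an added example that is not part of the original post: the search term is percent-encoded into a single path segment, the resulting URL is attribute-escaped before it goes into an `href`, and the receiving side rejects any path that still carries a raw quote, space or angle bracket. The function names and the `/search/` route layout are assumptions based on the question's URL.

```javascript
// Added example (not from the original answer). Function names and the
// /search/ route layout are assumptions taken from the question's URL.

// Characters the answer cites from RFC 2396 section 2.4.3 as excluded:
// space, angle brackets and the double quote must never appear raw.
const RAW_EXCLUDED = /[ <>"]/;

// Build the link target: percent-encode the user's term as ONE path segment.
// encodeURIComponent turns '"' into %22, ' ' into %20 and '/' into %2F.
function buildSearchPath(term) {
  return "/search/" + encodeURIComponent(term);
}

// Escape a value for use inside a double-quoted HTML attribute or text node.
function escapeAttr(value) {
  return value
    .replace(/&/g, "&amp;")
    .replace(/"/g, "&quot;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;");
}

function buildSearchLink(origin, term) {
  const href = origin + buildSearchPath(term);
  return '<a href="' + escapeAttr(href) + '">' + escapeAttr(term) + "</a>";
}

// Receiving side: accept only a well-formed, fully escaped path and return
// the decoded term, or null when the path must be rejected.
function parseSearchPath(path) {
  const m = /^\/search\/([^/?#]+)$/.exec(path);
  if (!m || RAW_EXCLUDED.test(m[1])) return null; // raw quote, space or <>
  try {
    return decodeURIComponent(m[1]);
  } catch (e) {
    return null; // malformed escape such as "%2" or "%zz"
  }
}

// Constructed sample input: the search string from the question.
const term = '"my search string"';
console.log(buildSearchPath(term));
console.log(buildSearchLink("http://somesite", term));
console.log(parseSearchPath(buildSearchPath(term)));
```

The decoded term still contains the quote characters, so it has to be escaped again wherever it is written into HTML or passed to a query.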