23

We are sending an HTML encoded string in the Query string. It was working fine on IIS 6 (windows 2003). We have recently moved the website to Windows 2008 (IIS 7.x). Since the move any Query String that contains "+" sign i.e., "%2b" gives error on the server "404 - File or directory not found."

Any help?

Best regards.

Kashif
  • 14,071
  • 18
  • 66
  • 98
  • Found one solution on Serverfault http://serverfault.com/questions/76013/iis6-vs-iis7-and-iis7-5-handling-urls-with-plus-sign-in-base-not-querystri – Kashif Jan 05 '11 at 13:22
  • That solution refers to a plus sign in the base URL not the querystring. Can you clarify whether the + actually refers to a space, or a plus, in the file URL? "+" (encoded) means space. "%2b" means +. – Jamie Treworgy Jan 05 '11 at 13:29
  • "+" refers to Plus and encoded to "%2b" – Kashif Jan 05 '11 at 13:32
  • Oh, OK. What is the %2b getting mapped to? Is it possible there's any url rewriting involved, e.g. http://stackoverflow.com/questions/846934/2b-decoding-to-a-space-instead-of-a-plus – Jamie Treworgy Jan 05 '11 at 13:37
  • Here is an answer! https://serverfault.com/questions/76013/iis6-vs-iis7-and-iis7-5-handling-urls-with-plus-sign-in-base-not-querystri – StefanE Jan 05 '11 at 13:22

2 Answers2

37

The reason why you are facing this error is that IIS7 has introduced new URL filtering rules for security reasons. So '+' sign is blocked by default as part of security reason in URL.

To resolve this issue you have to set allowDoubleEscaping="true" in web.config files. Here is the tag to do that.

<system.webServer>
<security>
  <requestFiltering allowDoubleEscaping="true">
  </requestFiltering>
</security>

1

You can change the + to %20 when encoding to handle this programmatically, assuming that you have control over the code that's producing the urls.

Jamie Treworgy
  • 23,934
  • 8
  • 76
  • 119
  • The encoded `+` is the same as the encoded `%20`, but the unencoded `+` that is encoded as `%2b` is not the same. – Guffa Jan 05 '11 at 13:24
  • 1
    Perhaps I misunderstood the question - I thought the problem was IIS not handling + as a space. If he actually has a plus sign as part of a file URL then it would have to be encoded as %2b (and hence should have worked anyway) since + means space in a query string. – Jamie Treworgy Jan 05 '11 at 13:27