2

I have a .NET 4 WCF service running as an IIS website with ASP.NET compatibility mode. One of the service methods accepts a string parameter, and when there is a value which contains a '&' the ASP.NET pipeline raises a validation exception. I've assigned the following config settings:

<system.web>
  <httpRuntime requestValidationMode="2.0"/>
  <pages validateRequest="false"/>
</system.web>

And the error persists. The error occurs regardless of whether the input is encoded. I found a potential solution here which suggests providing a custom implementation of System.Web.Util.RequestValidator; however, I was wondering whether there are alternatives that can be done with configuration settings only.

EDIT: I've also found this; however, the proposed solution does not fix the problem.

eulerfx
  • Just so we're clear: The program calling the wcf service is shoddy and you don't have access to its code to fix the real issue? Is that about right? – NotMe Jul 11 '11 at 23:34
  • I have access to both the calling code and the service. I wanted to resolve the issue without having to deploy. More importantly, I wanted to know whether there was an accepted way to resolve the issue other than providing a custom validator. I would still like the input to be validated, I just don't want it to error on a string such as 'a & b'. – eulerfx Jul 11 '11 at 23:40
  • I really think you are better off properly encoding the values you submit instead of lowering the defenses to take things it shouldn't. So, when you say it occurred even when the input was encoded above, how was it encoded? -- there are several ways. – NotMe Jul 11 '11 at 23:50
  • For example, 'a & b' is encoded as 'a%20%26%20b' (without the quotes). – eulerfx Jul 11 '11 at 23:57
  • See my answer below. The encoding to use depends on where the & appears. – NotMe Jul 12 '11 at 00:01

2 Answers

5

I've found the solution. I set the following configuration setting:

<system.web>
    <httpRuntime requestPathInvalidCharacters=""/>
</system.web>

By default, an ampersand is an invalid path character.

eulerfx
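A narrower variant of the setting in the answer above, as an added example that is not part of the original post: it assumes the .NET 4 default list for requestPathInvalidCharacters (`<,>,*,%,&,:,\,?`) and removes only the ampersand, so the remaining path characters are still rejected.

```xml
<system.web>
  <!-- Setting from the answer: an empty list disables the invalid-character
       check for every character in the request path.
  <httpRuntime requestPathInvalidCharacters=""/>
  -->

  <!-- Narrower alternative (assumption: the .NET 4 default list is
       <,>,*,%,&,:,\,?). Only the ampersand is dropped from that list;
       < and > are written as XML entities because this is an attribute value. -->
  <httpRuntime requestPathInvalidCharacters="&lt;,&gt;,*,%,:,\,?"/>
</system.web>
```

With either setting the service method receives the raw `&` from the path, so anything that later writes the value into HTML, XML or a query string has to encode it for that context.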
2

Some links that may help:

summary: MS is stating that you should use %26 if the ampersand appears in the query string.
http://connect.microsoft.com/wcf/feedback/details/527185/wcf-rest-uritemplate-does-not-recognise-or-amp-ampersand-as-same-character

summary: poster is talking about encoding the & in the body of the WCF message using &amp;
XmlReader chopping off whitespace after ampersand entity?

So, if it's in the query string, encode it with %26. If it's in the body of the message, encode it as an HTML entity: &amp;

NotMe
  • I am using the proper encoding scheme, still receiving the same error. Will be investigating further. – eulerfx Jul 12 '11 at 00:14