Use any characters you want in your URLs with ASP.NET 4 and IIS 7!

After spending entirely too much time researching this issue today here is how you can use any characters you want for URLs in ASP.NET 4 and IIS 7. A bit of background: I am writing a web application that has a custom HttpModule and HttpHandler that should handle all requests and not limit the syntax of those requests at all. I could not find the information on how to do this in one place anywhere, and there are a reasonable amount of misleading, unanswered and naive responses on various forums that will likely lead you astray if you have an advanced configuration like mine. There are also a lot of completely out of date posts centered on .NET 1.1 and .NET 2.0.

The first thing I was trying to do was make a POST-ed form value containing a forward slash into something that could be used as a component in a RESTful URL. I tried to accomplish that by implementing a handler for AuthenticateRequest in my HttpModule (you can’t do it in BeginRequest unless you want to read the form data manually because Request.Form is not intialized yet) that would encode the value and call TransferRequest. First that made this happen:

A potentially dangerous Request.Path value was detected from the client (%).

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (%).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below

Stack Trace:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +8815985
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

Okay. ASP.NET, for security reasons, normally protects your web applications from potentially harmful content being sent to them, which is probably a good thing. But what if we want or need potentially harmful content? Should we be limited? I hoped the answer was “no”, but the almost complete lack of information on the subject sure wasn’t making it seem that way. After some not too helpful reading and some digging with Reflector, I came up with this:

<httpRuntime requestPathInvalidCharacters="" />
<pages validateRequest="false" />

Now no characters are invalid and requests shouldn’t even BE validated right? WRONG. While this did clear up the first exception, I faced a new one. And, while I was not sure if the validateRequest setting would even apply to my case since it is on the pages element, I assure you that for some reason that setting is an integral part of the above and following changes to work properly together. Here was my second roadblock:

Error Summary

HTTP Error 404.11 – Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

Detailed Error Information
Module RequestFilteringModule
Notification BeginRequest
Handler Clear
Error Code 0×00000000
Requested URL http://localhost:80/Clear/search/x%2Fy
Physical Path D:\Development\Clear\Clear\search\x%2Fy
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
  • The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
Things you can try:
  • Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.
Links and More Information

This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.View more information »

Great, now it didn’t even look like it was getting from IIS to ASP.NET! However, deciding I “fully understood” the change, this problem was much easier to find a solution to and get past. Once again, it was a simple matter of adding the right magic words to the Web.config:

<requestFiltering allowDoubleEscaping="true" />

Finally my Frankenstein was coming to life and I thought I was in the clear. But, then I realized that when other clients (not form POST-ers who would not realize my HttpModule was secretly processing their inputs) wanted to send me a URL with a forward slash in a path component they would have to double encode or use some other strange method to identify it as a different kind of forward slash then the normal path component delimiter.

So, I decided to add a feature to my framework that would allow a syntax to specify that “the rest” of a URL is a single component and to do that I wanted to use “/*”. Convinced I could use any character I wanted now, I went ahead and ran the debugger with my test path, and to my chagrin ran into this little beauty:

System.ArgumentException occurred
Message=Illegal characters in path.
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)

mscorlib.dll!System.Security.Permissions.FileIOPermission.HasIllegalCharacters(string[] str) + 0x117 bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.AddPathList(System.Security.Permissions.FileIOPermissionAccess access, System.Security.AccessControl.AccessControlActions control, string[] pathListOrig, bool checkForDuplicates, bool needFullPath, bool copyPathList) + 0x4a bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess access, string[] pathList, bool checkForDuplicates, bool needFullPath) + 0x2c bytes
mscorlib.dll!System.IO.Path.GetFullPath(string path) + 0x5c bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath, out bool pathTooLong) + 0x42 bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath) + 0x18 bytes
System.Web.dll!System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(string physicalPath) + 0x9 bytes
System.Web.dll!System.Web.CachedPathData.GetPhysicalPath(System.Web.VirtualPath virtualPath) + 0x77 bytes
System.Web.dll!System.Web.CachedPathData.GetConfigPathData(string configPath) + 0x190 bytes
System.Web.dll!System.Web.CachedPathData.GetVirtualPathData(System.Web.VirtualPath virtualPath, bool permitPathsOutsideApp) + 0x6f bytes
System.Web.dll!System.Web.HttpContext.GetFilePathData() + 0x25 bytes
System.Web.dll!System.Web.HttpContext.GetConfigurationPathData() + 0x1b bytes
System.Web.dll!System.Web.Configuration.RuntimeConfig.GetConfig(System.Web.HttpContext context) + 0x2c bytes
System.Web.dll!System.Web.HttpContext.SetImpersonationEnabled() + 0xd bytes
System.Web.dll!System.Web.HttpApplication.AssignContext(System.Web.HttpContext context) + 0x5c bytes
System.Web.dll!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest wr, System.Web.HttpContext context) + 0x22f bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x1fc bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x29 bytes
[Appdomain Transition]

So, in a last desperate attempt to not have to give up, I circled back to a solution that had not worked for any of the other problems I ran into before and to my surprise, it all worked out. Unfortunately, it requires adding a registry value, apparently making your entire server less secure and not an option except for in the most “all access” hosting environments. Anyway, you need to set the following to get the last few “illegal” characters to be allowed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility = 1 (32-bit DWORD)

Before I get accused of hacking my way out of this, this is actually a recommended fix from Microsoft written when this feature was first added as a service pack for .NET 1.1 but it is apparently still in there and for guys like me who like to push the limits, I thank them for trusting us a tiny bit:;EN-US;826437

I did find one posting that sort of talks about this problem (on Scott Hanselman’s blog) but it appears rather than finding a solution they opted to change their URLs to workaround the problem. Yes, maybe that was a better idea, but not nearly as FUN:

Hopefully this will help someone get past the issue themselves without all the forumining and experiments, or at least convince them it’s a bad idea and give up on the special characters. ;)

This entry was posted in Development, Web and tagged , , . Bookmark the permalink. Post a comment or leave a trackback: Trackback URL.


  1. Ahmed
    Posted August 31, 2010 at 10:27 am | Permalink

    wow chris…. Do you honestly need +pages to explain how to fix the problem.

    With all due respect, us coders are trying to CODE not read a bloody novel.



  2. Posted August 31, 2010 at 11:37 am | Permalink

    I like to write for people who like to think. Anybody can code. ;) Hope it helped you out, Chris

  3. Posted September 27, 2010 at 10:11 am | Permalink

    Since Ahmed posted something fairly non-productive (and ungrateful), I felt I should balance it out. Thanks for the post – it was very helpful (and a big time saver ). Much appreciated.

  4. Posted September 28, 2010 at 11:19 pm | Permalink

    I think something like this should have a novel! As you noticed, there’s not much info on these obscure topics.

    I had originally wanted to use a : in some of our urls so we could have decent looking urls and still have some meaning to them. ex: search/age:18-23

    I’m glad they’ve finally fixed this in .net 4, most of the way at least… hopefully in the next release, it won’t require the registry change.


  5. Posted September 30, 2010 at 5:28 pm | Permalink

    For now, your trick regarding teh web.config change made my dag – thank you for sharing, and do keep up the good work!

  6. Posted October 19, 2010 at 9:27 am | Permalink

    Thanks. Worked well. This is a common problem with MVC implementations.

  7. Posted October 24, 2010 at 5:13 pm | Permalink

    Take no notice of Ahmed. You’ve done an excellent job researching this and you’ve saved a lot of people a lot of time. Thanks Chris!

  8. Posted January 11, 2011 at 3:58 pm | Permalink

    Awesome article!

  9. Steve McGill
    Posted February 17, 2011 at 12:55 am | Permalink

    Thanks Chris, helped me out too

  10. Uxman
    Posted March 1, 2011 at 9:48 am | Permalink

    Thanks a lot Chris, you saved my rest of the day.

  11. Jordon
    Posted March 8, 2011 at 4:13 am | Permalink

    Thanks Chris, It was very helpful.

    I have one question though, some of your tips would work when we have full access to server, any idea how can i make it work in shared hosting scenario?

    My website is currently using shared hosting and i am trying to get rid of this error.

    Thanks much, appreciate your help.

  12. Posted March 11, 2011 at 2:05 am | Permalink

    Cheers, helped me out. Personally I like novels!

  13. Siva
    Posted March 16, 2011 at 1:25 pm | Permalink

    Thanks this helped me..

  14. Posted April 7, 2011 at 3:08 pm | Permalink

    Like everyone else, many thanks. The “requestPathInvalidCharacters” setting was what I needed. I do wish that MS gave us the ability to disable this in REST-ful WCF on a per-service or even a per-method basis, rather than requiring that we open up our entire site, or even our entire computer, to make these scenarios work.

  15. Rizwan
    Posted August 23, 2011 at 1:50 pm | Permalink

    Cool , is there any solution ( Hack :) even ) for 3.5 , My client has a server with 3.5 framework and he is not interested for 4.0 framework nor am i as it will be time consuming to upgrade and test each functionality .

    any helps in 3.5 framework would help ??

    Best Regards
    Rizwan Bashir

  16. Posted January 1, 2012 at 12:41 pm | Permalink

    Nice post! Thanks for the detailed explanation!

  17. Posted February 2, 2012 at 7:09 am | Permalink

    Awsome Chris. I think you explained the issue extremley well and in the right context. I find it hard when you get coders who think the article shoul dbe written for just themsleves and have total disregards for others. Very disappointing Ahmed for your comments and would like to see the type of articles you right.

    Keep up the awsome work Chris, enjoy your article.


    Bobby Habib

  18. Posted March 3, 2012 at 12:14 pm | Permalink

    Thanks for the post. Very helpful.

  19. Posted May 20, 2012 at 6:59 am | Permalink

    Thanks a lot Christopher!!
    It helps a lot to solve same error in IIS 6 with a webservice RESTFull.
    On IIS6 was not neccesary modify the registry!

  20. Posted September 16, 2012 at 3:44 am | Permalink

    Αppreсiatе the recommendаtiοn.
    Let me try it out.

  21. Mark Rawlingson
    Posted September 18, 2012 at 1:24 pm | Permalink

    requestPathInvalidCharacters=”" is what I was looking for. Thanks a lot, helped to solve an ongoing issue in my application in about 1.5 minutes flat.

  22. Posted December 13, 2012 at 1:07 am | Permalink

    Well written and very helpful post! :D

  23. Posted December 31, 2012 at 1:25 am | Permalink

    It’s really a nice and helpful piece of info. I’m happy that you simply
    shared this helpful information with us. Please stay us up to
    date like this. Thanks for sharing.

  24. Posted January 12, 2013 at 3:37 pm | Permalink
  25. Posted March 9, 2013 at 5:01 pm | Permalink

    Great post! Thanks for taking the time to go through this is great detail.

  26. Posted April 8, 2013 at 3:15 pm | Permalink

    Now I am going away to do my breakfast, when having my breakfast coming over again to
    read additional news.

  27. Posted April 8, 2013 at 5:03 pm | Permalink

    I delight in, lead to I discovered just what I was looking
    for. You’ve ended my four day lengthy hunt! God Bless you man. Have a nice day. Bye

  28. Posted April 9, 2013 at 8:48 pm | Permalink

    With the reproduction Oakley sun shades, you not only carry off a style assertion, but at the similar time also make certain that you do not vacant your cost savings account. Pretend Oakleys or Foakleys as they are popularly called appear in just about every conceivable variety colors and are marked by their own brand name of model. Think it or not, regardless of whether it is the awesome blue fifty percent jacket silver ice or the silver kinds, a ton of difficult perform goes into generating them seem quite genuine. fake oakleys

  29. Posted May 6, 2013 at 1:38 pm | Permalink

    all the time i used to read smaller articles or reviews that also
    clear their motive, and that is also happening with
    this post which I am reading at this place.

  30. Posted May 16, 2013 at 6:01 am | Permalink

    I am curious to find out what blog platform you have
    been working with? I’m experiencing some minor security issues with my latest blog and I would like to find something more risk-free. Do you have any suggestions?

  31. Posted May 17, 2013 at 4:56 pm | Permalink

    Hello there! I know this is somewhat off topic but I was
    wondering if you knew where I could locate a captcha plugin for my comment form?
    I’m using the same blog platform as yours and I’m having
    trouble finding one? Thanks a lot!

  32. Posted June 28, 2013 at 3:15 pm | Permalink

    This is very interesting, You are a very skilled blogger.
    I’ve joined your rss feed and look forward to seeking more of your magnificent post. Also, I have shared your site in my social networks!

  33. Posted July 18, 2013 at 10:20 pm | Permalink

    This is very good article about how you can put any characters you want in your URLs with ASP.NET 4 and IIS 7 development process with the help of proper .net coding.

  34. Posted July 27, 2013 at 2:57 am | Permalink


  35. Posted August 6, 2013 at 8:27 pm | Permalink

    バッグ louis vuitton

  36. Posted August 10, 2013 at 5:10 am | Permalink

    Paul Rone-Clarke is actually the affiliate marketing
    expert and his or her skill with Ultimate Demon
    is superior to anyone else

    Feel free to visit my blog post … search engines

  37. Posted August 10, 2013 at 6:13 am | Permalink

    Paul Rone-Clarke is actually the web marketing expert and his skill with Ultimate Demon is superior to anyone else

    Feel free to surf to my blog :: links

  38. Posted August 11, 2013 at 2:34 pm | Permalink

    Looking at your internet site from an link buildiers
    perspective. It looks like you will have this entire challenge down well.

    I’m wondering you use something such as Ultimate Demon to build most of these links? Never ever really can be this sure, but it appears to be extremely decent to me personally.

  39. Posted August 11, 2013 at 4:44 pm | Permalink

    Protected effective link building is essential these days

    Also visit my web-site search results

  40. Posted August 20, 2013 at 5:50 pm | Permalink

    iwc クロノ

  41. Roji
    Posted January 12, 2014 at 6:16 am | Permalink

    Right, requestPathInvalidCharacters=”" helped me to come out of this issue…

  42. Posted February 16, 2014 at 5:52 am | Permalink

    Very quickly this website will be famous amid all blog users,
    due to it’s nice articles

    Have a look at my site; Vindictus Hacks

  43. Posted February 20, 2014 at 7:08 am | Permalink

    We stumbled over here coming from a different page and thought I might check things out.
    I like what I see so now i am following you. Look
    forward to looking at your web page again.

  44. Posted May 8, 2014 at 7:22 am | Permalink

    If you think you have a mold problem, it is important to take care
    of as quickly as possible, and form can help rebuild society.
    You can take help of mold remediation Charleston SC service providers to get rid of these unwanted guests.
    Leaks in your roof or around windows, plumbing problems and even cracks and crevices in the walls allow moisture
    to seep into your home’s structure.

  45. Posted May 26, 2014 at 7:22 am | Permalink

    Simply want to say your article is as astonishing. The clearness in your
    post is just nice and i could assume you’re an expert on this subject.
    Well with your permission allow me to grab your RSS
    feed to keep updated with forthcoming post. Thanks a million and please carry on the rewarding work.

  46. Posted May 30, 2014 at 11:11 am | Permalink

    Greetings from Colorado! I’m bored to death at work so I decided to check out your blog on my iphone during
    lunch break. I love the knowledge you provide here and can’t wait to take a look when I get
    home. I’m amazed at how quick your blog loaded on my phone ..
    I’m not even using WIFI, just 3G .. Anyhow, amazing

  47. Posted June 21, 2014 at 12:56 am | Permalink

    That is a good tip particularly to those
    new to the blogosphere. Simple but very precise information… Appreciate your sharing this one.
    A must read article!

  48. Posted June 30, 2014 at 1:20 pm | Permalink

    When someone writes an paragraph he/she keeps
    the image of a user in his/her mind that how a user can be
    aware of it. Therefore that’s why this post is outstdanding.

    Feel free to surf to my blog post … Woocommerce themes premium

  49. Posted July 7, 2014 at 11:32 pm | Permalink

    I see a lot of interesting content on your page. You have to spend a lot of time writing,
    i know how to save you a lot of time, there is a tool that creates unique, SEO friendly articles in couple of minutes, just type in google
    - laranita’s free content source

3 Trackbacks

Post a Comment

Your email is never published nor shared. Required fields are marked *


You may use these HTML tags and attributes <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>