Use any characters you want in your URLs with ASP.NET 4 and IIS 7!

After spending entirely too much time researching this issue today, here is how you can use any characters you want for URLs in ASP.NET 4 and IIS 7. A bit of background: I am writing a web application that has a custom HttpModule and HttpHandler that should handle all requests and not limit the syntax of those requests at all. I could not find the information on how to do this in one place anywhere, and there is a reasonable amount of misleading, unanswered and naive responses on various forums that will likely lead you astray if you have an advanced configuration like mine. There are also a lot of completely out-of-date posts centered on .NET 1.1 and .NET 2.0.

The first thing I was trying to do was make a POST-ed form value containing a forward slash into something that could be used as a component in a RESTful URL. I tried to accomplish that by implementing a handler for AuthenticateRequest in my HttpModule (you can’t do it in BeginRequest unless you want to read the form data manually, because Request.Form is not initialized yet) that would encode the value and call TransferRequest. First, that made this happen:

A potentially dangerous Request.Path value was detected from the client (%).

Description: An unhandled exception occurred during the execution of the current web request. Please review the stack trace for more information about the error and where it originated in the code.

Exception Details: System.Web.HttpException: A potentially dangerous Request.Path value was detected from the client (%).

Source Error:

An unhandled exception was generated during the execution of the current web request. Information regarding the origin and location of the exception can be identified using the exception stack trace below


Stack Trace:

[HttpException (0x80004005): A potentially dangerous Request.Path value was detected from the client (%).]
   System.Web.HttpRequest.ValidateInputIfRequiredByConfig() +8815985
   System.Web.PipelineStepManager.ValidateHelper(HttpContext context) +59

Okay. ASP.NET, for security reasons, normally protects your web applications from potentially harmful content being sent to them, which is probably a good thing. But what if we want or need potentially harmful content? Should we be limited? I hoped the answer was “no”, but the almost complete lack of information on the subject sure wasn’t making it seem that way. After some not too helpful reading and some digging with Reflector, I came up with this:

<system.web>
  <httpRuntime requestPathInvalidCharacters="" />
  <pages validateRequest="false" />
</system.web>

Now no characters are invalid and requests shouldn’t even BE validated right? WRONG. While this did clear up the first exception, I faced a new one. And, while I was not sure if the validateRequest setting would even apply to my case since it is on the pages element, I assure you that for some reason that setting is an integral part of the above and following changes to work properly together. Here was my second roadblock:

Error Summary

HTTP Error 404.11 – Not Found

The request filtering module is configured to deny a request that contains a double escape sequence.

Detailed Error Information
Module RequestFilteringModule
Notification BeginRequest
Handler Clear
Error Code 0x00000000
Requested URL http://localhost:80/Clear/search/x%2Fy
Physical Path D:\Development\Clear\Clear\search\x%2Fy
Logon Method Not yet determined
Logon User Not yet determined
Most likely causes:
  • The request contained a double escape sequence and request filtering is configured on the Web server to deny double escape sequences.
Things you can try:
  • Verify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting in the applicationhost.config or web.confg file.
Links and More Information

This is a security feature. Do not change this feature unless the scope of the change is fully understood. You should take a network trace before changing this value to confirm that the request is not malicious. If double escape sequences are allowed by the server, modify the configuration/system.webServer/security/requestFiltering@allowDoubleEscaping setting. This could be caused by a malformed URL sent to the server by a malicious user.

Great, now it didn’t even look like it was getting from IIS to ASP.NET! However, deciding I “fully understood” the change, this problem was much easier to find a solution to and get past. Once again, it was a simple matter of adding the right magic words to the Web.config:

<system.webServer>
  <security>
    <requestFiltering allowDoubleEscaping="true" />
  </security>
</system.webServer>

Finally my Frankenstein was coming to life and I thought I was in the clear. But then I realized that when other clients (not form POST-ers who would not realize my HttpModule was secretly processing their inputs) wanted to send me a URL with a forward slash in a path component, they would have to double encode or use some other strange method to identify it as a different kind of forward slash than the normal path component delimiter.
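With ASP.NET request validation and the IIS double-escape filter both switched off as above, the handler itself has to decide what a path component may contain. The following is an added example, not code from the original post: RawPathComponents and its rules are hypothetical, and it assumes the caller passes the raw, un-decoded path (for example the path part of HttpRequest.RawUrl).

```csharp
using System;
using System.Collections.Generic;

// Added example: RawPathComponents is a hypothetical helper, not the post's code.
public static class RawPathComponents
{
    // rawPath is assumed to be the un-decoded request path without the query
    // string. Splitting on the literal '/' happens BEFORE decoding, so an
    // encoded slash (%2F) stays inside its component.
    public static bool TryParse(string rawPath, out List<string> components, out string error)
    {
        components = new List<string>();
        error = null;
        if (string.IsNullOrEmpty(rawPath) || rawPath[0] != '/')
        {
            error = "path must start with '/'";
            return false;
        }
        if (rawPath.Length == 1) return true; // application root, no components

        foreach (string rawSegment in rawPath.Substring(1).Split('/'))
        {
            // Decode exactly once; the result is data and is never decoded again.
            string value = Uri.UnescapeDataString(rawSegment);
            error = Reject(value);
            if (error != null)
            {
                components.Clear();
                return false;
            }
            components.Add(value);
        }
        return true;
    }

    // Returns the reason a decoded component is refused, or null if it is accepted.
    private static string Reject(string value)
    {
        if (value.Length == 0) return "empty component";
        if (value == "." || value == "..") return "dot segment";
        foreach (char c in value)
        {
            if (char.IsControl(c)) return "control character";
        }
        return null;
    }

    public static void Main()
    {
        // Constructed sample paths, not taken from the original post.
        string[] samples =
        {
            "/search/x%2Fy",       // encoded slash inside one component
            "/search/x%252Fy",     // double-encoded slash
            "/search/a*b",         // character that is illegal in a Windows file name
            "/search/%2E%2E/logs", // encoded dot segment
            "/search/x%00y"        // encoded NUL
        };
        foreach (string sample in samples)
        {
            List<string> parts;
            string error;
            bool ok = TryParse(sample, out parts, out error);
            Console.WriteLine("{0} -> {1}", sample,
                ok ? "[" + string.Join("] [", parts) + "]" : "rejected: " + error);
        }
    }
}
```

Components accepted here are still untrusted text: keep them out of file-system paths unless they are additionally checked against Path.GetInvalidFileNameChars().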

So, I decided to add a feature to my framework that would allow a syntax to specify that “the rest” of a URL is a single component and to do that I wanted to use “/*”. Convinced I could use any character I wanted now, I went ahead and ran the debugger with my test path, and to my chagrin ran into this little beauty:

System.ArgumentException occurred
Message=Illegal characters in path.
Source=mscorlib
StackTrace:
at System.Security.Permissions.FileIOPermission.HasIllegalCharacters(String[] str)
InnerException:

mscorlib.dll!System.Security.Permissions.FileIOPermission.HasIllegalCharacters(string[] str) + 0x117 bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.AddPathList(System.Security.Permissions.FileIOPermissionAccess access, System.Security.AccessControl.AccessControlActions control, string[] pathListOrig, bool checkForDuplicates, bool needFullPath, bool copyPathList) + 0x4a bytes
mscorlib.dll!System.Security.Permissions.FileIOPermission.FileIOPermission(System.Security.Permissions.FileIOPermissionAccess access, string[] pathList, bool checkForDuplicates, bool needFullPath) + 0x2c bytes
mscorlib.dll!System.IO.Path.GetFullPath(string path) + 0x5c bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath, out bool pathTooLong) + 0x42 bytes
System.Web.dll!System.Web.Util.FileUtil.IsSuspiciousPhysicalPath(string physicalPath) + 0x18 bytes
System.Web.dll!System.Web.Util.FileUtil.CheckSuspiciousPhysicalPath(string physicalPath) + 0x9 bytes
System.Web.dll!System.Web.CachedPathData.GetPhysicalPath(System.Web.VirtualPath virtualPath) + 0x77 bytes
System.Web.dll!System.Web.CachedPathData.GetConfigPathData(string configPath) + 0x190 bytes
System.Web.dll!System.Web.CachedPathData.GetVirtualPathData(System.Web.VirtualPath virtualPath, bool permitPathsOutsideApp) + 0x6f bytes
System.Web.dll!System.Web.HttpContext.GetFilePathData() + 0x25 bytes
System.Web.dll!System.Web.HttpContext.GetConfigurationPathData() + 0x1b bytes
System.Web.dll!System.Web.Configuration.RuntimeConfig.GetConfig(System.Web.HttpContext context) + 0x2c bytes
System.Web.dll!System.Web.HttpContext.SetImpersonationEnabled() + 0xd bytes
System.Web.dll!System.Web.HttpApplication.AssignContext(System.Web.HttpContext context) + 0x5c bytes
System.Web.dll!System.Web.HttpRuntime.ProcessRequestNotificationPrivate(System.Web.Hosting.IIS7WorkerRequest wr, System.Web.HttpContext context) + 0x22f bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotificationHelper(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x1fc bytes
System.Web.dll!System.Web.Hosting.PipelineRuntime.ProcessRequestNotification(System.IntPtr managedHttpContext, System.IntPtr nativeRequestContext, System.IntPtr moduleData, int flags) + 0x29 bytes
[Appdomain Transition]

So, in a last desperate attempt to not have to give up, I circled back to a solution that had not worked for any of the other problems I ran into before and to my surprise, it all worked out. Unfortunately, it requires adding a registry value, apparently making your entire server less secure and not an option except for in the most “all access” hosting environments. Anyway, you need to set the following to get the last few “illegal” characters to be allowed:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ASP.NET\VerificationCompatibility = 1 (32-bit DWORD)

Before I get accused of hacking my way out of this, this is actually a recommended fix from Microsoft written when this feature was first added as a service pack for .NET 1.1 but it is apparently still in there and for guys like me who like to push the limits, I thank them for trusting us a tiny bit:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;826437

I did find one posting that sort of talks about this problem (on Scott Hanselman’s blog), but it appears that rather than finding a solution they opted to change their URLs to work around the problem. Yes, maybe that was a better idea, but not nearly as FUN:

http://www.hanselman.com/blog/BUGCantUseAnAsteriskAsACharacterWhenRequestingAURLPageFromASPNET.aspx

Hopefully this will help someone get past the issue themselves without all the forumining and experiments, or at least convince them it’s a bad idea and give up on the special characters. 😉
