3

I need to be able to allow the "+" sign for certain actions in a controller. I am building a tag filtering engine that allows something like this (ie. stackoverflow) : /Stuff/Tagged/tag-name-1+tag-name-2+other-tag

I know I can set allowDoubleEscaping="true" in the web.config, but it is not best practices for security reasons.

I am guessing there is a way using maybe a custom filer or some other registry in the global.asax?

James Reategui
  • 1,307
  • 2
  • 16
  • 23

3 Answers3

3

StackOverflow is probably treating the + as a whitespace. Most likely they map the route /Stuff/Tagged/{*tags} and call string.split() on the tags. This actually works out great if you don't allow whitespace in your tags.

Wyatt Barnett
  • 15,573
  • 3
  • 34
  • 53
  • That's exactly what I'm doing. But the only way for IIS7 to allow the `+` sign in the url is to allowDoubleEscaping in the web.config which may pose a security risk. – James Reategui Sep 30 '11 at 18:10
  • 1
    Its probably a bit overly paranoid, see http://stackoverflow.com/questions/1453218/is-enabling-double-escaping-dangerous – Wyatt Barnett Sep 30 '11 at 18:13
  • 1
    You're right, it is overly paranoid. For others, the solution Wyatt went over is what I'm currently using and it works great. – James Reategui Dec 03 '11 at 21:09
0

You can use simple replace:

string url = Url.Action("Index", "YourController");
url = url.Replace("%2b", "+");
Tomas Kubes
  • 23,880
  • 18
  • 111
  • 148
0

+ means whitespace in an url. You should URL encode them:

/Stuff/Tagged/tag-name-1%2Btag-name-2%2Bother-tag
Darin Dimitrov
  • 1,023,142
  • 271
  • 3,287
  • 2,928
  • 1
    I'm aware of that... but it is not visually appealing and does not serve the purpose in this case. Nowadays more sites are using the plus sign in the URL for what it means, like Stack Overflow does for its tags. – James Reategui Sep 30 '11 at 17:50
  • 2
    It is not possible, because [W3C](http://www.w3.org/Addressing/URL/5_BNF.html) standards specify + represents space in a URL. – Zasz Sep 30 '11 at 18:03