Bug Fix: Error 404 when a URL contains a plus symbol (+) with IIS7

Thoughts from the team
By    | September 7, 2011 | Tips & Tricks,

Due to a change in IIS 7’s security model, it is much stricter on what is and what isn’t a valid URL – that includes rejecting URLs that have a plus symbol (+) in the path (not the query string).  I’ve found this problem normally occurs when you are using URL re-writing to turn ugly URLs like ‘default.aspx?my+value’ into pretty, human friendly URLs like ‘/my+value’.

To work around this new feature you can put the following in your web.config:

<system.webServer>
    <security>
        <requestFiltering allowDoubleEscaping="true" />
    </security>
</system.webServer>

Be warned though, you are disabling a security feature so you are opening yourself up to attacks using malicious URLs.  Ensure that you really do need to have + symbols in the URL before doing this.  For example, if the plus sign is coming from have spaces in a string, could you replace the spaces with a hyphen (-)?

More like this