Problem with escaped characters

Topics: User Forum
Jul 30, 2008 at 11:18 AM

I'm having problems with escaped characters. Hopefully, I'm doing something wrong or I have missunderstood something.

My links look like this:

Which I then rewrite to this:

But, this doesn't work because the escaped characters, in this case the '/' as '%2f' and the '=' as '%3d', are "unescaped" by the filter. In the rewrite log, the above link looks like this:

Obviously, my rewrite rules for dividing querystring variables won't work now. The resulting url looks like this:

All suggestions for solving this are more than welcome. What to do?
Jul 31, 2008 at 11:02 AM
Seems like escaped characters remain escaped if they come after a questionmark, but not before.

This looks ok in the rewrite log:

But this doesn't, it gets decoded:

Is it not possible to have escaped characters in "folder-names" in the URL?
Jul 31, 2008 at 9:31 PM

I'm not sure I get it.

do you want the filter to URL-decode the url before it evaluates rules, or not?

I'm not understanding, sorry.

Currently IIRF does not do any url-decoding on the query string, but the URLs get decoded by IIS. The result is the query string arrives at the filter with the encoding in place.

There is a proposal to modify IIRF to URL-decode, everything before evaluating rules.  This comes out of the realization that if IIRF did not decode URLs before evaluating rules, it would be possible to subvert the filter rules by just encoding a single char in an incoming URL. 


Aug 1, 2008 at 8:47 AM
Edited Aug 1, 2008 at 8:48 AM
Sorry if I was unclear, it was understandable to me ;-).

It is as I suspected then. The URL is decoded by the IIS and the querystring is left alone. The decoding of the URL causes problems for me because I use '/' to divide my querystrings into the URL to make them more readable (this: looks like this: The problem is that my application uses encryption on some of the id:s and therefor it looks like this:, with encrypted variables in the URL. The encryption in this case contains the escaped character '%2f' which is then decrypted by the IIS (because it is in the URL) to '/'. My rules look for the '/' to restore the querystring, so this is no good.

In short, I should not use escaped characters in the URL because they will be decoded by the IIS and my rules will not work correctly.
Aug 1, 2008 at 8:46 PM
Edited Aug 1, 2008 at 8:47 PM

Ok, I think I am catching on.

So you have a %2f in your URL (among other things) but you DON'T want that to be decoded?

YES, I think good URL hygiene practices would call for including a %2f in your URL only if you are intending a '/' (and so on with all other escape sequences).

 Maybe you could use some other divider - like a dash or a ! or something . . .

Aug 4, 2008 at 8:32 AM
I don't want to use another divider, because then the URLs will not be hackable.

Instead, I think I will replace the '%2f' with something else, like '_d_' for instance, and hope that the encryption doesn't contain this by default.

Thanks for your help!