Aspnetcore.docs: Document that [FromRoute] does not unescape %2F
Query string parameters are completely unescaped, but %2F from the route parameters are not unescaped to /. Not sure if this is the correct page, but this definitely needs to be documented somewhere.
Original discussion: aspnet/Mvc#4599
Document Details
⚠Do not edit this section. It is required for docs.microsoft.com ➟ GitHub issue linking.
- ID: 32374077-e02e-d6a6-1cea-05e58447b7cd
- Version Independent ID: 86aeab13-1c25-9fc1-4e56-0390cb40c242
- Content: Routing in ASP.NET Core
- Content Source: aspnetcore/fundamentals/routing.md
- Service: unspecified
- GitHub Login: @ardalis
- Microsoft Alias: riande
gldraphael
All 4 comments
Per @ryanbrandenburg
the guidance would be not to use [FromRoute] on any values which are likely to contain %2f (/)
and instead use [FromQuery] which will give you an entirely URL decoded string
@gldraphael is that your understanding of what should be added?
Rick-Anderson
on 2 May 2018
That's a good recommendation.
I think it's also important to state that %2Fs will not be unescaped to /, because there are other ways to handle it if [FromRoute] is desired.
gldraphael
on 2 May 2018
I think the IIS behaviour must also be documented.
So
[FromRoute]does not decode (or unescape)%2Fto/.- Exception: when the app is hosted in IIS, IIS decodes the
%2Fs.
PS: I haven't tested the IIS behavior.
gldraphael
on 2 May 2018
@gldraphael we'd rather not document the exception.
Rick-Anderson
on 2 May 2018
Related issues
Rick-Anderson
·
3Comments
Raghumu
·
3Comments
AnthonyMastrean
·
3Comments
Mattacks
·
3Comments
wgutierrezr
·
3Comments