Webapi: DateTimeOffset as query parameter

Created on 27 Jan 2015  ·  3Comments  ·  Source: OData/WebApi

When colon “:” and plus “+” is used with OData V4 request as part of a DateTimeOffset format parameter an OData V4 function, IIS 7.0+ rejects the request terming usage of “:” and “+” as invalid, since they are restricted characters in URL Path.

For example:
http://abkmr1213/abkmrorg/api/data/LocalTimeFromUtcTime(TimeZoneCode=4,UtcTime=2015-01-08T15:08:16.1512974+05:30) will cause parsing failure in IIS.

Also, if we fully encode all : as %3A, and all + as %2B, still IIS 7.0+ will fail while parsing %2B due to the default value of allowDoubleEscaping=false. %2B is double encoding of space, hence the parsing failure in : http://abkmr1213/abkmrorg/api/data/LocalTimeFromUtcTime(TimeZoneCode=4,UtcTime=2015-01-08T15%3A08%3A16.1512974%2B05:30)

As an alternative, it is possible to use function parameters in query options and make the call after fully escaping all ":" and "+" characters:-
http://abkmr1213/abkmrorg/api/data/LocalTimeFromUtcTime(TimeZoneCode=4,UtcTime=@utcTime)?@utcTime=2015-01-08T15%3A08%3A16.1512974%2B05:30

I would request that support be added in odata client libraries to encode DateTimeOffset function parameters as query options with URL encoding. Otherwise enabling the use of ":" and "+" within the URL opens up the IIS server to large security risks.

P2

Most helpful comment

+1

All 3 comments

+1

When will this be implemented? We currently have use for this functionality. :)

@drMerf What do you think to be implemented? Issue at client side https://github.com/OData/odata.net/issues/73?

Was this page helpful?
0 / 5 - 0 ratings