Self/Edit link generated by convention model builder will be double encoded


In my example, I returned string ID as “Test 01”. The self-link looks like:
http://hongye2dev3/9cfe3174130842d5b5e43761cee4f566/StringPrimaryKeyType('Test%25201')
This URL won't work with IIS7 with default settings, as it blocks double-encoded URLs for security reasons.

The impact of this issue is that special characters like spaces in an entity ID will block OData web host scenarios. Users have to disable the double-encoding check to work around it. So it should be high impact.


Closed Jan 3, 2013 at 12:37 AM by hongyes


hongyes wrote Nov 2, 2012 at 12:59 AM

Can't repro same issue in web api Url.Link, or explicit model builder.
The issue only happens in convention model builder.

hongyes wrote Nov 2, 2012 at 6:46 PM

The problem here is that we parse the id as a URI literal with ODataUrlBuilder, which will encode the string the first time. We then pass the encoded string to UrlHelper.Link and it will encode it twice.

hongyes wrote Nov 2, 2012 at 6:48 PM

The problem happens in both self host and web host. Web API only single-decodes the id, so when it is passed to the action parameter, the string value still contains encoded chars.
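
Added illustration, not part of the original thread or the Web API code base: the encode-twice, decode-once sequence described in the two comments above, plus an approximation of a decode-twice-and-compare check of the kind that rejects the double-encoded URL. The .NET `Uri` helpers stand in for ODataUrlBuilder and UrlHelper.Link (an assumption), and the class and method names are hypothetical.

```csharp
using System;

// Added example: names below are hypothetical, not Web API types.
static class DoubleEncodingDemo
{
    // Approximates a double-escaping filter: unescape the segment twice and
    // flag it when the second pass still changes the text. A key whose raw
    // value itself looks like an escape sequence is also flagged, so this
    // check is deliberately conservative.
    static bool IsDoubleEscaped(string segment)
    {
        string once = Uri.UnescapeDataString(segment);
        string twice = Uri.UnescapeDataString(once);
        return !string.Equals(once, twice, StringComparison.Ordinal);
    }

    // Builds the key segment of the link from an already-encoded key.
    static string KeySegment(string encodedKey)
    {
        return "StringPrimaryKeyType('" + encodedKey + "')";
    }

    static void Main()
    {
        string id = "Test 01"; // constructed sample key containing a space

        // First pass: the key is escaped when it is formatted as a URI literal.
        string encodedOnce = Uri.EscapeDataString(id);

        // Second pass: the already-escaped text is escaped again by the link
        // generator, so the '%' from the first pass is itself escaped.
        string encodedTwice = Uri.EscapeDataString(encodedOnce);

        foreach (string key in new[] { encodedOnce, encodedTwice })
        {
            string segment = KeySegment(key);

            // The server decodes once before binding the action parameter.
            string afterSingleDecode = Uri.UnescapeDataString(segment);

            Console.WriteLine(
                "{0}\n  after one decode: {1}\n  flagged as double-escaped: {2}",
                segment, afterSingleDecode, IsDoubleEscaped(segment));
        }
    }
}
```

The second iteration shows both symptoms from the thread: the segment is flagged by the check, and the value left after a single decode still contains an escape sequence.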

youssefm wrote Dec 5, 2012 at 6:52 PM

Looks like the issue is fixed with the latest routing changes:
<link rel="edit" href="http://localhost/Todo('Test%2001')" />
<link rel="self" href="http://localhost/Todo('Test%2001')" />
is single-encoded