If you want to allow the request, you need to add requestPathInvalidCharacters and set it to an empty string:
<system.web> <httpRuntime requestPathInvalidCharacters="" /> </system.web>
Change You should leave your original question in place, because now my answer does not make sense.
But in answer to your second question, what is it because% 3f matches '?' which is not allowed in file names in Windows. You can set the relaxedUrlToFileSystemMapping property to true to change this behavior:
<system.web> <httpRuntime requestPathInvalidCharacters="" relaxedUrlToFileSystemMapping="true" /> </system.web>
You can view all the properties of the HttpRuntimeSection class to see if there are others that can be applied.
You can also implement a subclass of the RequestValidator class and configure your web.config to use your subclass (which is supposed to allow all URLs through?). Personally, I would not bother and just let the built-in classes handle it. It is unlikely that a typical user will accidentally enter "% 3f" each way, and why worry about taking a lot of trouble to improve usage for attackers?
This, by the way, is actually a new feature in ASP.NET 4, so Stack does not spit out an error: it works on .NET 3.5.
Dean harding
source share