Getting error 400 / 404 - HttpUtility.UrlEncode not encoding full string?

Question

Why do the following URLs give me the IIS errors below:

A) http://192.168.1.96/cms/View.aspx/Show/Small+test'

A2) http://192.168.1.96/cms/View.aspx/Show/Small%20test' <-- this works, but is not the result from HttpUtility.UrlEncode()

B) http://192.168.1.96/cms/View.aspx/Show/'%26$%23funky**!!~''+page

Error for A:

HTTP Error 404.11 - Not Found
The request filtering module is configured to deny a request that contains a double escape sequence.

Error for B:

HTTP Error 400.0 - Bad Request
ASP.NET detected invalid characters in the URL.

The last part of the URL after /Show/ is the result after the text is being sent through HttpUtility.UrlEncode() so, according to Microsoft it is URL Encoded correctly.

If I user HttpUtility.UrlPathEncode() rather than HttpUtility.UrlEncode() I get the A2 results. But B ends up looking like:

http://192.168.1.96/TVCMS-CVJZ/cms/View.aspx/Show/'&$#funky**!!~''%20page

which is still wrong. Does Microsoft know how to URL Encode at all? Is there a function someone has written up to do it the correct way?

EDIT:

I've written my own encoder:

static public string UrlEncode(string encode)
{
    if (encode == null) return null;
    string encoded = "";

    foreach (char c in encode)
    {
        int val = (int)c;
        if ((val >= 48 && val <= 57) || (val >= 65 && val <= 90) || (val >= 97 && val <= 122))
            encoded += c;
        else
            encoded += "%" + val.ToString("X");
    }

    return encoded;
}

The function works with A2 above just fine the result for B is:

http://192.168.1.96/cms/View.aspx/Show/%27%26%24%23funky%2A%2A%21%21~%27%27%20page

But even though that looks like a nice valid URL IIS still gives me a

HTTP Error 400.0 - Bad Request ASP.NET detected invalid characters in the URL.

Answer 1

OK, answering my own question... hate doing it but I got the answer after much digging.

http://www.lostechies.com/blogs/joshuaflanagan/archive/2009/04/27/asp-net-400-bad-request-with-restricted-characters.aspx

The long and short of it is the Microsoft in all its glory decided not to stick to a international standard, again.

%, &, *, or : can not be in a URL, encoded or decoded before a ? for any reason.

To get around this I've written my own encode and decode:

static public string UrlEncode(string encode)
{
    if (encode == null) return null;
    string encoded = "";

    foreach (char c in encode)
    {
        int val = (int)c;
        if (val == 32 || val == 45 || (val >= 48 && val <= 57) || (val >= 65 && val <= 90) || (val >= 97 && val <= 122))
            encoded += c;
        else
            encoded += "%" + val.ToString("X");
    }

    // Fix MS BS
    encoded = encoded.Replace("%25", "-25").Replace("%2A", "-2A").Replace("%26", "-26").Replace("%3A", "-3A");

    return encoded;
}

static public string UrlDecode(string decode)
{
    if (decode == null) return null;
    // Fix MS BS
    decode = decode.Replace("-25", "%25").Replace("-2A", "%2A").Replace("-26", "%26").Replace("-3A", "%3A");

    return HttpUtility.UrlDecode(decode);
}

Neither of the functions are Unicode friendly at the moment, but for now it works.