ASP.NET 4.5.1 and URI reserved characters

I recently bumped into a strange behavior: a request to a ASP.NET application containing an encoded hash (# – %23) on the path resulted on trimmed URLs. This happen on a server running IIS 8.0 and .NET 4.5 but not in my development machine, running IIS 8.5 and ASP.NET 4.5.1.

It turns out that Microsoft changed the way request URLs are created before being passed into the handlers. In my case, the URL was trimmed because it was unescaped by ASP.NET and then an Uri instance was being used. The Uri considers the hash to be the fragment separator (and this is correct). But the escaped hash character shouldn’t have been unescaped in the first place!

This was fixed with in 4.5.1, but the new behavior seems to also affect plus characters (+) and maybe more. Anyway, it is a possible breaking change. I’ve found this blog post with further details. There is a new appSetting (ouch…) to activate the “legacy” behavior: aspnet:UseLegacyRequestUrlGeneration. Documentation of this and other obscure settings can be found here.