We have a problem in a specific server. All plus signs posted to the application are replaced with spaces - that's in POST and GET, and on all pages on that site.
As a test case I have this little page (it's an ASP server):
<html>
<body>
<form method="post">
<input type="text" name="Plus" id="Plus" />
<input type="submit" />
</form>
Previous Value: <%= request("Plus") %><br />
Query String: <%= request.querystring %>
</body>
</html>
On every other server this works well, but on one server pluses are replaced with spaces.
Example: for the input "1 2+3" - request("Plus") is "1 2 3", and the Query String is "1+2+3". No good. Other characters seem to be decoding correctly.
It should be said someone had tried to 'harden' this server against attacks, so obscure IIS options may be turned on (though we did remove the ISAPI filter).
Thanks.
UPDATE:
It turns out there's another filter installed, the SQL Injection Filter ISAPIClipSQLInjection.dll from http://www.codeplex.com/IIS6SQLInjection .
The filter is buggy - it replaces valid characters from POST and GET:
- Plus signs are replaced with spaces: "1%2B2" -> "1+2", same as "1 2"
- Semicolons are replaced with commas: "hello;" -> "hello,"
A newer version of the filter (2.0b) does not fix this, but allows excluding certain pages. Since it is installed in production we decided not to remove the filter; we used JavaScript to change all pluses to "+ " (with space and not a semicolon).
Not the optimal solution, but that's what the boss wanted.
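The round trip described in the update, as an added example that is not part of the original post or the filter's own code: `lossy_filter` is a constructed model of only the two rewrites reported above, and `audit` sends probe values through a filter to list which ones the application no longer receives intact. All function names are hypothetical, and `inspect_only_filter` is an assumed alternative design that checks a decoded copy but forwards the original bytes.

```python
import re
from urllib.parse import parse_qs, urlencode

# Constructed probe values: the two characters reported as damaged, plus controls.
PROBES = ["1+2", "hello;", "a b", "50%"]


def app_decode(body, field="Plus"):
    """What the application sees: form decoding ('+' -> space, %XX -> character)."""
    return parse_qs(body, keep_blank_values=True)[field][0]


def lossy_filter(body):
    """Constructed model of the reported behaviour (not the DLL's actual code)."""
    # "%2B" is rewritten to a literal '+', which the application then reads as a space.
    body = re.sub(r"%2B", "+", body, flags=re.I)
    # Semicolons, encoded or literal, come out as commas.
    return re.sub(r"%3B|;", ",", body, flags=re.I)


def inspect_only_filter(body, is_blocked=lambda value: False):
    """Assumed alternative: examine a decoded copy, forward the request unchanged."""
    for values in parse_qs(body, keep_blank_values=True).values():
        if any(is_blocked(v) for v in values):
            raise PermissionError("request rejected by filter")
    return body  # original bytes, never re-serialised


def audit(filter_fn, probes=PROBES):
    """Return {sent: received} for every probe the filter did not deliver intact."""
    damaged = {}
    for value in probes:
        wire = urlencode({"Plus": value})        # e.g. "Plus=1%2B2"
        received = app_decode(filter_fn(wire))
        if received != value:
            damaged[value] = received
    return damaged


if __name__ == "__main__":
    print("lossy filter:       ", audit(lossy_filter))
    print("inspect-only filter:", audit(inspect_only_filter))
```

Running the same probes against a real server before and after installing a request filter shows whether it alters data the application depends on.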