In my example, I returned string ID as “Test 01”. The self-link looks like:
http://hongye2dev3/9cfe3174130842d5b5e43761cee4f566/StringPrimaryKeyType('Test%25201')
This url won't work with IIS7 with default settings. As it will blocks double encoding url for security reason.
The impact for this issue is that special characters like space in entity ID will block odata web host scenarios. User has to disable double encoding check to workaround it. So it should be in high impact.
Comments: The problem happens in both self and web host. Web API only single decode the id, so when passing to the action parameter, the string value still contains encoded chars.
http://hongye2dev3/9cfe3174130842d5b5e43761cee4f566/StringPrimaryKeyType('Test%25201')
This url won't work with IIS7 with default settings. As it will blocks double encoding url for security reason.
The impact for this issue is that special characters like space in entity ID will block odata web host scenarios. User has to disable double encoding check to workaround it. So it should be in high impact.
Comments: The problem happens in both self and web host. Web API only single decode the id, so when passing to the action parameter, the string value still contains encoded chars.