
Search (both SearchDestinyPlayer and SearchByGlobalNamePrefix) throw errors when passed valid names that include : #1528

Closed
ChaseMalik opened this issue Sep 16, 2021 · 9 comments
Labels: bug filed (A bug has been filed in BNet's internal bug tracking system for this request/report.), bug

Comments

@ChaseMalik

Player with membershipId 4611686018495392478 (membershipType 3) has a bungieGlobalDisplayName of Lu:na and a bungieGlobalDisplayNameCode of 7531.

Calling SearchDestinyPlayer for him:
https://www.bungie.net/d1/Platform/Destiny/SearchDestinyPlayer/-1/Lu%3Ana%237531/
Returns a 400 Bad Request (actually the HTML for the bad request page, not a JSON response).

Similarly calling SearchByGlobalNamePrefix:
https://www.bungie.net/Platform/User/Search/Prefix/Lu%3Ana%237531/0/
Returns the same 400 Bad Request

Note that the calls fail whether the : is encoded or not.

@justrealmilk

Apparently, this also includes names with ?

@mikechambers

Also seems to include names with ">"

User name: HighImpactArea---->#9462

Member ID: 4611686018485467244
Platform: 3

with call:
https://www.bungie.net/Platform/Destiny2/SearchDestinyPlayer/-1/HighImpactArea----%3E%239462/

returns a 400 Bad Request. Note: when running this in Postman, the 400 seems to come from Cloudflare. When running in curl, the 400 seems to come from Bungie.

jshaffstall-bng added the labels bug and bug filed (A bug has been filed in BNet's internal bug tracking system for this request/report.) on Sep 28, 2021
@jshaffstall-bng
Member

Good catches. These look like some broad anti-XSS and anti-SQL-injection counter-measures. Filed as TFS 1036093.

@Achronos-BNG

Unfortunately, the only way to fix this is probably to alter the search functions so they are POST requests that take the input as post body data. The URL can't have those characters in it without triggering some very important anti-XSS and anti-injection checks. I'll have to consider the best way to go about such a transition.

@mikechambers

@Achronos-BNG Thank you for the additional info on context. Sounds like this is not a quick / easy fix, and so we should work around it, rather than wait for a fix.

@floatingatoll

Are the affected users still able to sign in with Bungie into the various third-party apps and view their own inventory and such, i.e. this only affects "search by name" and not "completely locked out of API"?

@mikechambers

mikechambers commented Sep 29, 2021

@floatingatoll this impacts any apps that don't rely on OAuth (i.e. lots of PvP stats apps) and use the API to access data (such as Redrix). In the case of Redrix, it means some users won't be able to use the app, since we can't fall back to the previous access method (platform / name).

@rentalhost

rentalhost commented Oct 13, 2021

A pretty similar case occurs when using / (slash), but the error is 404. For me, the best solution for now is to stop using names in the URL path and pass them as a querystring parameter instead.

E.g.

https://www.bungie.net/Platform/Destiny2/SearchDestinyPlayer/?bungieName={urlencode('X:Y/Z>W#1234')}

@jshaffstall-bng
Member

There are new Bungie Name search APIs with POST requests to find names that include special characters.

https://bungie-net.github.io/multi/operation_post_User-SearchByGlobalNamePost.html#operation_post_User-SearchByGlobalNamePost

https://bungie-net.github.io/multi/operation_post_Destiny2-SearchDestinyPlayerByBungieName.html#operation_post_Destiny2-SearchDestinyPlayerByBungieName

Please migrate to these new APIs!
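A client-side helper illustrating the migration recommended above, as an added example that is not code from the thread or from Bungie: it splits a "Name#1234" Bungie name, flags the characters the thread reports as rejected in the URL path, and moves the name into a POST body. The POST endpoint path and the body field names (`displayName`, `displayNameCode`) are assumed from the linked docs.

```python
"""Build a Bungie-name search as a POST body instead of a URL path segment."""
import json
import re
from urllib.parse import quote

# Characters the thread reports as rejected when they appear in the URL path
# (':' and '?' and '>' produce a 400, '/' produces a 404).
PATH_UNSAFE = set(":?>/")

# Assumed endpoint and body shape, taken from the linked docs (not verified here).
POST_ENDPOINT = ("https://www.bungie.net/Platform/Destiny2/"
                 "SearchDestinyPlayerByBungieName/{membership_type}/")


def parse_bungie_name(full_name: str) -> tuple[str, int]:
    """Split 'DisplayName#1234' on the LAST '#' so a '#' inside the name survives."""
    name, sep, code = full_name.rpartition("#")
    if not sep or not re.fullmatch(r"\d{1,4}", code):
        raise ValueError(f"not a Bungie name with a numeric code: {full_name!r}")
    return name, int(code)


def path_unsafe_chars(display_name: str) -> set[str]:
    """Characters in the name that the thread reports break the path-based GET form."""
    return PATH_UNSAFE & set(display_name)


def legacy_path_url(full_name: str, membership_type: int = -1) -> str:
    """The old GET form: the name is embedded in the path (fails for the chars above)."""
    return (f"https://www.bungie.net/Platform/Destiny2/SearchDestinyPlayer/"
            f"{membership_type}/{quote(full_name, safe='')}/")


def post_request(full_name: str, membership_type: int = -1) -> tuple[str, str]:
    """The new form: returns (url, json_body); the name only ever travels in the body."""
    display_name, code = parse_bungie_name(full_name)
    body = json.dumps({"displayName": display_name, "displayNameCode": code})
    return POST_ENDPOINT.format(membership_type=membership_type), body


if __name__ == "__main__":
    # Constructed sample input, taken from the names reported in the thread.
    for full in ("Lu:na#7531", "HighImpactArea---->#9462"):
        name, _ = parse_bungie_name(full)
        print(full, "path-unsafe:", sorted(path_unsafe_chars(name)), post_request(full, 3))
```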
