I know why the post fails, but I'm not sure how to resolve it and I can't find any other references to this. I'm taking out references to jEditable to make this simpler, as it happens without the jEditable plugin.

So how the heck do I "escape" the keyword so that it posts correctly? Here's relevant code:

Test

<script type="text/javascript">
$(function() {
 $('#button').click(function() {
  $.ajax({
   type : 'POST',
   url : 'ajax/post_cms.php',
   dataType : 'html',
   data : {
    id : '1',
    data : '<p>This is a test of the system that shows me an alert !</p>'
   },
   success : function(data) {
    console.log(data);
   },
   error : function(XMLHttpRequest, textStatus, errorThrown) {
    console.log('An Ajax error was thrown.');
    console.log(XMLHttpRequest);
    console.log(textStatus);
    console.log(errorThrown);
   }
  });
 });
});
</script>

<input type="button" name="button" value="button" id="button" />

When it errors out, it's throwing the "error:" callback function, and the "errorThrown" is logged as undefined. I'm positive it's the word "alert" because if I spell it "allert" in the one place it appears, everything posts just fine. If you take out the HTML (so it's just "data : 'This is a test of the system that shows me an alert !'") it works just fine.

XMLHttpRequest = "XMLHttpRequest readyState=4 status=0 multipart=false" textStatus = "error" errorThrown = "undefined"

GAH!! HELP!!

A: 

If it's only the word alert, you could simply change it to something else, like #1234# and then parse it back. It's hacky but a library that crashes if you enter "alert" sounds pretty funky to me.

You could also go in the lib code and fix it... or open a ticket and get them to fix it. It sounds to me it's a pretty important issue!

marcgg
+2  A: 

UPDATE: The problem was a firewall catching the AJAX request as an XSS attack. If you're experiencing problems similar to those exhibited below, make sure to check your environment.

Symptoms:

  1. Post data is failing with an error code of 0
  2. Post data works in other places but not in your environment
  3. Post data works as long as it doesn't contain any javascript functions
  4. Your library doesn't seem like it should be at fault based on documentation
  5. You can't find a bug in your library.

I think there's something else wrong here other than jQuery. Your initial example works fine for me.

See a working example here: http://jsbin.com/ifami

Note: I had to change your ajax URL to a valid URL but otherwise there were no other changes.

That being said, you could try encoding your values as URI components:

<script type="text/javascript">
$(function() {
  $('#button').click(function() {
    $.ajax({
      type : 'POST',
      url : 'ajax/post_cms.php',
      dataType : 'html',
      data : {
        id : '1',
        data : encodeURIComponent('<p>This is a test of the system that shows me an alert !</p>')
      },
      success : function(data) {
        console.log(data);
      },
      error : function(XMLHttpRequest, textStatus, errorThrown) {
        console.log('An Ajax error was thrown.');
        console.log(XMLHttpRequest);
        console.log(textStatus);
        console.log(errorThrown);
      }
    });
  });
});
</script>
coderjoe
What the heck is it then? I'm lost. I changed the URL from the relative path to an absolute path -- no change. I downloaded the latest jQuery library (1.3.2) to ensure I was using that. Headers look the same when I inspect them. Server configuration then?
Nathan Loding
But if I take my example above and spell "alert" as "allert" it works just fine ......
Nathan Loding
Does the ajax call support GET? If so, can you try visiting the page manually to see what the output is? Maybe it isn't the input but the output that is causing the error?
coderjoe
What is the value of XMLHttpRequest.responseText? What is the server actually trying to return?
coderjoe
@coderjoe: The post_cms.php script only has one line: print_r($_POST). The XMLHttpRequest.responseText isn't a valid property. The console dumps of what's present in Firebug are at the bottom of the question.
Nathan Loding
@coderjoe: I'm sorry, I looked in the wrong place. XMLHttpRequest.responseText is null ("").
Nathan Loding
Have you tried encoding your post data as a URI component? (see the above change to my answer)
coderjoe
@coderjoe: I just added the encodeURIComponent() function, and I get the same result. But, I copy and paste my exact code to JSBin and it works just fine. ARGH!
Nathan Loding
oh, I forgot to mention, try converting your AJAX url to be a full path including http://
coderjoe
@coderjoe: Did that, still fails, same error. But again -- misspell "alert" and it works.
Nathan Loding
Try changing the return type to "text". I doubt print_r returns valid HTML.
coderjoe
@coderjoe: I've tried 'text' and 'json' and neither works. But it's not even getting a response from the server. Firebug doesn't show any response, just the Headers being sent.
Nathan Loding
Also what do the headers being sent look like? Do they look valid? Check your http access and error logs, are there any hints there as to why there is no response from the server? Is it reaching the server? Is there an error you're not seeing?
coderjoe
Just to confirm, the php file and the website containing the javascript/html are the same server right? You're not executing this locally right?
coderjoe
@coderjoe: Here's what I'm seeing on my end (note, the website is not publicly accessible): http://nloding.com/ajax_error_headers.png, http://nloding.com/ajax_error_post.png. These were taken before the encodeURIComponent, but the same errors are generated, just different post data as it's encoded. Nothing in the error.log or access.log files in Apache -- shows test.php being pulled but nothing for the post_cms.php page. It's not even hitting that page.
Nathan Loding
Is the test.php file globally accessible? Could I give it a try myself?
coderjoe
@coderjoe: Unfortunately it is not, as this is a secure website with sensitive data. The site is locked down for only internal use. The exact contents of test.php are posted above, though, and post_cms.php only has print_r($_POST) at this point.
Nathan Loding
I'm not going to lie, I'm completely out of answers and have been for a while. I suggest making sure that you experience the same errors in both IE and Firefox to rule out any bugs browser side. Then I'd suggest making sure it isn't your secure website denying the connection before it even happens or something equally crazy. Best of luck!
coderjoe
@coderjoe: Well, you were right, a firewall was grabbing it as XSS. But only during an asynchronous request, which is why it was only that Ajax function that failed. Because I could post other items containing the word 'alert,' I totally didn't think of it as a firewall issue. THANKS A MILLION!!
Nathan Loding
Glad I could help. You can thank my friend Occam and his ever sharp razor for leading me to that final conclusion. :P I'm going to update my question with the discovered solution so people with similar problems might find it sooner.
coderjoe
And to finish describing the solution -- our firewalls were grabbing asynchronous requests as dangerous, and then scanning them for keywords, such as 'alert,' 'replace,' 'object,' and 'eval' -- but they were only looking for the words, not the function (i.e., not 'alert(' or something). So it was killing my GET/POST request.
Nathan Loding
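
The false positive described in the final comment above, as an added example (not code from the thread or from any firewall product): a simplified model of a rule that matches bare keywords, compared with one that requires call syntax. The keyword list is from the thread; the function names and sample bodies are constructed here, and the real firewall's logic is not shown on the page.

```javascript
// Added example: simplified model of the firewall behaviour described in the thread.
// The keyword list is from the thread; all function names are hypothetical.
const KEYWORDS = ['alert', 'replace', 'object', 'eval'];

// Build the body the way $.ajax serialises a plain `data` object
// (application/x-www-form-urlencoded).
function formEncode(fields) {
  return new URLSearchParams(fields).toString();
}

// Decode the form body once, as an inspecting proxy would, and join the values.
function decodedValues(body) {
  return Array.from(new URLSearchParams(body).values()).join('\n').toLowerCase();
}

// Rule as described in the thread: any keyword anywhere in the body is a hit.
function keywordRule(body) {
  const text = decodedValues(body);
  return KEYWORDS.filter((w) => text.includes(w));
}

// Narrower rule: a hit only when the keyword appears with call syntax, e.g. "alert(".
function callSyntaxRule(body) {
  const text = decodedValues(body);
  return KEYWORDS.filter((w) => new RegExp('\\b' + w + '\\s*\\(').test(text));
}

// Constructed sample bodies based on the payload in the question.
const html = '<p>This is a test of the system that shows me an alert !</p>';
const samples = {
  original: formEncode({ id: '1', data: html }),
  misspelled: formEncode({ id: '1', data: html.replace('alert', 'allert') }),
  preEncoded: formEncode({ id: '1', data: encodeURIComponent(html) }),
  callSyntax: formEncode({ id: '1', data: '<p>alert("saved") runs on click</p>' }),
};

// Evaluate both rules against every sample body.
function report() {
  const out = {};
  for (const [name, body] of Object.entries(samples)) {
    out[name] = { keyword: keywordRule(body), call: callSyntaxRule(body) };
  }
  return out;
}

console.log(JSON.stringify(report(), null, 2));
```

The pre-encoded body still trips the keyword rule because encodeURIComponent leaves letters unchanged, which matches the asker's report that encoding made no difference.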
A: 

I think maybe your data: parameter needs another set of parentheses, like so:

 data : ({ id : '1',
           data : '<p>This is a test of the system that shows me an alert !</p>'
           }),
Neil
@Neil: That was a fantastic idea -- but nope! I tried that with and without the encodeURIComponent and it still fails on my server. But again, only if the word "alert" is present.
Nathan Loding