Hi guys, I am a little bit confused about something. I am doing an Ajax request via jQuery, and I send back encoded data in an XML document (using htmlentities to prevent XSS), but when I parse the XML and get the data it seems jQuery automatically decodes the htmlentities and I end up with vulnerable data.

Do you have any idea how to prevent jQuery from decoding the encoded data, or am I missing an option in the ajax request?

Any help is very appreciated as I am stuck at this point.

Here are my current ajax options:

$.ajax({
  url: 'ajax_handle.php',
  data: {pg: cpage, rid: rid},
  type: 'POST',
  cache: false,
  error: function(xhr, ajaxOptions, thrownError){
     $( button ).val( 'Error' );
  },
  success: function(xmldata){ /* Parsing here */ }
});

Somehow, when I use jQuery find() and get the text, all the data that has been encoded with htmlentities gets decoded.

Example:

Data: <c><cu>Test</cu><cb>&#160;htmlentitiesgez564&lt;script&gt;</cb></c>

Parsed data:

cu : Test
cb :  htmlentitiesgez564<script>;

You can see how dangerous that can be. Any idea how to fix this?

A: 

Try adding the dataType option to your ajax config object:

$.ajax({
  url: 'ajax_handle.php',
  data: {pg: cpage, rid: rid},
  type: 'POST',
  dataType: "text",
  cache: false,
  error: function(xhr, ajaxOptions, thrownError){
     $( button ).val( 'Error' );
  },
  success: function(xmldata){ /* Parsing here */ }
});

This should tell jQuery that the received response is to be interpreted as text.

Matt Smith
That's true, but I won't be able to parse it, since the response is XML data.
Fennec
A: 

jQuery is automatically decoding the data, but as long as you don't eval or inject that data into the DOM, nothing will happen. So, for example, if you want to inject this into the DOM, you don't have to use the html method; use the text method instead:

$('#someDiv').text('<script>alert("ok");</' + 'script>');
Darin Dimitrov
Thank you! That's actually a much simpler way to do it, I love K.I.S.S
Fennec
Also, I have figured out that putting your data inside <![CDATA[ ... ]]> prevents the parser from parsing your data, so this solves the issue as well!
Fennec
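An added example (not code from the question or either answer) that models what happens to the sample response above: any XML parser resolves the entity references in text nodes, which undoes the server-side htmlentities() encoding, and only the DOM sink then decides whether the decoded `<script>` is treated as markup or as text. The sample XML is a constructed copy of the one in the question; `parseResponse`, `renderWithHtml` and `renderWithText` are hypothetical stand-ins for `$(xmldata).find(tag).text()`, `.html()` and `.text()`, so it runs in plain Node.js without jQuery.

```javascript
// Constructed copy of the response body shown in the question.
const SAMPLE_XML =
  '<c><cu>Test</cu><cb>&#160;htmlentitiesgez564&lt;script&gt;</cb></c>';

// What a conforming XML parser does with text nodes: numeric references and
// the five predefined entities are resolved. Anything htmlentities() produced
// on the server is therefore gone by the time jQuery hands you a string.
function decodeXmlEntities(s) {
  const named = { lt: '<', gt: '>', amp: '&', quot: '"', apos: "'" };
  return s.replace(/&(#x[0-9a-fA-F]+|#[0-9]+|[a-zA-Z]+);/g, (m, ref) => {
    if (ref[0] === '#') {
      const code = ref[1] === 'x' ? parseInt(ref.slice(2), 16) : parseInt(ref.slice(1), 10);
      return String.fromCodePoint(code);
    }
    return ref in named ? named[ref] : m;
  });
}

// Minimal extraction of <tag>text</tag> leaves, equivalent to
// $(xmldata).find(tag).text() for this flat document (no attributes/nesting).
function parseResponse(xml) {
  const out = {};
  for (const m of xml.matchAll(/<([a-z]+)>([^<]*)<\/\1>/g)) {
    out[m[1]] = decodeXmlEntities(m[2]);
  }
  return out;
}

// The two sinks from the accepted answer, modelled as serialised markup.
// .html() parses its argument, so a decoded "<script>" becomes an element.
// .text() creates a text node, which the browser serialises with the
// characters re-escaped; escapeHtml() reproduces that for the comparison.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, c => map[c]);
}
function renderWithHtml(value) {            // like $('#someDiv').html(value)
  return '<div id="someDiv">' + value + '</div>';
}
function renderWithText(value) {            // like $('#someDiv').text(value)
  return '<div id="someDiv">' + escapeHtml(value) + '</div>';
}
```

With the CDATA variant from the last comment, the parser leaves the entity text untouched, so the escaped form survives into the string; the choice of sink still decides what the browser does with it.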