Jquery Ajax XML respond problem

Developer (devze.com) https://www.devze.com 2022-12-10 17:20 Source: web

I am a little bit confused about something. I am doing an Ajax request via jQuery and sending back encoded data in an XML document (using htmlentities to prevent XSS), but when I parse the XML and get the data, it seems jQuery automatically decodes the htmlentities and I end up with vulnerable data.

Do you have any idea how to prevent jQuery from decoding the encoded data, or am I missing an option in the ajax request?

Any help is very appreciated as I am stuck at this point.

Here are my current ajax options:

$.ajax({
  url: 'ajax_handle.php',
  data: {pg: cpage, rid: rid},
  type: 'POST',
  cache: false,
  error: function(xhr, ajaxOptions, thrownError){
     $( button ).val( 'Error' );
  },
  success: function(xmldata){ /* Parsing here */ }
});

Somehow, when I use jQuery's find() and get the text, all the data that was encoded with htmlentities gets decoded.

Example :

Data : <c><cu>Test</cu><cb>&#160;htmlentitiesgez564&lt;script&gt;</cb></c>

Parsed data :

cu : Test
cb :  htmlentitiesgez564<script>;

You can see how dangerous that can be. Any idea how to fix this?


jQuery is automatically decoding the data, but as long as you don't eval or inject that data into the DOM, nothing will happen. So, for example, if you wanted to inject this into the DOM, you don't have to use the html method but the text method:

$('#someDiv').text('<script>alert("ok");</' + 'script>');


Try adding the dataType option to your ajax config object:

$.ajax({
  url: 'ajax_handle.php',
  data: {pg: cpage, rid: rid},
  type: 'POST',
  dataType: "text",
  cache: false,
  error: function(xhr, ajaxOptions, thrownError){
     $( button ).val( 'Error' );
  },
  success: function(xmldata){ /* Parsing here */ }
});

This should tell jQuery that the received response is to be interpreted as text rather than parsed as XML.
