if encoding using escape(data) in javascript, how to decode it in server side?
I use ajax to post encoding data with escape javascript function, how can I decode it at the server side with classic asp
If you are passing arguments in URL (get method), do not use encode().. use encodeURI() function instead. Now, the data (I mean the parameters you pass) comes decoded automatically.
Related
Our application(based on Apache Wicket framework) actively uses Ajax in the form of AjaxButton, AjaxLinks etc. We want to encode the form data request in Base64 format before form submission and later decode it just after form submission. Basically, only the Base 64 encoded text will be a part of request data.
In other applications which uses javascript and java(struts framework), we have applied the encoding logic in javascript before document.form.submit and then on Java/server side , the decoding logic is applied.
Any idea how can we achieve the same in Apache wicket which follows Ajax form submission logic?
We tried AjaxCallListener but could not get hold of the request data. Hence, could not apply the encoding logic on the request
At the server side it should be easy to intercept the parameters' read by extending ServletWebRequest and overriding generatePostParameters() method.
Wicket uses jQuery to make the Ajax calls. But I see no way how to manipulate the data parameter before making the call.
Simple question. I am sending POST request through AJAX:
`myreq=${JSON.stringify({info: "+"})}`
But all what I get in req.body.myreq is:
{"info":" "}
It's empty string or space... How I can send "+" sign??
The URL-encoded form of + is %2B. If you're using Javascript, perhaps use the encodeURI() function on your string, to encode it before sending it in a request. Remember that you'll need to use decodeURI() (or whatever language-specific equivalent) to decode it on the response side of the request, so that you can use it again.
I have a simple web application in which I make a call to a java servlet using ajax from a jsp page (via post). In the servlet I take data from the database and formulate a JSON and retreive in the jsp page . I then use eval function to parse the json and display the data in the division using the innerHTML property . Somehow, this approach seems to be vulnerable to xss attacks . Can someone provide some pointers on how XSS attck can be prevented in this use case?
This sounds like DOM Based XSS. There are a few ways of preventing DOM Based XSS. Either you have to html encode the data on the server or the client. HTML encoding data in the database should always be avoided because it changes the value of the data and will affect how the data is sorted, ect. XSS is an output problem so it should be solved by the code that is building the HTML, which in your case is JavaScript.
Newer browsers support JSON.parse().For older browsers use json2.js.
You should also properly encode the JSON so values cannot break out of quotes etc. Find a decent json encoder and use that on the server side.
I am creating a base64 string. There is also '+' sign in that string. I am sending it through ajax to the database. but ajax removes the + and replace it with white pace. How I can overcome this problem
How are you sending it to your server ?
You must urlEncode what's in the url, or use JSON.stringify for an object you send as json.
This means you must decode it on the server side but most server technologies handle this for you.
This is because you are not url encoding the base64 before sending it.
Run your base64 through javascript's escape() function before sending it.
I'm calling a REST API somebody else created. It supports JSONP to facilitate cross domain access.
The response I get back from the service looks like:
mycallback('{"token": "123456789"}');
Notice the single quotes wrapping the JSON data; Passing it as a string rather than a raw object. JQuery can handle this, but other libraries seem to expect a raw object instead.
mycallback({"token": "123456789"});
The raw object parameter makes more sense to me since it avoids the need to parse the JSON data, but I want to know for sure before asking the maintainer of the API to make the adjustment:
Which is most correct?
Passing a javascript literal (second) as shown here is more correct as it avoids deserializing the string back to a javascript object.
Passing a string is obviously a bad thing - you have two choices (#1 is preferred):
Ask the developer of the JSONP service to send proper JSONp instead of a string
Make your callback function smart so it uses something like payload = JSON.parse(payload); in case payload is a string.