- 26 Posts
Hi,
I'm working on a web application (intranet) running on MODx Evo. It is accessed by Web Users, not Manager Users. I was just doing a bit of tidying up and my app stopped working. I had restructured the JavaScript variable used to hold 'viewstate' to have one overall variable with a nested object for a dialog on display. The viewstate is sent back by AJAX after calling JSON.stringify(viewstate). All looked OK in the Firebug trace, but in logging from the app I noticed the appearance of sanitize_seed in the viewstate POST variable!
I've tracked that down to protect.inc.php, and the problem just appears to be that, due to nesting JSON objects, I'm now getting }} in the JSON string and that gets unhelpfully sanitized.
Example JSON string for viewstate:
{"param1":"1","param2":"0","dlgVS1":null,"dlgVS2":{"schoolYearFilter":"5","tGroupIdList":"","studentIdList":""}}
I understand the reason for sanitizing input ... but I have two questions:
1. Is it not better practice NOT to do automatic sanitization of inputs? I've just been reading about magic_quotes_gpc and why it has been deprecated.
2. Is there anything intrinsically wrong with using nested JSON objects to represent data (viewstate or other) POSTed from UI to Server?
Thanks in Advance,
System:
- MODx Evo: 1.0.12
- Apache: 2.2.11
- PHP: 5.3.0
- MySQL: 5.1.36
- 1,613 Posts
I'm not a coder and doubt it will help, but I wrote something about sanitize here:
http://forums.modx.com/index.php/topic,63039.0.html
index.php updated?
http://forums.modx.com/thread/75991/call-to-undefined-function-modx-sanitize-gpc
Ignore this if none of it is helping.
I'm trying to keep my distance from coding stuff.
Evolution user; I like the back-end speed and simplicity.
- 2,877 Posts
As a remedy you can try to escape the calls ({\{) or try using ASCII &#123; and &#125;.
You are aware that {{ is MODx syntax for calling a chunk!?
- 26 Posts
Thanks for the replies. Yes, I understand why MODx is sanitizing special brackets like "}}".
My approach has been to
- JavaScript: use encodeURIComponent on any JSON viewstate and data posted via AJAX
- PHP: urldecode the POST parameters in the AJAX handler before passing them on to the Controller
It's working again now.
Thanks,
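The round trip described in this thread, as an added example that is not code from the posts or from MODx: a nested viewstate is JSON-encoded on the client, passed through a sanitizer that rewrites the "}}" the nesting produces, and parsed again on the server, first the original way (which breaks) and then with the poster's encodeURIComponent/urldecode workaround. The sanitizer here is a deliberately simplified stand-in for protect.inc.php and is an assumption: it only rewrites the "{{" and "}}" pairs mentioned in the thread, with a fixed seed string. The form-body handling models PHP decoding a urlencoded body once into $_POST, which is why the workaround needs its own explicit decode step on the server. Because the workaround means the sanitizer never sees the braces, the handler must treat the decoded JSON as untrusted data (check its shape and types, and never hand the raw string to anything that parses MODx tags); the field rules in validateViewstate are assumptions chosen for the constructed viewstate, not part of the original post.

```javascript
// Added example (not from the thread or from MODx): models the client/server
// round trip discussed above. Runs under Node without any dependencies.

const SANITIZE_SEED = "sanitize_seed"; // stand-in for the real generated seed

// Simplified model of the input sanitizer applied to every POST value.
// Assumption: only the "{{" and "}}" pairs named in the thread are rewritten.
function modelSanitize(value) {
  return value.replace(/\{\{|\}\}/g, SANITIZE_SEED);
}

// Constructed viewstate with the same shape as the one in the first post:
// one outer object holding a nested object for the dialog on display.
const viewstate = {
  param1: "1",
  param2: "0",
  dlgVS1: null,
  dlgVS2: { schoolYearFilter: "5", tGroupIdList: "", studentIdList: "" },
};

// Models PHP filling $_POST from an application/x-www-form-urlencoded body:
// the value is percent-decoded once, then the sanitizer runs over it.
function serverReceive(body) {
  const [, raw] = body.split("=", 2);
  return modelSanitize(decodeURIComponent(raw));
}

// Original path: POST the raw JSON string. The nested object ends in "}}",
// which the sanitizer rewrites, so JSON.parse fails on the server.
function naiveRoundTrip(state) {
  const body = "viewstate=" + encodeURIComponent(JSON.stringify(state));
  const received = serverReceive(body);
  try {
    return { ok: true, value: JSON.parse(received), received };
  } catch (e) {
    return { ok: false, value: null, received };
  }
}

// Poster's fix: encodeURIComponent the JSON before it goes into the form body.
// The braces reach the sanitizer as "%7B"/"%7D", which it does not match, and
// the handler decodes once more before parsing.
function encodedRoundTrip(state) {
  const payload = encodeURIComponent(JSON.stringify(state));
  const body = "viewstate=" + encodeURIComponent(payload);
  const received = serverReceive(body); // still percent-encoded: nothing to match
  return validateViewstate(JSON.parse(decodeURIComponent(received)));
}

// The sanitizer never saw the braces, so the handler must check the decoded
// data itself before use. Field rules are assumptions for this constructed
// viewstate; adapt them to the real fields.
function validateViewstate(obj) {
  if (typeof obj !== "object" || obj === null || Array.isArray(obj)) {
    throw new Error("viewstate must be a JSON object");
  }
  for (const key of ["param1", "param2"]) {
    if (!/^\d+$/.test(String(obj[key]))) throw new Error(`${key} must be numeric`);
  }
  const dlg = obj.dlgVS2;
  if (dlg !== null && (typeof dlg !== "object" || Array.isArray(dlg))) {
    throw new Error("dlgVS2 must be an object or null");
  }
  return obj;
}

// Usage: naiveRoundTrip(viewstate).ok is false and the received string ends in
// the seed token; encodedRoundTrip(viewstate) returns the original structure.
```

The double encoding is the point that is easy to miss: the browser's form encoding (or jQuery's) percent-encodes the value once, PHP undoes that once when building $_POST, and what the sanitizer then sees is the still-encoded payload with no braces in it. That is also why the handler's own urldecode call is required rather than optional. Note that the fix does not make the sanitizer smarter; it routes one parameter around it, so validating the parsed JSON and never echoing the decoded string into content the MODx parser processes is what keeps the workaround safe.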