
I'm using CKEDITOR and ajax to post news in a website I've created.

Everything works just fine, but apparently when I send text containing style="display:none", for example, when posting I get a 403 error. It doesn't happen if I remove that line or change letters, like style="misplay:none".

Here is my code

PHP

```php
$title=$this->input->post('title');
$body=$this->input->post('body');
$published=$this->input->post('published');
$tags=$this->input->post('tags');
```

Ajax call

```javascript
$.ajax({
    url: '/reviews_aj/addreviews',
    type: 'POST',
    data: {'title':title,'body':body,'published':published,'tags':tags},
    success: function(result){
        // ...
    }
});
```

The weirdest part is that the addreviews function is actually called but $_POST seems to be empty and a 403 error is returned.

This is what's being sent

```
id=18&title=asdasdas&body=style%3D%22display%3Anone%22&published=false&tags=
```

var_dump($_POST); returns an empty array.

I've started to think that the problem is jQuery, somehow converting special chars the wrong way (and messing with the URI rerouting of CodeIgniter). But I don't really know.

EDIT for @shershams You asked me to try this.

```javascript
var temp = {'title':title,'body':body,'published':published,'tags':tags};
console.log( JSON.stringify(temp, undefined, 4) );
```

This is the output

```json
{
    "title": "style=\"display:none\"",
    "body": "<p>\n\tasdasd</p>\n",
    "published": false,
    "tags": ""
}
```

Looks exactly like what I expected.

EDIT:

Just noticed that sending it through a simple POST (not ajax, a simple form) won't work either.

EDIT:

style='display:none' with single quotes works. I don't control CKEDITOR's output though; it should work with both double and single quotes.

akjoshi
Nicolás Torres
  • Any reason why you're using `urldecode()`? – Kemal Fadillah Jun 07 '12 at 02:11
  • I was encoding the body to see if that solved the problem, and I forgot to delete it from the PHP. Edit: Removed it but the problem is still there. It makes no sense at all, it's driving me crazy lol – Nicolás Torres Jun 07 '12 at 02:12
  • Edited my post with some more info – Nicolás Torres Jun 07 '12 at 02:25
  • POST won't require encoding the content, since it's not really being appended to the URL. Not sure completely why your code wouldn't work. If you're having CSS issue, have you tried `visibility:hidden` instead of `display:none`? – Sherzod Jun 08 '12 at 18:11
  • The problem is not that CSS is not working, the problem is that the whole thing doesn't work as expected when the post contains the text "display:none". It returns a 403 error and $_POST is empty, which really makes no sense. – Nicolás Torres Jun 08 '12 at 18:17
  • If I save "style="visibility:hidden;" it works as it should, change it back to display:none" and it crashes – Nicolás Torres Jun 08 '12 at 18:20
  • To me, the PHP and jQuery look fine. My guess is that you have some kind of other plugin which initializes, but fails if you use `display:none;` because it cannot initialize the object to something that is not displayed. With `visibility:hidden;`, the element is displayed (technically), but is hidden, and the plugin is now able to initialize the object to the hidden element. I had the same issue when I tried to initialize the SWFUpload. It wouldn't work with `display:none`, but was working fine with `visibility:hidden`. Is there any reason you don't want to use `visibility:hidden`? – Sherzod Jun 08 '12 at 18:33
  • So are you getting 403 or 404? They are pretty different errors. – Sherzod Jun 08 '12 at 18:36
  • @shershams thank you for your answer. The problem occurs on the PHP side when I send the form. It's not a "presentation" problem. The $_POST array is empty when I send text containing "display:none". Edit: 403 error. – Nicolás Torres Jun 08 '12 at 18:36
  • What's the exact error ? – maxdec Jun 08 '12 at 18:41
  • after unescaping your string that you're passing into php, I got this `id=18&title=asdasdas&body=style="display:none"&published=false&tags=`- is that what you're expecting to pass? – Sherzod Jun 08 '12 at 18:41
  • maybe try setting the display to none after the post, if possible? callbacks are handy – SpYk3HH Jun 08 '12 at 18:45
  • The whole body variable is the text outputted from CKEDITOR. "style="display:none"" is escaped in the query, so it should give no problem. I've tried style="display:mone", style="misplay:none" and they give no error. It only happens with style="display:none" – Nicolás Torres Jun 08 '12 at 18:48
  • Can you try not to escape them? You're not making GET call, it's a POST call, and the content shouldn't be URI escaped from JS side. You could HTML escape it from PHP side if it applies, but not URI escape on JS side. – Sherzod Jun 08 '12 at 18:50
  • Now it's not being escaped. Thank you for your patience – Nicolás Torres Jun 08 '12 at 19:00
  • Not yet, so far I've found out that if the body contains style="display:none" text it fails. I've tried changing one letter, like style="display:nono" or style="sisplay:none" and it works. I'm really clueless. I'll try it on localhost whenever I can to see if it's some server problem – Nicolás Torres Jun 08 '12 at 22:57
  • @shershams now I understand why you asked if they were 404's or 403 errors. My bad, edited the title for better accuracy and changed 404's for 403. Thank you – Nicolás Torres Jun 08 '12 at 23:19
  • how about hiding it from css? – Grigor Jun 08 '12 at 23:22
  • @Grigor what do you mean? Btw, I've been using this script for a few months and I've only encountered this problem when the text display:none is present. I'm not interested in the CSS itself more than I am in solving this issue. I don't want to have it in the future with other things. Thank you Grigor – Nicolás Torres Jun 08 '12 at 23:25
  • I mean create a .css file and set the display to none from there, and in jquery when everything is completed and successful, set the display to show or whatever you're trying to do. – Grigor Jun 08 '12 at 23:25
  • The problem is sending a variable with the text style="display:none" – Nicolás Torres Jun 08 '12 at 23:28
  • @NicolásTorres: could you add this right before the ajax call and see what it prints in the console is what you actually expect to send? `var temp = {'title':title,'body':body,'published':published,'tags':tags}; console.log( JSON.stringify(temp, undefined, 4) );` – Sherzod Jun 09 '12 at 00:01
  • Hello, I'm trying your example on a simple `PHP` server using jQuery `1.7.1`; no problem with displaying the webpage, the post has display:none and the return parameter is returning exactly what I sent. This is not a JavaScript error; there must be something wrong in the `codeigniter` library. – KoU_warch Jun 09 '12 at 00:06
  • @shershams tried that and edited my question. – Nicolás Torres Jun 09 '12 at 00:07
  • @NicolásTorres: so basically, 403 says that it can reach the server, but the server won't allow to use this API for some reason. And since you're saying it works for different strings, try using the REST clients to test that API for various strings including `display:none`. It would be extremely weird if it returns 403 just because of the string you pass in. 403 might be caused by improper routes or .htaccess file, etc., but would never think it's because of the certain string in the data. – Sherzod Jun 09 '12 at 00:08
  • @NicolásTorres: is this API public? mind sharing it for testing? – Sherzod Jun 09 '12 at 00:11
  • @EH_warch yeah, something is really wrong in there! I'm using codeigniter 2.1.0 – Nicolás Torres Jun 09 '12 at 00:14
  • @shershams It's exactly what I think and yet it's happening only with style="display:none;". I've checked the .htaccess and routes and everything seems okay. I'm gonna check it on a test server and post the results – Nicolás Torres Jun 09 '12 at 00:27
  • Have you tried using the `generate_json` function provided by the codeigniter library? Perhaps they do some magic to have a compatible string passed from JavaScript to PHP. – KoU_warch Jun 09 '12 at 00:32
  • I've just tried sending it through a simple form (not ajax) and returns a 403 too so it has nothing to do with ajax or jquery. Must be codeigniter – Nicolás Torres Jun 09 '12 at 00:40
  • Can you by any means change the double quotes to quotes in `style='display:none'`? I know it sounds silly, but this behavior is weird as it is – KoU_warch Jun 09 '12 at 00:44
  • OMG single quotes work, double quotes don't. Good hint +1 – Nicolás Torres Jun 09 '12 at 00:47
  • @NicolásTorres: so it works with single quotes and with double quotes when it's misspelled, and in all other cases it fails... that is my friend super weird! :) – Sherzod Jun 09 '12 at 02:25
  • @shershams It is! The project is enormous and this error is driving me crazy. I'm just trying to avoid using display:none, but that's not the real solution – Nicolás Torres Jun 09 '12 at 02:28
  • I might try just assigning a class that is, say, called 'no_display' instead of sending the CSS, but have you tried `htmlentities($str, ENT_QUOTES)`? – MikeCruz13 Jun 09 '12 at 04:19
  • Please move this discussion to chat. Too many comments on one post is discouraged. – Madara's Ghost Jun 09 '12 at 08:12
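
The following is an added example, not part of the original question or its comments. It checks the client-side encoding the question suspects: `encodeForm` mirrors how jQuery's `$.param` serializes a flat object, `decodeForm` is a hypothetical helper that reverses it, and the captured request body from the question is run through both. It also shows how the double-quoted and single-quoted variants differ on the wire.

```javascript
// Serializer for application/x-www-form-urlencoded, mirroring jQuery's $.param
// for a flat object: encodeURIComponent on each key and value, then %20 -> '+'.
function encodeForm(fields) {
  return Object.keys(fields)
    .map(function (key) {
      return encodeURIComponent(key) + '=' + encodeURIComponent(String(fields[key]));
    })
    .join('&')
    .replace(/%20/g, '+');
}

// Decode one key or value: '+' means space, then percent-decoding.
function decodeComponent(s) {
  return decodeURIComponent(s.replace(/\+/g, ' '));
}

// Parser for the same format (hypothetical helper, flat keys only).
function decodeForm(body) {
  var out = {};
  body.split('&').forEach(function (pair) {
    if (pair === '') return;
    var eq = pair.indexOf('=');
    var rawKey = eq === -1 ? pair : pair.slice(0, eq);
    var rawVal = eq === -1 ? '' : pair.slice(eq + 1);
    out[decodeComponent(rawKey)] = decodeComponent(rawVal);
  });
  return out;
}

// The request body quoted in the question.
var captured = 'id=18&title=asdasdas&body=style%3D%22display%3Anone%22&published=false&tags=';

// Decode the captured body and confirm that re-encoding reproduces it exactly.
function checkCaptured() {
  var fields = decodeForm(captured);
  return { body: fields.body, roundTrip: encodeForm(fields) === captured };
}

// Wire form of the two quote styles: encodeURIComponent escapes '"' as %22
// but leaves the single quote unescaped.
function wireForms() {
  return {
    doubleQuoted: encodeForm({ body: 'style="display:none"' }),
    singleQuoted: encodeForm({ body: "style='display:none'" })
  };
}

console.log(checkCaptured());
console.log(wireForms());
```

The captured body decodes to the intended text and round-trips unchanged, so the request is well-formed; the only wire-level difference between the failing and working variants is `%22` versus a literal `'`.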

4 Answers


Change double quotes to single quotes :D!

KoU_warch
  • I don't control CKEDITOR's output though. It should work with both double and single quotes. Good hint +1 – Nicolás Torres Jun 09 '12 at 00:50
  • that's just mean :'( let's look how to change that output – KoU_warch Jun 09 '12 at 00:53
  • I don't know why we are complicating this so much. Is the content of your variables pure HTML? You could just replace all double quotes with single quotes before sending the data to codeigniter. I understand your point that it should be the same, but somewhere in the codeigniter code someone forgot to prevent code injection, and I think that is off topic :( – KoU_warch Jun 09 '12 at 01:13
  • The body var is pure HTML. Of course replacing double quotes with single ones might make it work, although I don't know if the error will appear later – Nicolás Torres Jun 09 '12 at 01:43
  • http://stackoverflow.com/questions/5795682/codeigniter-seems-to-break-post-of-character-pound This question seems similar to mine. I'm going to contact my administrator – Nicolás Torres Jun 09 '12 at 01:55

What about double encode and send through like this?

```php
<?php
// Double URL-encode the value so it can travel as a URI segment.
$string = urlencode(urlencode("style=\"display: none;\""));
?>
```

then send that encoded string through ajax:

```javascript
$.ajax({
    // $string is the double-encoded PHP value, echoed into the page
    url: '/reviews_aj/addreviews/<?php echo $string; ?>',
    type: 'POST'
});
```

On the other end just decode using the segment:

```php
$text = urldecode(urldecode($this->uri->segment(3)));
```
MikeCruz13

I think you should use site_url(). Not sure what happens with a URL like /foo/bar.

Here is an answer to a similar question. Give it a try :)

```html
<script type="text/javascript">
    var site_url = '<?php echo site_url(); ?>';
    var url = site_url + '/controller/action/param1/param2';
    // AJAX with url
</script>
```

If things do not work out, try examining your logs. You will probably see which URL was actually requested.

Community
Rocco
  • Thank you for your answer. The problem is still there, the url is actually called, the error only occurs when the text style="display:none" is present either on the title, body or other field – Nicolás Torres Jun 13 '12 at 14:17

Going by your comment that the problem occurs when "display:none"

When an element is on display none it always behaves strangely and unexpectedly: it won't change position, won't return innerHTML in some browsers, etc...

I hypothesize it is because the browser then dumps it into the "useless stuff" bin and disconnects all connectors from behaving normally to save memory/cpu space or something.

Try to position it absolutely "outside" of the viewport ("position:absolute;top:-100px;left:-100px;") and then check your code for functionality.

If it's hidden anyway, it doesn't matter where it is on the page.

Tschallacka
  • Thank you for your answer. It's not a display problem, the server returns an error when I try to send through POST the text style="display:none;" – Nicolás Torres Jun 15 '12 at 17:31