I'm trying to send an HTML string from the client to the server via ajax. I keep getting a "disallowed key characters" error. So I took this `$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';` and set it to nothing, `$config['permitted_uri_chars'] = '';`, since CodeIgniter says "Leave blank to allow all characters -- but only if you are insane." But I still get the Disallowed Key Characters error.

This is how I'm trying to send it:

```
var content = '<p class="MsoNormal">Hi {$first_name}</p>\n<p class="MsoNormal">My name is Bill, etc etc.</p>';

$.get('/task/preview_template', {content:content}, function(data) {
    console.log(data); //Disallowed Key Characters
});
```

Farzher
  • try `json_encode($html)` then send the data, and decode it there – Alex Dec 18 '12 at 17:17
  • @w0rldart The HTML isn't on the server. It's on the client's side, and I'm trying to get it to the server. – Farzher Dec 18 '12 at 17:22
  • Possible duplicate of http://stackoverflow.com/questions/4197976/codeigniter-disallowed-key-characters – Shauna Dec 18 '12 at 17:25
  • @Shauna The answer there is to hack CodeIgniter (the other answers don't apply to me). I'm hoping I can do this without hacking CodeIgniter core... – Farzher Dec 18 '12 at 17:26
  • You mention that you're "trying to get it to the server". How are you trying to do that? Without more information, you're not going to get much help, and without more information, the second answer in the link that I posted is pretty much the most likely, since you've also mentioned that you're going through jQuery when sending. It would probably be a good idea to revise your question to make it more clear and thorough – Shauna Dec 18 '12 at 17:31
  • @Shauna I added the code I'm using to send it. – Farzher Dec 18 '12 at 17:35
  • Please show your controller code as well. Also, is your `$.get` call sending the correct data? – Wesley Murch Dec 18 '12 at 17:41
  • "Disallowed Key Characters" has to do with input keys (like in GET, POST, etc.), not your URL. This is hardcoded in the CI core files and is not configurable. Change your `$config['permitted_uri_chars']` back to the way it was because it's not related. Disallowed URI characters will show an error like "The URI you submitted has disallowed characters." – Wesley Murch Dec 18 '12 at 17:43
  • @WesleyMurch That's irrelevant, it never gets to the controller because of the "Disallowed Key Characters" error. – Farzher Dec 18 '12 at 17:44
  • @StephenSarcsamKamenar: You're right, but there's nothing here to suggest this error. Try this: get your ajax request ready, then in the first line of index.php put `exit(var_dump($_REQUEST))`, send the ajax request, and post the response you get here. Does the GET url work without AJAX? – Wesley Murch Dec 18 '12 at 17:44
  • You guys are totally right, good job. I was also trying to send an object `merge_fields:merge_fields`. The code I'm actually using is a huge mess so I tried to simplify it, assuming the problem was trying to pass HTML. – Farzher Dec 18 '12 at 17:51

1 Answer

`_clean_input_keys` is your likely culprit for what's throwing the error, and you have a large number of characters that fall outside of the allowed characters of `"/^[a-z0-9:_\/-]+$/i"`.

There are a few ways that I can think of that might handle this:

  1. Modify `_clean_input_keys` so that it accepts the extra characters. This, of course, is an internal function for a reason and shouldn't be changed unless you know what you're doing. (Alternatively, you may be able to modify it to allow the special characters for HTML encoding and HTML encode the string. This helps mitigate the compromise to security that comes with adding such characters to `_clean_input_keys`.)

  2. Encode your string before sending it, then decode it on the server side. This is a little more work on both your part, and that of the computers involved, but it keeps `_clean_input_keys` intact, and should allow you to send your string up, if you can find an encoding that is reliable in both directions and doesn't produce any disallowed characters. Since you're using GET, you may also run into GET input limits on not only the server, but browser-side, as well.

  3. Use POST instead of GET and send your content as a data object. Then just use the `$_POST` variable on the server, instead of `$_GET`. While this may work, it is a bit unorthodox and nonstandard usage of the REST verbs.

  4. Store your template content on the server, and reference it by name, instead of storing it in the JavaScript. This, of course, only works if you're not generating your template content on the fly in the JavaScript. If you're using the same template(s) in all of your JavaScript calls, though, then there's really no reason to send that information from JavaScript to begin with.

Shauna
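
The key check that the answer and comments describe, as an added example that is not part of the original thread: it walks the data object passed to `$.get` and reports key names that fail the pattern quoted in the answer. The `merge_fields` contents are constructed (the thread never shows them), and applying the check to nested key names is an assumption about how the framework walks input arrays.

```javascript
// Pattern as quoted in the answer for _clean_input_keys.
const KEY_PATTERN = /^[a-z0-9:_\/-]+$/i;

// Hypothetical helper: walk request data as it would be handed to
// $.get / $.post and collect every key NAME that fails the pattern.
// Values (such as the HTML string) are never tested.
function findDisallowedKeys(data, path = []) {
  const bad = [];
  for (const [key, value] of Object.entries(data)) {
    const here = path.concat(key);
    if (!KEY_PATTERN.test(key)) {
      bad.push({ key, path: here.join(' > ') });
    }
    // Nested objects and arrays become nested input arrays on the server,
    // so their key names are checked too (assumption, see lead-in).
    if (value !== null && typeof value === 'object') {
      bad.push(...findDisallowedKeys(value, here));
    }
  }
  return bad;
}

// Constructed sample data; the thread does not show what merge_fields held.
const content = '<p class="MsoNormal">Hi {$first_name}</p>';
const htmlOnly = { content: content };
const withMergeFields = {
  content: content,
  merge_fields: { '{$first_name}': 'Bill', last_name: 'Smith' },
};

// HTML in a value is not a key problem; the placeholder used as a key is.
console.log(findDisallowedKeys(htmlOnly));
console.log(findDisallowedKeys(withMergeFields));
```

Running this before the request shows which key to rename or encode, rather than loosening the server-side pattern.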