
I have a JavaScript page that makes an Ajax call like the code below. The PHP page is inside a corporate intranet and requires authentication in the domain (basic auth is disallowed). I collect the username (u) and password (p) from input fields using jQuery.

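// Read the credentials from the form fields
var u = $('#user').val();
var p = $('#pass').val();

// jQuery hands username/password to XMLHttpRequest for HTTP authentication
$.ajax({
    url: "http://mydomain/mypage.php",
    username: u,
    password: p,
    error: function () {
        // Failures are currently ignored
    }
}).done(function (html) {
    // Do Stuff
});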

The solution works very well...except when the user has a special character in their password. So far, it seems we're affected by: @ $ +.

It seems to me there is some conflict collecting passwords with symbols that also act as syntax operators in JavaScript...but how do you properly escape them to be submitted as a password?

Thanks!

hanamj
  • I am quite sure that they are submitted properly. Have a look at the sent HTTP headers. Does your server expect that format? – Bergi Jan 21 '13 at 19:22
  • You are sending username and password as a get request over http? Yikes, security nightmare. – epascarello Jan 21 '13 at 19:32
  • Yeah, I know. I'd normally never do that, but in this case the data path is secured by another method so I'm not worried. – hanamj Jan 21 '13 at 19:43

1 Answer


You will have to URL encode the parameter. For JavaScript, take a look at encodeURIComponent. The backend framework will understand it, so don't worry about that.

Mirko Adari
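What encodeURIComponent does to a credential sent as a query parameter, as an added example that is not part of the original answer. The host intranet.example, the parameter name p and the sample password are constructed, and the runtime's URL parser stands in for the server's form-urlencoded decoder.

```javascript
// Added example. Host name, parameter name and passwords are constructed.
const ENDPOINT = "http://intranet.example/mypage.php"; // hypothetical URL

// Build the request URL as a client would, then decode the query string
// as a form-urlencoded parser would, and return the value that arrives.
function receivedValue(secret, encode) {
  const wire = encode ? encodeURIComponent(secret) : secret;
  const url = new URL(ENDPOINT + "?p=" + wire);
  return url.searchParams.get("p");
}

// Return the characters from `candidates` that do not survive the round
// trip, either sent raw (encode = false) or after encodeURIComponent.
function charsLost(candidates, encode) {
  return [...candidates].filter((ch) => {
    const probe = "x" + ch + "y";
    return receivedValue(probe, encode) !== probe;
  });
}

const sample = "p@ss+w$rd"; // constructed password

console.log("on the wire :", encodeURIComponent(sample));
console.log("raw arrives :", JSON.stringify(receivedValue(sample, false)));
console.log("enc arrives :", JSON.stringify(receivedValue(sample, true)));
console.log("lost raw    :", charsLost("@$+&#=", false));
console.log("lost encoded:", charsLost("@$+&#=", true));
```

In this transport a raw + arrives as a space and a raw & or # truncates the value, while the encoded form arrives unchanged.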