
When sending input from a multiline textbox with an xhttp request through JavaScript, Chrome blocks out new lines as part of some new exploit prevention. I have tried using encodeURI, which did nothing, and trying to send
also causes this error. I am allowing users to submit HTML through the textbox.

Edit:

Javascript code:

```javascript
var taskid = 'task=' + notes;
var cont = '&content=' + po.value;
var head = '&head=' + pp.value;
var comb = taskid+cont+head;
var nlink = 'create.note.php?'+comb;
var encoded = encodeURI(nlink);
xhttp.open('GET', encoded + comb, true);
```

Chrome's response:

```
[Deprecation] Resource requests whose URLs contained both removed whitespace
(`\n`, `\r`, `\t`) characters and less-than characters (`<`) are blocked.
Please remove newlines and encode less-than characters from places like
element attribute values in order to load these resources. See
https://www.chromestatus.com/feature/5735596811091968 for more details.
```
Jacob
  • Can you share some code? This is not the case universally. – bluetoft Jun 26 '18 at 03:42
  • I'm not sure I fully understand the question without code or anything, but you can tell the browser how to read white space by using white-space in your CSS, e.g. `body { white-space: pre-wrap; }` – radlaz Jun 26 '18 at 03:42
  • Added some of the code – Jacob Jun 26 '18 at 03:49
  • You can't put line breaks in a url... You'll need to POST a request where you put the content of your form in the body of the request – bluetoft Jun 26 '18 at 03:50
  • Yes you can. Mozilla even supports this... – Jacob Jun 26 '18 at 03:51
  • Seeing as though this works with Mozilla, it ONLY occurs in chrome, so a GET request is fine – Jacob Jun 26 '18 at 03:55
  • *"Seeing as though this works with Mozilla, it ONLY occurs in chrome, so a GET request is fine"* Only because it "works" doesn't mean it's the right thing to do. POST requests are supposed to be used if you are changing state on the server side (e.g. writing something to the DB). GET vs POST: https://stackoverflow.com/questions/3477333/what-is-the-difference-between-post-and-get – Felix Kling Jun 26 '18 at 04:05
  • I did not ask what the appropriate requests are to use. I asked how to solve the issue. Thank you for your input. – Jacob Jun 26 '18 at 04:06
  • Using POST solves the issue. – Felix Kling Jun 26 '18 at 04:06
  • No, it actually does the EXACT same thing – Jacob Jun 26 '18 at 04:07
  • Fair enough, I guess that was too vague: You should be sending the values in the body of the POST request, not the URL. How to make a POST request with `XMLHttpRequest`: https://stackoverflow.com/q/9713058/218196 – Felix Kling Jun 26 '18 at 04:08
  • Use POST when sending user input (which can contain unknown characters); POST is more robust and secure than GET. So as a rule of thumb, you should probably never send user input using a GET request – radlaz Jun 26 '18 at 04:13
  • So... what's in `encoded + comb`? I don't see your post explaining what's in any of those variables you show, which makes it *really* hard for anyone to guess at what's going wrong. Can you tell JS to `console.log` all of them prior to your xhttp.open, and just copy/pasting (not typing over, and filling in from what you think they should be) what is in them? – Mike 'Pomax' Kamermans Jun 26 '18 at 04:32
  • Changing it to a post request fixed it, I was just being difficult lol – Jacob Jun 26 '18 at 04:48
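
Added example, not part of the original question or comments: the check below mirrors the rule quoted in Chrome's message and shows that the question's URL trips it because the unencoded `comb` is appended after the `encodeURI` result, while the POST form suggested in the comments keeps user input out of the URL. The function names and the sample content are constructed for illustration, and it assumes `create.note.php` reads the three fields from the POST body.

```javascript
// Rule quoted in Chrome's message: a URL is blocked when it contains both a
// raw newline/CR/tab and a raw "<".
function tripsChromeBlock(url) {
  return /[\n\r\t]/.test(url) && url.includes('<');
}

// The question's URL construction, reproduced to show which part stays raw.
function questionUrl(task, content, head) {
  const comb = 'task=' + task + '&content=' + content + '&head=' + head;
  const encoded = encodeURI('create.note.php?' + comb);
  return encoded + comb; // comb is appended a second time, unencoded
}

// Fix from the comments: fixed URL, user input form-encoded in the request body.
// URLSearchParams escapes each value, including "&", which encodeURI leaves as-is.
function buildNoteRequest(task, content, head) {
  const body = new URLSearchParams({ task, content, head }).toString();
  return {
    method: 'POST',
    url: 'create.note.php',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body,
  };
}

// Works with a browser XMLHttpRequest or any object with the same three methods.
function sendNote(xhttp, req) {
  xhttp.open(req.method, req.url, true);
  for (const [name, value] of Object.entries(req.headers)) {
    xhttp.setRequestHeader(name, value);
  }
  xhttp.send(req.body);
}

// Constructed sample input: multiline HTML that also contains "&".
const sampleContent = '<p>line one</p>\n<p>R&D notes</p>';
```

In a page this would be called as `sendNote(new XMLHttpRequest(), buildNoteRequest(notes, po.value, pp.value))`.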
