2

I have a form to save/edit users and passwords into a database. During some tests I discovered that when the user or password text contains the char "<" the ajax call fails with error 500. I googled a lot but I didn't find anything useful to solve the problem. To be honest I'm not very skilled in jQuery and Ajax programming.

This is my ajax code, I use ASP.NET MVC5 and JQuery 3.3.1

        var mydata = $("#FormItem").serialize();
        $.ajax({
            dataType: "text",
            type: "POST",
            url: '@Url.Action("SaveUsPwdInDB", "Computer")',
            data: mydata,
            success: function (result) {
                var jobj = JSON.parse(result);
                if (jobj.isValid == false) {
                    alert("Save Failed: \n\n" + jobj.jserror);
                } else {
                    alert("Save Successful !");
                }
            },
            error: function (result) {
                fnPopupErrors(result);
            }
        });

I tried to change serialization type using .serializeArray() and also dataType from text to Json, but I got always the same 500 error. What I noticed is that when the code reaches the data:mydata row it throws the error, never reaches the execution of code in "SaveUsPwdInDB".

Any idea?

mahatmanich
  • 10,791
  • 5
  • 63
  • 82
Franco Redaelli
  • 21
  • 4
  • 1
    It looks like you're using ASP.Net MVC, as such the request will be rejected if the model binder believes that a HTML injection attack is being attempted. You may need to relax that restriction, https://stackoverflow.com/q/3621272/519413, although this is not ideal for a password field. Check the cause of the 500 error on the server side. – Rory McCrossan Aug 18 '20 at 08:19
  • Have you tried to reach that URL with curl? Do you also get a 500 error? – mahatmanich Aug 18 '20 at 08:20
  • you can escape the special characters which can be potential HTML content before sending it to the server – orangespark Aug 18 '20 at 08:23
  • @mahatmanich the ajax call when there are no "<" characters in the input fields of the searialized form always works. – Franco Redaelli Aug 18 '20 at 08:35
  • Try to encode the payload via: https://www.w3schools.com/jsref/jsref_escape.asp – mahatmanich Aug 18 '20 at 08:51
  • What is in "mydata" when the request fails? It needs to be in key/value pair format for ajax to process it ... – mahatmanich Aug 18 '20 at 09:14
  • @RoryM yes it's ASP.NET MVC5. I think this could really be the issue, I've tryed to check the server side, but when < is present in one of the text fields the ajax call fails without even try to enter the code in the server side. – Franco Redaelli Aug 18 '20 at 09:29
  • @mahatmanich yes it is, the value for the < char is reported as %3C, `mydata = "__RequestVerificationToken=LJ-TPViyqtjAD6wfvumZp2epUbZ9qa5NuESOIYEXorDk_Co34tKIM0coSBIxLpYqTQADFR9CSQ5QqCc7gmdcqE85S8YWtO1fITmUj5o7AZE1&fldSQLInstPdID=1048&fldSQLInstID=1&fldSQLInstUser=TestUser&fldSQLInstPd=Test%3CPassword&fldSQLInstDesc=testdjdkdww"` – Franco Redaelli Aug 18 '20 at 09:42

1 Answers1

0

OK after digging all the comments and suggestion I found a solution, perhaps not the most secure one, but it correct the problem.

Following the link suggested by @RoyMcCrossan (thanks a lot !) stackoverflow.com/q/3621272/519413, I added the [AllowHtml] to the definition in the model, something like this:

    public class BlogEntry {
       public int UserId {get;set;}
       
       [AllowHtml] 
       public string BlogText {get;set;}
    }

and everything started working like a charm !

Many thanks to all contributors !

Franco Redaelli
  • 21
  • 4