0

I have a textbox that takes in a vartitle and generates that vartitle into an HTML encoded variable that is passed into my url for ajax.

Here is an example of my string of parameters passed to my ajax call:

 method=savecat&templatename=percentdistribution&dropzone=Column_1&datasetid=31&subjectid=28&varnumber=1155&origin=&codes=1@0@&values=Satisfied%20with%20job%20overall@Not%20satisfied%20with%20job%20overall@&vartitle=%26%23&missingvalues=-3,-7,-9

As you can see at the end, vartitle=%26%23.

For the example above, I typed &# into my textbox. That sequence of &# does something to break my ajax call. If I type anything else, the ajax works perfectly.

What am I missing?

My ajax call is below:

function SendAjax(webPageName, queryParams, triggerFunction)
{
    alert(queryParams); // is the string mentioned above
    alert(webPageName); // is the valid page name: BGPPS.aspx

    var date = new Date();
    var unique = date.getDay() + date.getHours() + date.getMinutes() + date.getSeconds() + date.getMilliseconds();

    $.ajax(
    {
        type: "POST",
        url: webPageName,
        data: queryParams+'&'+unique,
        success: triggerFunction
    });
}
cdub
  • From the moment that you say that it is already encoded, I delete my answer. Something has to do with encoding... – Aristos Jul 22 '11 at 17:23
  • yeah it's weird, has to do with the specific sequence of – cdub Jul 22 '11 at 17:44
  • What exactly do you mean by "break"? Does your success function fire? Are you getting an error on the server? – gilly3 Jul 22 '11 at 18:02

3 Answers

1

You need to URLEncode the values of parameters if they are taken from user input that could contain these characters; those are special characters in a URL and have control meaning.

See this Stack Overflow question on how to do that: Encode URL in JavaScript?

pilavdzice
1

Edit: By default, ASP.Net doesn't allow posts that look like they could be XSS attacks. Apparently ASP.Net thinks &# can be used in XSS attacks. You can disable this behavior for a given page by adding ValidateRequest="false" to your @Page directive:

<%@ Page Language="C#" ... ValidateRequest="false" %>

That should solve it for you.


My original answer:

Don't worry about encoding the arguments. Let jQuery encode your POST arguments by passing it a map of the key value pairs that you want submitted:

$.ajax({
    type: "POST",
    url: webPageName,
    data: {
        method: "savecat",
        templatename: "percentdistribution",
        dropzone: "Column_1",
        datasetid: "31",
        subjectid: "28",
        varnumber: "1155",
        origin: "",
        codes: "1@0@",
        values: "Satisfied with job overall@Not satisfied with job overall@",
        vartitle: "&#",
        missingvalues: "-3,-7,-9"
    },
    success: triggerFunction
});
gilly3
  • By the time it gets to this ajax method, it is already encoded. The funny thing is only makes the jquery not find the right url. If I use anything else besides that sequence, like &a#a, it works fine. – cdub Jul 22 '11 at 17:43
  • @chris - I've got the solution for you. You need to add `ValidateRequest="false"` to your `@Page` directive. I'll update my answer. – gilly3 Jul 22 '11 at 18:44
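Why client-side encoding makes no difference here, as an added example that is not part of the original thread: the server percent-decodes `vartitle=%26%23` back to `&#` before request validation inspects it. The function names are hypothetical, `looksDangerous` is a simplified model rather than ASP.NET's own code, and its `<` rule is an assumption about the framework's behaviour (only the `&#` rule comes from the answer above).

```javascript
// Added example. All names here are illustrative, not jQuery or ASP.NET APIs.

// Form-encode a map the way $.ajax does when `data` is an object:
// keys and values go through encodeURIComponent, spaces become "+".
function encodeForm(params) {
  return Object.keys(params)
    .map(k => encodeURIComponent(k) + '=' + encodeURIComponent(params[k]))
    .join('&')
    .replace(/%20/g, '+');
}

// What the server does before validating: split the pairs, then decode them.
function decodeForm(body) {
  const out = {};
  for (const pair of body.split('&')) {
    if (!pair) continue;
    const i = pair.indexOf('=');
    const key = i < 0 ? pair : pair.slice(0, i);
    const val = i < 0 ? '' : pair.slice(i + 1);
    out[decodeURIComponent(key.replace(/\+/g, ' '))] =
      decodeURIComponent(val.replace(/\+/g, ' '));
  }
  return out;
}

// Simplified model of request validation (assumption): reject "&#" and
// "<" followed by a letter, "!", "/" or "?". It sees DECODED values.
function looksDangerous(value) {
  return /&#/.test(value) || /<[A-Za-z!\/?]/.test(value);
}

// Names of the fields this model would reject in a POST body.
function rejectedFields(body) {
  const fields = decodeForm(body);
  return Object.keys(fields).filter(k => looksDangerous(fields[k]));
}

// Constructed sample: a trimmed version of the question's parameter string.
const sampleBody = encodeForm({
  method: 'savecat', vartitle: '&#', missingvalues: '-3,-7,-9'
});
console.log(sampleBody);
console.log(rejectedFields(sampleBody));
console.log(rejectedFields('vartitle=%26a%23a'));
```

With `ValidateRequest="false"` on the page this check no longer runs, so `vartitle` has to be HTML-encoded wherever the server writes it back into a page.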
0

I think jQuery will make it for you. Just give it an object.

$.ajax({
  type: "POST",
  url: webPageName,
  data: {var1: 'foo', var2: 'bar'},
  success: triggerFunction
});
czerasz