Question mark is replaced by 'jQuery1520046861610282212496_1411972375451'. #1799

Closed
mgol opened this issue Oct 21, 2014 · 7 comments · Fixed by #4754
@mgol
Member

mgol commented Oct 21, 2014

Originally reported by wjj871125 at: http://bugs.jquery.com/ticket/15249

Code as follows:

var content = document.getElementById("content").value;
jQuery.ajax({
    type:'post',
    url:'add.php',
    data:"content=" + content, // value is '?'
    dataType : "json",
    success:function(response){
        alert('success:'+response.msg);
    },
    error: function(msg){
        alert(msg);
    }
});

Code ends.

When the parameter 'content' value is '?' or '??', its content is replaced by content similar to 'jQuery1520046861610282212496_1411972375451'.

jQuery code

data = data.replace( jsre, replace );

jQuery code end.

This code may need to be optimized.

Issue reported for jQuery 1.5.2

@mgol
Member Author

mgol commented Oct 21, 2014

Comment author: dmethvin

We should either document this or fix it so that it only does so for the currently-documented case of jsonp.

@dmethvin
Member

@jaubourg As I read the docs, we should only be replacing ? in the JSONP case. Is there a reason to do it in other cases?

@jaubourg
Member

This is due to the fact $.getJSON is able to perform jsonp requests (has been since before the 1.5 version btw). But there's no argument to trigger this behaviour. As a consequence, the ajax infrastructure has to control the presence of the callback placeholder in the url in case of a json request in order to promote it as a jsonp request.

Fix would be to test the presence of the placeholder in $.getJSON itself and then set the dataType accordingly but it would break the fact you can promote a json request as jsonp by providing a url with placeholder in $.ajax proper.

Not that I think this would be used as much as in the $.getJSON scenario.

@markelog markelog added the Ajax label Nov 2, 2014
@iamnotserious

I encountered a similar issue as well. It exists in the latest version of jQuery too.
To those who want an immediate fix, using the "contentType" property to set the content-type seems to fix it.

@timmywil
Member

After further review, I don't think we want to break the ability to promote json requests to jsonp. We may just want to document that you can set contentType to avoid this?

@timmywil
Member

Opened docs issue: jquery/api.jquery.com#878.

BenKelada pushed a commit to BenKelada/moodle that referenced this issue Mar 2, 2016
jQuery ajax requests containing multiple '?' get replaced with a
string similar to jQuery152330039032_1231231, this is because it
is processing a stringified data object as jsonp and thinks it's a url.
Workaround is to add contenttype
see jquery/jquery#1799
breville added a commit to code-dot-org/code-dot-org that referenced this issue May 9, 2016
When submitting a LevelGroup solution with "??" (no quotes) in a free response, it was being turned into a weird timestamp by jQuery.

By setting "jsonp: false" explicitly, we disable this behaviour.

References:
jquery/api.jquery.com#878
jquery/jquery#1799
https://bugs.jquery.com/ticket/8417
@lock lock bot locked as resolved and limited conversation to collaborators Jun 18, 2018
@mgol
Member Author

mgol commented Jul 22, 2020

This will be fixed in jQuery 4 by the removal of the JSON-to-JSONP auto-promotion logic; the replacement will only be triggered if dataType is set to "jsonp". See issue #3376 & PR #4754.

@mgol mgol reopened this Jul 22, 2020
@mgol mgol added this to the 4.0.0 milestone Jul 22, 2020
@mgol mgol self-assigned this Jul 22, 2020
mgol added a commit to mgol/jquery that referenced this issue Jul 22, 2020
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes jquerygh-1799
Fixes jquerygh-3376
mgol added a commit that referenced this issue Jul 27, 2020
Previously, `jQuery.ajax` with `dataType: 'json'` with a provided callback was
automatically converted to a jsonp request unless one also specified
`jsonp: false`. Today the preferred way of interacting with a cross-domain
backend is CORS which works in all browsers jQuery 4 will support.

Auto-promoting JSON requests to JSONP ones introduces a security issue as the
developer may be unaware they're not just downloading data but executing code
from a remote domain.

This commit disables the auto-promoting logic.

BREAKING CHANGE: to trigger a JSONP request, it's now required to specify
`dataType: "jsonp"`; previously some requests with `dataType: "json"` were
auto-promoted to JSONP.

Fixes gh-1799
Fixes gh-3376
Closes gh-4754
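
As an added illustration (not jQuery's source and not code from any participant in this thread), the following JavaScript models the placeholder replacement discussed above and the mitigations named in the thread: `jsonp: false`, a non-form `contentType`, and the jQuery 4 rule that only `dataType: "jsonp"` triggers replacement. The regex, the fixed callback name, the form-encoding check, the percent-encoded case and all function names are assumptions made for the model.

```javascript
// Simplified model, not jQuery source. RJSONP, CALLBACK and resolveRequest are
// hypothetical names; the sample requests below are constructed.
const RJSONP = /(=)\?(?=&|$)|\?\?/;   // assumed placeholder: "=?" before "&"/end, or "??"
const CALLBACK = "jQuery_cb_1";        // constructed stand-in for the generated callback name
const FORM = "application/x-www-form-urlencoded";

// autoPromote = true models the behaviour reported in this issue;
// autoPromote = false models the jQuery 4 rule (only dataType "jsonp" qualifies).
function resolveRequest(opts, autoPromote) {
  const s = Object.assign({ url: "", data: "", contentType: FORM }, opts);
  const mayReplace = s.jsonp !== false &&
    (s.dataType === "jsonp" || (autoPromote && s.dataType === "json"));
  let prop = null;
  if (mayReplace) {
    if (RJSONP.test(s.url)) {
      prop = "url";
    } else if (typeof s.data === "string" &&
               s.contentType.indexOf(FORM) === 0 && // assumption: form bodies only
               RJSONP.test(s.data)) {
      prop = "data";
    }
  }
  if (prop) s[prop] = s[prop].replace(RJSONP, "$1" + CALLBACK);
  // A placeholder hit turns a plain JSON request into a script-executing JSONP one.
  const mode = (prop || s.dataType === "jsonp") ? "jsonp" : "xhr";
  return { mode: mode, url: s.url, data: s.data };
}

const base = { type: "post", url: "add.php", dataType: "json" };
function demo() {
  const userInput = "??"; // constructed user input
  return {
    reported: resolveRequest({ ...base, data: "content=" + userInput }, true),
    jsonpOff: resolveRequest({ ...base, data: "content=" + userInput, jsonp: false }, true),
    jsonBody: resolveRequest({ ...base, data: JSON.stringify({ content: userInput }),
                               contentType: "application/json" }, true),
    encoded: resolveRequest({ ...base, data: "content=" + encodeURIComponent(userInput) }, true),
    jquery4: resolveRequest({ ...base, data: "content=" + userInput }, false),
    explicit: resolveRequest({ url: "api?callback=?", dataType: "jsonp" }, false),
  };
}
console.log(demo());
```

In the model, only the `reported` case rewrites user-supplied body text and switches the request to JSONP; every mitigation leaves the body untouched and the request a plain XHR.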