I experienced this bug when submitting a form via postJSON[1] with
Konqueror 3.4.3. I'm not sure if it's a bug in queryString or
Konqueror's JavaScript implementation, all I know is it doesn't happen
in other browsers and it doesn't happen when submitting a form normally
with Konqueror.
Anyway, data sent with postJSON has '\x00' appended to it, and my
validators weren't catching it. When the null byte got into a database
query (through validators and SQLObject, normally immune to injection
attacks), all hell broke loose and a bunch of data was lost.
I posted to the FormEncode list to see if there's any interest in
stripping null bytes off of input, but I'm posting it here just in case
queryString should be patched to help with this issue.
[1]
var postJSON = function(url, postVars) {
var req = getXMLHttpRequest();
req.open("POST", url, true);
req.setRequestHeader("Content-Type",
"application/x-www-form-urlencoded");
var data = queryString(postVars);
var d = sendXMLHttpRequest(req, data);
return d.addCallback(evalJSONRequest);
}
--
Brian Beck
Adventurer of the First Order
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups
"MochiKit" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [EMAIL PROTECTED]
For more options, visit this group at http://groups.google.com/group/mochikit
-~----------~----~----~----~------~----~------~--~---