Response title
This is preview!
Move this topic
jequery-te get the source and send it using ajax to server side
in Using jQuery Plugins
•
8 months ago
- I implemented the jquery text editor in my web page.
- I want to get the source and send it to the server side.
- that is what I tried, but it doesn't work.
- it alerts the encoded answer. but it doesnt want to send it to the server.
- if I dont use any editing tool, just simple text. it sends it and I get "ok"
- but if I try to colorize the text or any other editing. the ajax doesnt send it to the server.
- is there a reason?
- $("#postEditor").jqte();
- $('#btnSend').click(function () {
- var answer = encodeURIComponent($(".jqte_editor").html());
- alert(answer);
- var id = $('#msg h3').attr('id').substr(1);
- $.ajax({
- type: "POST",
- url: location.href,
- data: "dt=newAnswer&answer="+answer+"&id="+id
- }).done(function (result) {
- if (result == "ok") {
- alert("ok");
- } else {
- alert("problem");
- }
- });
1
Replies(17)
Or, is it sending it to the server and you aren’t accessing properly?
Did you use the developer tools to see what is being sent to the server?
You should add a .fail callback after the .done. You may have a server error.
JΛ̊KE
Leave a comment on jakecigar's reply
It's rejected by the server.
My question is what can I do more then encoding it.
When I check the alert I see:
dt=newAnswer&answer=%3Cdiv%20style%3D%22direction%3A%20ltr%3B%20color%3A%20rgb(51%2C%2051%2C%2051)%3B%22%3E%3Cspan%20style%3D%22color%3Argb(255%2C0%2C0)%3Bdirection%3A%20ltr%3B%22%3Eaaa%3C%2Fspan%3E%3C%2Fdiv%3E&id=13
but Fiddler tells me the the server got:
dt newAnswer
answer <div style="direction: ltr; color: rgb(51, 51, 51);"><span style="color:rgb(255,0,0);direction: ltr;">aaa</span></div>
id 13
what is the rightway to send html to the server, if I what to save the formatted text of the user?
Leave a comment on elic55's reply
I would send it…
- data: {
- dt:"newAnswer",
- answer:$(".jqte_editor").html(),
- id:id
- },
But it shouldn’t make much of a difference. Your server is rejecting the POST because you have an error on your server.
JΛ̊KE
Leave a comment on jakecigar's reply
Same problem.
I know I dont have a problem in the server because when I send data without html tags it works fine.
but if there are html tags like ">" there is a problem:
Fiddler tells me to look here
There must be a way to save the user format (that's what this editor that I am writing in just now is doing)
Leave a comment on elic55's reply
Fiddler is telling you that you have a server problem. Find a microsoft forum for assistance.
Your javaScript code is pretty much classic old-school stuff. It works.
JΛ̊KE
Leave a comment on jakecigar's reply
what is the rightway to send html to the server, if I what to save the formatted text of the user?
There is no "right way". It's whatever way your server code expects to get.
If it is just the HTML, I would not send it as a URL encoded form, but just as plain text. If there are other bits of data to go along with it, I might encode it as JSON. Either of those assumes you wrote the server code, rather than using existing code that you can't change.
Oh, I see you do have some other data to send with the HTML. I would choose to encode as JSON, because it will encode a bit more efficiently. The important thing though is to agree on an encoding between the Javascript code and the server code.
Did you write the server code? Or is there existing code? If it is existing code, and you can't change it, you need to find out what it expects to receive.
I guess your server code doesn't like HTML tags. Or doesn't like URL encoded characters. Or something else. We can't guess what your server code expects!I know I dont have a problem in the server because when I send data without html tags it works fine.but if there are html tags like ">" there is a problem
Leave a comment on watusiware's reply
The problem is that you did not know that your server converts url encoded input to normal text for you. Almost all do.
It is not normal to play with url encoded strings. jQuery can encode them when you POST and the server decodes it for your server program. Your code added an extra layer of complexity that is not needed. Use my code.
You send some HTML from the browser and the program gets some HTML in your server program.
JΛ̊KE
Leave a comment on jakecigar's reply
- Here is my server code
- protected void Page_Load(object sender, EventArgs e)
- {
- if (!IsPostBack)
- {
- if (!String.IsNullOrEmpty(Request.Form["dt"]))
- {
- if (Request.Form["dt"] == "newAnswer")
- {
- string answer = Request.Form["answer"];
- int qid = Convert.ToInt32(Request.Form["id"]);
- string result= addAnswer(answer, qid)?"ok":"problem";
- Response.Clear();
- Response.Write(result);
- Response.End();
- }
- }
- }
- }
Your server language code might as well be ancient Swahili. Nobody is going to debug or even read your server language code here.
Your encoded html is being decoded by your server.
JΛ̊KE
Leave a comment on elic55's reply
For what it’s worth, I coded your page on my server. It works nicely. The only difference was that I don’t use ASP on the server.
JΛ̊KE
Leave a comment on jakecigar's reply
That's the point. the server rejects the data when it contains html tags.
Their is an option to tell the server to accept the data as discussed here
But it might be dangerous.
What I want to know if there is a way to encode the data on client side so there won't be a problem to the server.
what I try to do now is to replace dangerous chars, and to replace them back on the server. I am quite sure there must be a simple way to do it.
If you are editing HTML on this page, it is expected that you send HTML to the server to be "sanitized".
As long as you "sanitize" the HTML on your server, it is not dangerous. And that is a server language issue. Not jQuery.
JΛ̊KE
Leave a comment on elic55's reply
But it might be dangerous.
There are a couple of ways that user input could be "dangerous".
The most common (and apparently the focus of the discussion you linked to) is when user input is used as part of a database query in your server program.
YOU SHOULD NEVER USE USER INPUT AS PART OF A DATABASE QUERY!
Some developers might try to "sanitize" user input to remove any characters that would allow an attacker to essentially "rewrite" the database query to do dastardly deeds. IMO, it's the wrong way. But... if you must... it MUST be done on the server side. Doing it in the browser with Javascript just makes one more easy step for the wily hacker.
The RIGHT way - possible in any decent database SDK - is to separate the SQL from the data by using placeholders in the SQL - e.g. $1, $2, etc., and supplying the user input as parameters. I can't tell you how to do that in Microsoft MVC, though, as I don't use it. (I could tell you how to do it in Ruby with Sequel, but that will do you no good...) Then there is no "sanitization" needed.
NEVER paste together SQL fragments with user input!
Then you are just adding-back the danger! They become dangerous when you paste the text into a database query.what I try to do now is to replace dangerous chars, and to replace them back on the server
---
Another way that user input - specifically in this context - might be "dangerous" is that the user might embed some Javascript in the HTML, and then if the purpose of your site is to then show that HTML to other users, then the Javascript would be run in their browser - unless you sanitize it by removing the Javascript. There can be similar issues with CSS. (They might include CSS that might hide something on your page to some evil end.)
Again, if you have to "sanitize" your HTML for that purpose, you must do it on the server, or you have only placed a minor barrier in front of a hacker by doing it in Javascript in the browser.
But, from the context of your posts, I assume the issue is the first kind of danger I mentioned above.
Leave a comment on watusiware's reply
I am not writing about sanitation for sql code. If you have that problem, your server coding level is too junior.
I mean adding an <audio> , <video>, <object>, <embed> or <script> tag. Or even adding on____ attributes to normally innocent tags.
JΛ̊KE
Leave a comment on jakecigar's reply
I save the user formatted text in a db.
So I understand it is dangerous to use replace.
I understand I have to use the server to sanitize the user data.
And I understand that it is not the right place to ask how to do it.
I will have to learn how to do it.
I just wonder if this is what all the forums (including this one) do.
thanks both:
JΛ̊KE in the sort way.
watusiware in the long way (much better and clearer for me to understand, so your answer is the best for me)
This forum sanitizes on the server. We are not privy to exactly what they do or how they do it.
JΛ̊KE
Leave a comment on elic55's reply
This might be of use:
Letting users type HTML that you will show to other users is fraught with danger! Not much better if you use an editor widget, as the user can (usually) still enter their own HTML. And even if the editor widget prevents the user from typing their own HTML, again, the wily hacker knows how to get around that, because it's happening in the browser.
Markdown would be much safer than HTML!
Markdown is easily converted to HTML for presentation in a browser. Or to a PDF, or to many other formats. You would gain a lot of versatility by storing Markdown in your database instead of HTML.
There are Markdown editor widgets that are similar to the HTML editor widgets.
If it's for the general public, find one that provides a WYSIWYG display (not show user the Markdown). If it's for techies, I'd find one with a toggle to allow to see the Markdown or type it directly, with the buttons only as "helpers".
Leave a comment on watusiware's reply
Change topic type
Link this topic
Provide the permalink of a topic that is related to this topic
Reply to elic55's question
{"z8123945":[14737000007901098,14737000007901103,14737000007901105,14737000007901107,14737000007901111,14737000007901137],"z7664639":[14737000007899079,14737000007906009,14737000007906015],"z2950240":[14737000007903039,14737000007903043,14737000007903045,14737000007903047,14737000007903055,14737000007903087,14737000007903091,14737000007903105,14737000007903115]}