ArcBees / gwtquery

A jQuery clone for GWT, and much more.
MIT License

Ajax request onError exception #283

Closed heyarny closed 8 years ago

heyarny commented 10 years ago

I just switched to Ajax from RequestBuilder and found that Ajax creates an exception by appending the response text, which may contain HTML tags and may lead to security issues.

I've modified com.google.gwt.query.client.plugins.deferred.PromiseReqBuilder to produce a clean, text-only status-text exception. I'd even suggest separating the exception and the textResponse (if needed at all) and letting the client decide which argument best fits his needs.

import com.google.gwt.http.client.Request;
import com.google.gwt.http.client.RequestException;
import com.google.gwt.http.client.Response;

// Proposed replacement for the RequestCallback inside PromiseReqBuilder:
// the rejection carries only the status code and the HTTP status text,
// never the response body.
@Override
public void onResponseReceived(Request request, Response response) {
  int status = response.getStatusCode();
  if (status <= 0 || status >= 400) {
    // a status of 0 usually means a blocked cross-origin request or a network failure
    String statusText = status <= 0 ? "Bad CORS" : response.getStatusText();
    onError(request, new RequestException("HTTP ERROR: " + status + " " + statusText));
  } else {
    dfd.resolve(response, request);
  }
}
heyarny commented 10 years ago

Yes, that's why I'd suggest separating both: status text and response text. Right now I have no way to find out the status text or to get the raw response object to create my own style of response.

On Sun, May 11, 2014 at 7:12 PM, Manuel Carrasco notifications@github.com wrote:

The problem is that StatusText normally does not have enough information, just the HTTP error wording.

The security issue only arises in the case you show, where that string is put into an HTML element without sanitizing the content. Normally you have to use something like SafeHtmlUtils.htmlEscape before showing that text, or use GQuery.text(htmlstring) instead of GQuery.html(htmlstring).

— Reply to this email directly or view it on GitHubhttps://github.com/gwtquery/gwtquery/issues/283#issuecomment-42776450 .
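As an added illustration of Manuel's point (example code written for this page, not part of gwtquery): a consumer that handles the rejected Ajax promise and renders its message three ways, showing where the response-body HTML would execute and how to prevent it. It assumes gwtquery 1.4's Ajax.get(String) returning a Promise and Function.getArgument(int) delivering the Throwable as the first rejection argument; the /api/items URL and the #error container are placeholders.

```java
import com.google.gwt.query.client.Function;
import com.google.gwt.query.client.plugins.ajax.Ajax;
import com.google.gwt.safehtml.shared.SafeHtmlUtils;

import static com.google.gwt.query.client.GQuery.$;

/**
 * Consumer side of issue #283: whether response-body markup that ends up in
 * the exception message gets executed depends entirely on how the caller
 * renders that message.
 */
public class AjaxErrorDisplay {

  // Placeholder endpoint and container id, chosen for this example.
  private static final String ITEMS_URL = "/api/items";
  private static final String ERROR_BOX = "#error";

  public static void loadItems() {
    Ajax.get(ITEMS_URL) // assumed: gwtquery's Ajax.get(String) returns a Promise
        .fail(new Function() {
          @Override
          public void f() {
            // assumed: PromiseReqBuilder rejects with (Throwable, Request),
            // so the Throwable is the first callback argument
            Throwable t = getArgument(0);
            showError(t);
          }
        });
  }

  /**
   * UNSAFE: if the message still contains the raw response text, a body such
   * as "<img src=x onerror=...>" is parsed as markup inside the page and any
   * script it carries runs in the user's session.
   */
  static void showErrorUnsafe(Throwable t) {
    $(ERROR_BOX).html("Request failed: " + t.getMessage());
  }

  /**
   * SAFE: text() sets the element's text content, so the same message is
   * displayed literally and nothing in it is interpreted as HTML.
   */
  static void showError(Throwable t) {
    $(ERROR_BOX).text("Request failed: " + t.getMessage());
  }

  /**
   * SAFE when the caller wants markup of its own around the message: escape
   * the untrusted part first, then set the html.
   */
  static void showErrorWithMarkup(Throwable t) {
    String safeMessage = SafeHtmlUtils.htmlEscape(t.getMessage());
    $(ERROR_BOX).html("<strong>Request failed:</strong> " + safeMessage);
  }
}
```

The rule that falls out of this is the one Manuel states: the library's message is untrusted data whatever its format, so it goes through text() or htmlEscape() before it touches the DOM, and the status-text-only exception only reduces how much attacker-controlled content is in that string, it does not remove the need to escape it.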

jDramaix commented 10 years ago

Hi Arnold,

Could you please open an issue on GitHub for that? We will continue to discuss this on that issue.

Thanks,

Julien


manolo commented 10 years ago

Julien this is already an issue.


jDramaix commented 10 years ago

Oops, sorry :-) I read all my mails after three days off and thought it was a discussion on the mailing list.

olafleur commented 8 years ago

This issue has had no activity for more than a year. Feel free to reopen it if it is still needed.