Fixed Accidental AJAX Variable Injection

digitalpoint

Well-known member
In xenforo.js, this:

Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
should be:
Code:
[code]data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));
[/code]

Without it, variables from the URL in the CURRENT page get injected into the AJAX request.

For example from this URL: https://advertising.digitalpoint.com/advertiser?action=ads&site_id=2

Any AJAX request that does not have site_id=2 in it actually gets site_id=2 accidentally injected into the request because of the lack of URL encoding on the _xfRequestUri variable.
 
Fixed your code. :D

You originally had some of the BB Code in it ;) :p



In xenforo.js, this:

Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
should be:
Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));



(Also someone crazy enough to copy & past without looking & so I didn't want anyone making the mistake)

Capture.webp
 
Can someone please confirm what I've just checked and if it's the case, please Jake or Slavik make this post as important !!!
 
-I was wrong :( -Sorry -
Bug is still there.

The last I can do is to put the replacement to do directly in the minify xenforo.js
Search:
Code:
b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+g.location.search)

Replace with:
Code:
b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+escape(g.location.search))
 
Top Bottom