
Fixed Accidental AJAX Variable Injection

digitalpoint

Well-known member
#1
In xenforo.js, this:

Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
should be:
Code:
[code]data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));
[/code]

Without it, variables from the URL in the CURRENT page get injected into the AJAX request.

For example from this URL: https://advertising.digitalpoint.com/advertiser?action=ads&site_id=2

Any AJAX request that does not have site_id=2 in it actually gets site_id=2 accidentally injected into the request because of the lack of URL encoding on the _xfRequestUri variable.
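The parameter leak described in the post above, reproduced as an added example that is not part of the original post and is not XenForo's code. `pushParam` is a hypothetical stand-in that appends a value without encoding it, the sample location and `ad_id=7` body are constructed, and `encodeURIComponent` is used here in place of the thread's `escape()`:

```javascript
// pushParam() is a hypothetical helper for this example, NOT XenForo's
// ajaxDataPush. It appends name=value to a form-encoded body as-is.
function pushParam(body, name, value) {
  return body + (body ? '&' : '') + name + '=' + value;
}

// Constructed sample: location of the page from the post's example URL.
const loc = { pathname: '/advertiser', search: '?action=ads&site_id=2' };

// Constructed sample: an unrelated AJAX request with no site_id of its own.
const ajaxBody = 'ad_id=7';

// Unencoded: the '&' inside location.search ends the _xfRequestUri value.
function buildVulnerable(body, location) {
  return pushParam(body, '_xfRequestUri', location.pathname + location.search);
}

// Encoded: the whole URI travels as one opaque value. encodeURIComponent
// also encodes '+' and '/', which escape() leaves untouched.
function buildFixed(body, location) {
  return pushParam(body, '_xfRequestUri',
    encodeURIComponent(location.pathname + location.search));
}

// Parse a body the way a form-encoded request is split into parameters.
function parse(body) {
  const out = {};
  for (const [k, v] of new URLSearchParams(body)) {
    (out[k] = out[k] || []).push(v);
  }
  return out;
}

// Parameter names that arrive but were never part of the intended request.
function strayParams(original, built) {
  const intended = new Set([...Object.keys(parse(original)), '_xfRequestUri']);
  return Object.keys(parse(built)).filter((k) => !intended.has(k));
}

const bad = parse(buildVulnerable(ajaxBody, loc));
const good = parse(buildFixed(ajaxBody, loc));

console.log('unencoded:', bad, 'stray:',
  strayParams(ajaxBody, buildVulnerable(ajaxBody, loc)));
console.log('encoded:  ', good, 'stray:',
  strayParams(ajaxBody, buildFixed(ajaxBody, loc)));
```
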
 

Adam Howard

Well-known member
#2
Fixed your code. :D

You originally had some of the BB Code in it ;) :p



In xenforo.js, this:

Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + window.location.search);
should be:
Code:
data = XenForo.ajaxDataPush(data, '_xfRequestUri', window.location.pathname + escape(window.location.search));


(Also, someone might be crazy enough to copy & paste without looking, so I didn't want anyone making the mistake)

 

cclaerhout

Well-known member
#13
-I was wrong :( -Sorry -
Bug is still there.

The last thing I can do is to put the replacement to make directly in the minified xenforo.js
Search:
Code:
b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+g.location.search)
Replace with:
Code:
b=XenForo.ajaxDataPush(b,"_xfRequestUri",g.location.pathname+escape(g.location.search))