Invalid JSON after XSS changes #5

Closed
kb1 opened this issue Jan 31, 2015 · 1 comment
Comments

@kb1
Contributor

kb1 commented Jan 31, 2015

I'm experiencing the following after applying the changes to remedy XSS found in commit 57f9ff7:

If viewing results in non-grid view, clicking on Info causes a "JSON error parsing response: [object Object]" error in the browser, and the web log has the following:

ERROR ... elsa/web/lib/View.pm (161) View::catch ...
... Invalid JSON args ...
'q' => '...b.a.s.e.6.4..b.a.s.e.6.4... ...b.a.s.e.6.4..b.a.s.e.6.4.....=='
... invalid character encountered while parsing JSON string, at character offset ...
... at /usr/local/elsa/web/lib/Controller.pm line 1914.
... at /usr/local/elsa/web/lib/Controller.pm line 1916

It's breaking at line 1910 of Controller.pm:
$decode = $self->json->decode(decode_base64($args->{q}));

The base64 encoded sData coming from the browser has a space in it. Running the version of elsa.js before this fix has a plus sign instead.

I was able to solve my problem by adding "$args->{q} =~ s/ /+/g;" near the top of subroutine get_log_info:
sub get_log_info {
    my ($self, $args, $cb) = @_;
    my $user = $args->{user};
    $args->{q} =~ s/ /+/g; ### <----- NEW LINE OF CODE: put back the '+' that arrived as a space

    my $decode;
    eval {
        # base64-decode the browser's 'q' argument, then parse it as JSON
        $decode = $self->json->decode(decode_base64($args->{q}));
    };

I created a pull request, but I'm not sure if it's the best solution, or place for the solution.

@mcholste
Owner

I finally merged this, hopefully it's better now.

