
I am getting a very strange 403 Forbidden error in an AJAX call. The data is being sent in a POST as a JavaScript object of multiple JavaScript variables after applying JSON.stringify on the object.

One variable in the object is causing problems, which is the text/html fetched from the editor. A 403 Forbidden is thrown when there are two p tags in the text editor ('p' or any other tag). When there is only 1 tag in the editor, the AJAX call successfully completes.

I thought there is some kind of security for sending HTML in the AJAX call, but the HTML is encoded like:

"{"description":"<p>coming soon</p><p>coming soon</p>"}"

I tried removing .htaccess, disabling any security features in the SEF component, deactivating the Cloudflare security features, etc.

Details: Editor TinyMCE, PHP 5.3, Joomla 2.5, JomSocial 2.0, Linux, Apache

Please help

Original POST as shown in Firebug (Firefox):

{"id":"237","this_step":"2","isNew":"0","incent_amounts":["100","200","300"],"incent_rewards":["You'll get yourself a polka dot or a check bow tie.","You'll get yourself 1 of our custom made studded/zip detailed bow ties valued at R350","You will get yourself a designer shirt + a bow tire if you're angentleman. You will get yourself a peplum skirt & a summer scarf if you'rena lady."],"description":"<p>coming soon</p><p>coming soon</p>","summary":"Dream Chasers is a project started by Snorley McLa","passion":"To help the poor live above the bread line & help the parents afford to provide for their family. We'll do this by helping them identify business opportunities within their community & fund their small business.","funds_usage":"-","more_descp":"My project will grow enough in the nearest future so much that we can give high school grade 12 students part time jobs so that they can earn themselves money for college registrations, prome(matric ball) outfits etc because enrolling fees is always an issue after high school,I've had the bitter taste of that too.","help":"I'll do my best to get sponsorships from bread making companies so that meanwhile we're helping the parents to find their feet we can make a descent school lunch for their children every school day.n"}"
Anonymous
  • Can you post the entire encoded post message? Is there a reason you need to encode everything into json to post it? – datasage Feb 07 '13 at 16:25
  • Check the server error log. It'll probably say WHY the 403 was issued. Could be something like Suhosin rejecting the tags as an attempted XSS attack. – Marc B Feb 07 '13 at 16:48
  • The error log shows nothing regarding it. Not sure about Suhosin, but there must be some kind of security involved, as the 403 Forbidden error is thrown before control gets to its target, i.e. the index.php file – Sadaqat Ali Feb 07 '13 at 19:03

0 Answers