3

I am doing a simple jQuery post:

    $.post( "script.php", { urls: listOfURLs} );

The post works fine if it contains no URLs; however, if there are URLs included, then I get:

    POST script.php 403 (Forbidden)

Is there some way I can sanitize this list of URLs or something to prevent it from 403ing?

Everything involved is on the same domain.

brentonstrine
  • Is your site online? – Tushar Gupta - curioustushar Oct 02 '13 at 05:08
  • Give the link of the page where you are using this code? – Tushar Gupta - curioustushar Oct 02 '13 at 05:09
  • I'd rather not at this point in development. – brentonstrine Oct 02 '13 at 05:11
  • What is _listOfURLs_? – Ram Oct 02 '13 at 05:15
  • @undefined just what it sounds like, a list of URLs. It happens to be a javascript array, each array containing a URL string. – brentonstrine Oct 02 '13 at 05:17
  • I don't think that the data that you are passing along with POST will make this difference. I tried executing this line of code by replacing `script.php` with my own URL. Every time I got a 200 response. There might be some other server-side code that is responsible for this. – vijayP Oct 06 '13 at 09:19
  • It's probably `script.php` itself sending the 403. Trace it? – sam Oct 11 '13 at 23:08
  • What does `script.php` do upon receiving this url list? Can we see some code? – geomagas Oct 12 '13 at 12:10
  • Did you try [Labib's answer](http://stackoverflow.com/a/19222296/822138)? You just need to look at `script.php` and see how it wants the `urls` parameter, then have jQuery send it that way. – sam Oct 13 '13 at 04:50
  • I faced that problem as well, on my server only; it is working fine on my local. The issue I found is very strange: when I added the word url to the name of the field it works, and when I remove the url keyword from the name of the field it gives me 403. I know it's weird but it worked for me; I still don't know why, but it worked. Note my field is an array type: answers[] did not work, answers_url[] worked. – Sarim Mar 23 '23 at 20:31

8 Answers

3

It totally depends on what your listOfURLs is; you just have to keep in mind that the data part of the post request should always be a string, so the solutions might be:

  • if listOfURLs is an array, you should do something like this:

    $.post( "script.php", { 'urls[]': [ "URL1", "URL2" ] } );

  • if it is form data, you can serialize it to a JSON string.

  • if it is none of those, just try to make it JSON-like.

And please, if this doesn't work, provide us with some additional details about the data itself.

Labib Ismaiel
3

As far as I can see: this "bug" is on the server side.

The object passed as the second argument to the $.post() method is simply serialized as data in your request.

You can see what is sent to the server by checking your browser's web console (e.g. the "Net" tab of Firebug, the "Network" tab of Firefox's built-in console, or similar tabs in Chrome or IE). My guess is your request is correctly sent with the data you provided.

What your server does with this data is another matter; you will need to debug your server configuration and server-side code to figure out how your request ultimately triggers a 403.

One possible cause for a 403 is bad file permissions. Check if your file permissions allow the web server to access them.

For example, if you are using a standard Apache/Linux configuration, check if:

  • user www-data has x rights on all code directories
  • user www-data has r rights on all code files
  • user www-data has correct rights on files which should be downloaded or uploaded
  • your site config file removes access from certain directories
  • your .htaccess file(s) remove access from certain directories
  • etc ...
LeGEC
  • I think he said he gets 403 only when he sends `urls: listOfURLs`. – sam Oct 13 '13 at 04:40
  • Sorry about missing the bounty window... this is what the issue was. Unbeknownst to me, there was some crazy security thing on the server that was marking my POSTs as malicious and blocking them. – brentonstrine Oct 14 '13 at 18:54
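
Added example (not part of any answer on this page, and not jQuery's own code): a simplified re-implementation of jQuery's default, non-traditional array serialization, showing the request body produced for the `urls` and `'urls[]'` call forms used in the answers and what the server sees after form-decoding it. The helper names `formBody` and `decodeBody` and the sample URLs are constructed for illustration.

```javascript
// Simplified re-implementation (an assumption, not jQuery's source) of how
// jQuery.param() serializes a flat object whose values are strings or arrays
// of strings, which is what $.post() does with its data argument by default.
function formBody(data) {
  const pairs = [];
  const add = (key, value) =>
    pairs.push(encodeURIComponent(key) + "=" + encodeURIComponent(value));
  for (const [key, value] of Object.entries(data)) {
    if (Array.isArray(value)) {
      // Non-traditional mode: "[]" is appended unless the key already ends in it.
      const name = /\[\]$/.test(key) ? key : key + "[]";
      value.forEach((v) => add(name, v));
    } else {
      add(key, value);
    }
  }
  return pairs.join("&");
}

// What a server-side component sees after form-decoding the body:
// parameter name -> list of decoded values.
function decodeBody(body) {
  const seen = {};
  for (const [name, value] of new URLSearchParams(body)) {
    (seen[name] = seen[name] || []).push(value);
  }
  return seen;
}

// Constructed sample input.
const listOfURLs = ["http://example.com/a?x=1", "https://example.org/b"];

const plain = formBody({ urls: listOfURLs });         // form used in the question
const bracketed = formBody({ "urls[]": listOfURLs }); // form suggested in answers

console.log(plain);
console.log("identical bodies:", plain === bracketed);
console.log(decodeBody(plain));
```

Both call forms yield the same body, so a 403 that depends on the posted values has to be traced on the server side, for example in the logs of the web server or of whatever request filter sits in front of `script.php`.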
1

The 403 tells you that the system tried to access a URL or resource using the object you've tried to send.

I'm not a fan of the short form of this ajax call. Use the long syntax of jQuery if you like more overview in your code. See this for more information.

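    $.ajax({
        type: "POST",
        url: "script.php",      // the endpoint from the question
        data: listofURLs2JSON,  // JSON string built with JSON.stringify
        dataType: "json",       // expected type of the response
        statusCode: {
            404: function() {
                alert( "List of urls. Nooooo" );
            }
        },
        success: function(data) {
            alert( "This was totally awesome!" );
        }
    });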

As Labib pointed out you can avoid the 403 using JSON. To deserialize the object use JSON.stringify:

    var listofURLs2JSON = JSON.stringify(listOfURLs); // listOfURLs: the array or object to send

Then you can receive the object as string and use php functions like json_decode to retrieve the data as variable, do whatever you want and send it back via json_encode.

Troy Alford
Mr.Mountain
1

Try URL-encoding each URL in the list and then passing it:

    var encodedUrl = encodeURIComponent(url);

rajesh kakawat
0

There is an error in your code. You should replace this:

    $.post( "script.php", { urls: listOfURLs} );

with this

    $.post( "script.php", { 'urls[]': listOfURLs} );

because listOfURLs is a JavaScript array. This may explain why your code works if the list of URLs is empty.

See the 3rd example on the post() documentation page: jQuery.post() | jQuery API

If that does not help I would try using Fiddler2 to look closely at the calls your code is making when it does the post. This program will show you the URL being called and the data being posted. It's very useful for debugging this sort of issue.

Annabel
0

Are you using Nginx as your web server? Nginx does not support post requests like this; you can work around this limitation by adding the following to your configuration under server.

    error_page 405 =200 $request_uri;

What is really happening is that Nginx is generating an HTTP response 405 and then tries to access the error document for HTTP 405 and gets a 403 on that which is displayed.

Matthew Salsamendi
0

You just append some additional strings to your URL, like:

    listURL = "data_url:"+listURL+"";

And pass this data to the ajax call, so you get the URL data without the 403 Forbidden error.

Karthikeyan Ganesan
0

Same issue here with a simple Form POST (submit).

The form is a simple textarea which gets stored in a DB. It's a kind of clipboard, or repo of small texts. If the text is a URL, it fails with 403. Any other text works.

I tried to encode the URL, same result. My workaround: scramble the text in transit to fool the system: I reverse the submitted string (URL) and reverse it again before inserting in the DB, e.g. moc.elgoog//:sptth. Silly but working. I never understood why the post would disallow a URL in the content.

I also tried CORS with

    header("Access-Control-Allow-Origin: *");

in my PHP just in case, but no luck either...

e1000
  • This does not really answer the question. If you have a different question, you can ask it by clicking [Ask Question](https://stackoverflow.com/questions/ask). To get notified when this question gets new answers, you can [follow this question](https://meta.stackexchange.com/q/345661). Once you have enough [reputation](https://stackoverflow.com/help/whats-reputation), you can also [add a bounty](https://stackoverflow.com/help/privileges/set-bounties) to draw more attention to this question. - [From Review](/review/late-answers/33913867) – Dhaval Purohit Mar 01 '23 at 19:48
  • It's not a full answer I admit, but I propose this workaround of hiding the url, which can be a good help since it worked for me and could be used by others... – e1000 Mar 03 '23 at 09:38