
I have a simple ASP.NET web application with the following javascript that runs on an input's onblur event:

```javascript
function checkUserName() {
    var request = new XMLHttpRequest();
    if (request == null) {
        alert("Unable to create request.");
    } else {
        var theName = document.getElementById("username").value;
        // URL-encode the user input before placing it in the query string.
        var userName = encodeURIComponent(theName);
        var url = "Default.aspx/CheckName?name='" + userName + "'";
        request.onreadystatechange = createStateChangeCallback(request);
        request.open("GET", url, true);
        request.setRequestHeader("Content-Type", "application/json");
        request.send();
    }
}
```

The C# method this calls is the following:

```csharp
// Requires: using System.Web.Services; using System.Web.Script.Services;
[WebMethod]
[ScriptMethod(UseHttpGet = true)]
public static string CheckName(string name)
{
    return name + " modified backstage";
}
```

The javascript callback for the XMLHttpRequest is the following:

```javascript
function createStateChangeCallback(request) {
    return function () {
        if (request.readyState == 4) {
            var parsed = JSON.parse(request.responseText);
            alert(parsed.d);
        }
    }
}
```

Although this displays the results of my server-side method, I was wondering about that property "d" I need to access to get the results. I found this only by using Intellisense. Is this property a standard property for accessing the parsed JSON? Should I be going about it some other way? Is "d" arbitrary or is it determined somehow? Is it possible for me to set the name of the property, either client- or server-side?

RobC
  • @adeneo: Yep, it's getting called as expected. – RobC Apr 23 '15 at 18:41
  • Yes, I didn't notice the function returns a function right away, took me a second. – adeneo Apr 23 '15 at 18:42
  • And there's no standard that sets a `d` property on the returned object, must be something else that is adding it ? – adeneo Apr 23 '15 at 18:43
  • Seems like your server is wrapping the payload into `d`. – Joseph Apr 23 '15 at 18:43
  • Related: [Webmethod can't remove Object { d: “” }](http://stackoverflow.com/questions/20530841/webmethod-cant-remove-object-d) and [What does .d in JSON mean?](http://stackoverflow.com/questions/830112/what-does-d-in-json-mean) – Jonathan Lonowski Apr 23 '15 at 18:57

3 Answers


Regarding the following:

```javascript
var parsed = JSON.parse(request.responseText);
alert(parsed.d);
```

d is an actual property from the response object sent from the server via the GET request. It's not a special property created from the JSON.parse() method.

The server is likely wrapping the return data object into d. Thus, the response object looks something like { d: stuff } where stuff is the data that is returned.

--EDIT-- After a little digging on this, ASP.NET and WCF endpoints format the JSON object into the d property to prevent CSRF and XSS attacks. For more info, visit http://haacked.com/archive/2008/11/20/anatomy-of-a-subtle-json-vulnerability.aspx/.

boombox

.d is added by ASP.NET in framework code under the System.Web.Extensions namespace, and it's hardcoded, so no, you can't change it unfortunately. It exists to mitigate XSS attacks. On the plus side, however, you can count on .d always being present.

moarboilerplate
  • It is meant to protect against CSRF attacks, not XSS attacks. They sound a bit similar but are different. – boombox Apr 23 '15 at 19:10
  • Thanks for the information. I gave the answer to boombox because he beat you by a few minutes, but you were both helpful. – RobC Apr 23 '15 at 19:39
  • @boombox depends on the attack. From odata.org: "The name of the name/value pair is always “d” and the value is the JSON representation of an OData resource as described by the subsections of this document. This pattern ensures JSON payloads returned from OData services are valid JSON statements, but not valid JavaScript statements. This prevents an OData JSON response from being executed as the result of a cross site scripting (XSS) attack." – moarboilerplate Apr 23 '15 at 19:47
  • @RobC is there any reason you're rolling it all manually? You can save yourself some effort with jQuery and even more if you are cool with using the ScriptManager. – moarboilerplate Apr 23 '15 at 19:50
  • @moarboilerplate: I'm interested in doing this manually just because I want to learn AJAX from the ground up and to understand what's happening behind the scenes. Thanks for the tips, though. – RobC Apr 24 '15 at 13:38
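
The property the answers above describe, that a payload wrapped in `d` is valid JSON but not a valid JavaScript statement, can be checked directly. This is an added example, not code from the thread or from ASP.NET; the function names `parsesAsScript` and `unwrapD` and the sample bodies are assumptions made for illustration.

```javascript
// Added example: names and sample bodies are constructed, not from the thread.

// True if `body` would compile as a JavaScript program, which is what a
// browser does with a response loaded through <script src>. new Function()
// only compiles the text here; the resulting function is never called.
function parsesAsScript(body) {
  try {
    new Function(body);
    return true;
  } catch (e) {
    if (e instanceof SyntaxError) return false;
    throw e;
  }
}

// Parse a response body and return the payload, whether or not the server
// wrapped it in a single "d" property.
function unwrapD(responseText) {
  const parsed = JSON.parse(responseText);
  const wrapped =
    parsed !== null &&
    typeof parsed === "object" &&
    !Array.isArray(parsed) &&
    Object.keys(parsed).length === 1 &&
    Object.prototype.hasOwnProperty.call(parsed, "d");
  return wrapped ? parsed.d : parsed;
}

// Constructed sample response bodies.
const bareArray = '["alice","bob"]';
const wrappedArray = '{"d":["alice","bob"]}';
const wrappedString = '{"d":"RobC modified backstage"}';

// One row per body: does it compile as a script, and what is the payload?
function report() {
  return [bareArray, wrappedArray, wrappedString].map((body) => ({
    body: body,
    runsAsScript: parsesAsScript(body),
    payload: JSON.stringify(unwrapD(body)),
  }));
}

console.table(report());
```

The bare array compiles as a script, while both wrapped bodies fail with a `SyntaxError` because `{` opens a block and `"d":` is not a valid statement inside it.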

Nope, afraid not. The standard XMLHttpRequest object is designed for XML/HTML, so you will need to parse the JSON from the raw text, I'm afraid.

The new XHR2 spec does handle additional response types though (if your browser supports it, mind).

http://www.html5rocks.com/en/tutorials/file/xhr2/