ColdFusion JSON parsing failure: Expected '"' at character 2: '&'
Hello, all,
I'm trying to convert a project so that the components folder is outside of the webroot. For the most part, this has been a smooth transition.
Until (dun dun dunnnnnnnn) I get to the parts where I am using AJaX to submit forms. When the component was in the webroot, it was very simple, very straightforward. Now that the components exist outside the webroot, cfajaxproxy is giving me fits.
If all I'm submitting is a single form field value, it works. If I'm submitting an entire form using jQuery.serializeArray(), suddenly there's a problem.
postData = $('#'+formID).serializeArray();
thisComponent = new ERC(); //Component is in F:\webdocs\_com\public\ERC.cfc and components are mapped in application.cfc
thisComponent.setHTTPmethod('POST');
thisComponent.setCallbackHandler(displayResult);
thisComponent.setErrorHandler(displayFail);
thisComponent.dtsSurvey(postData); // Submit the form to the function "dtsSurvey" in ERC.cfc
This results in the error message mentioned in the subject: JSON parsing failure: Expected '"' at character 2: '&'
The reason why is because ColdFusion sees: {&quot;form&quot;:[{&quot;name&quot;... (The JSON " are being converted to ASCII.)
How can I fix this? I've Googled for it, and I'm not finding a solution.
V/r,
^ _ ^
Are we able to see roughly how the dtsSurvey function works?
Assuming the JSON is correct when passing it to that, then something on that side may be changing it.
Hi, haxtbh,
The JSON isn't even making it to the function. In the very beginning of the function, I placed a <CFDUMP var="#form#" /><cfabort> (the function doesn't 'return' anything, it outputs.) I'm not getting that dump, at all. The error is being triggered in the cfajax.js because CF can't correctly parse it. I think CFAJAXPROXY is replacing the quotes, but can't be sure - something is.
But my onError() is triggering the error email before my CFTRY/CFCATCH can get it, so I'm not being given a file or line number for the error.
F12 in FireFox Developer Edition is showing that the error is in cfajax.js on multiple lines.
V/r,
^ _ ^
I think I may have found something. onRequestStart() is taking both URL and FORM structs and performing a serializeJSON() and HTMLEditFormat() on them before sending them to Portcullis for analysis.
I'm not sure why. But I don't want to undo them, quite yet, as I don't have OWASP ESAPI involved. Yet. (EDIT: Not completely true - I am using canonicalize() on many things.)
I'm open to suggestions. Remember that I am working for US Dept of Defense, so some suggestions may not be possible.
V/r,
^ _ ^
UPDATE: Nevermind.. I didn't look at the code close enough. The lead developer who passed this on to me (he's no longer here) implemented the above described code, but he saved it to a session variable for no (apparent) reason, and still sends the url or form struct, itself, unchanged, to Portcullis.
The lead developer before me went down many rabbit holes during his time, here. And I'm the one paying for it. (smh)
When you say, "still sends the url or form struct, itself, unchanged, to Portcullis", do you mean without serializeJSON() or HTMLEditFormat() having been called on them? In any case, as you say, canonicalize() should solve the character-entity conversion problem.
Wouldn't it improve the design to save the struct in request scope rather than in session scope?
BKBK wrote
When you say, "still sends the url or form struct, itself, unchanged, to Portcullis", do you mean without serializeJSON() or HTMLEditFormat() having been called on them? In any case, as you say, canonicalize() should solve the character-entity conversion problem.
Yup. I have no idea why the original developer did that, it makes no sense. But that's what I'm dealing with, even after over two years of him being gone. And canonicalize() should take care of it, but apparently it isn't.
BKBK wrote
Wouldn't it improve the design to save the struct in request scope rather than in session scope?
Probably.
V/r,
^ _ ^
WolfShade wrote
And canonicalize() should take care of it, but apparently it isn't.
Then, chances are, the good man had used xmlFormat().
It's getting past the jQuery.serializeArray() (the alert I placed is alerted).
It's getting to the first part of the post function (another alert works.)
It's NOT getting into the displayResult() function contained within a switch/case.
Hmmmm..
V/r,
^ _ ^
Okay. I'm not sure where to go, now.
I've got the form submitting, but what the function sees is not the form scope, but an array. Okay, no big deal, I can iterate the array and manually build the form scope.
But what is confusing, now, is that something is STILL breaking cfajax.js; and that, in turn, is canceling all the JavaScript that is supposed to happen after the submit (ie, display the results, change the captcha, etc.)
???
F12 in FireFox says only that the error is in /CFIDE/scripts/ajax/package/cfajax.js on six different lines. Things like "this.decode", "$X.processResponse", "$X.callback", and whatnot. But no actual indication of what is going wrong.
**headdesk** **headdesk** **headdesk** **headdesk** **headdesk** **headdesk**
V/r,
^ _ ^
I don't understand why you are having a ColdFusion problem. Granted, your component, ERC, and the tag, cfajaxproxy, are ColdFusion code. Apart from that, the rest is JavaScript. As far as ColdFusion is concerned, this is just text.
I don't understand, either. It makes no sense. I'm just sending a JSON string (in proper format).
V/r,
^ _ ^
Perhaps the judo solution is simply to apply the reverse of XMLFormat, for example, XMLUnFormat, at some appropriate place.
XmlFormat() isn't being used. The replacing of " with &quot; was being done during onRequestStart() via Portcullis. Moving Portcullis to onRequest() took care of the replacing issue, so it's pushing proper JSON, now. I just can't figure out what is breaking cfajax.js.
V/r
^ _ ^
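
The failure described in this thread, reproduced in plain JavaScript as an added example (it is not code from the thread, ColdFusion, or Portcullis): entity-encoding the whole JSON request body before it is parsed puts an `&` at character 2, while parsing first and escaping each field value afterwards works. `htmlEditFormat` is a simplified stand-in for ColdFusion's HTMLEditFormat(), and the form data and function names are constructed for illustration.

```javascript
// Simplified stand-in for ColdFusion's HTMLEditFormat(): escapes & < > "
function htmlEditFormat(s) {
  return s.replace(/&/g, "&amp;").replace(/</g, "&lt;")
          .replace(/>/g, "&gt;").replace(/"/g, "&quot;");
}

// Constructed sample in the shape jQuery.serializeArray() produces.
const postData = [
  { name: "email", value: "a@example.com" },
  { name: "comment", value: 'He said "hi" <b>there</b>' },
  { name: "topic", value: "one" },
  { name: "topic", value: "two" } // repeated name, e.g. a checkbox group
];
const wireJson = JSON.stringify({ form: postData });

// Broken order: the raw body is entity-encoded before the JSON parser sees it.
function parseAfterEncoding(body) {
  const encoded = htmlEditFormat(body);
  try {
    JSON.parse(encoded);
    return { ok: true };
  } catch (e) {
    // charAt(1) is "character 2" in the error message's 1-based counting.
    return { ok: false, secondChar: encoded.charAt(1), prefix: encoded.slice(0, 7) };
  }
}

// Working order: parse the untouched body, rebuild a name -> value map from
// the serializeArray() pairs, and escape each string value individually.
function parseThenEncode(body) {
  const fields = Object.create(null); // no inherited keys to collide with field names
  for (const { name, value } of JSON.parse(body).form) {
    const safe = htmlEditFormat(String(value));
    // A repeated name becomes an array instead of overwriting the first value.
    fields[name] = name in fields ? [].concat(fields[name], safe) : safe;
  }
  return fields;
}

console.log(parseAfterEncoding(wireJson));
console.log(parseThenEncode(wireJson));
```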
WolfShade wrote
Moving Portcullis to onRequest() took care of the replacing issue, so it's pushing proper JSON, now. I just can't figure out what is breaking cfajax.js.
A warning in ColdFusion is that you should avoid combining onRequest and AJAX calls. That is probably the cause of the errors.
What about reverting to the original code (without onRequest), and applying XMLUnFormat?
BKBK wrote
A warning in ColdFusion is that you should avoid combining onRequest and AJAX calls. That is probably the cause of the errors.
I don't have any AJaX calls in onRequest(), itself. The Portcullis and everything else is accessing the components directly. The AJaX is just for form submission.
V/r,
^ _ ^

