ColdFusion JSON parsing failure: Expected '"' at character 2: '&'

LEGEND ,
Aug 17, 2017

Hello, all,

I'm trying to convert a project so that the components folder is outside of the webroot.  For the most part, this has been a smooth transition.

Until (dun dun dunnnnnnnn) I get to the parts where I am using AJaX to submit forms.  When the component was in the webroot, it was very simple, very straightforward.  Now that the components exist outside the webroot, cfajaxproxy is giving me fits.

If all I'm submitting is a single form field value, it works.  If I'm submitting an entire form using jQuery.serializeArray(), suddenly there's a problem.

    postData = $('#'+formID).serializeArray();
    thisComponent = new ERC(); // Component is in F:\webdocs\_com\public\ERC.cfc and components are mapped in application.cfc
    thisComponent.setHTTPmethod('POST');
    thisComponent.setCallbackHandler(displayResult);
    thisComponent.setErrorHandler(displayFail);
    thisComponent.dtsSurvey(postData); // Submit the form to the function "dtsSurvey" in ERC.cfc

This results in the error message mentioned in the subject:  JSON parsing failure: Expected '"' at character 2: '&'

The reason why is because ColdFusion sees: {&quot;form&quot;:[{&quot;name&quot;...  (The JSON " are being converted to ASCII.)

How can I fix this?  I've Googled for it, and I'm not finding a solution.

V/r,

^ _ ^

Advocate ,
Aug 17, 2017


Are we able to see roughly how the dtsSurvey function works?

Assuming the JSON is correct when passing it to that, then something on that side may be changing it.

LEGEND ,
Aug 17, 2017


Hi, haxtbh,

The JSON isn't even making it to the function.  In the very beginning of the function, I placed a <CFDUMP var="#form#" /><cfabort> (the function doesn't 'return' anything, it outputs.)  I'm not getting that dump, at all.  The error is being triggered in the cfajax.js because CF can't correctly parse it.  I think CFAJAXPROXY is replacing the quotes, but can't be sure - something is.

But my onError() is triggering the error email before my CFTRY/CFCATCH can get it, so I'm not being given a file or line number for the error.

F12 in Firefox Developer Edition is showing that the error is in cfajax.js on multiple lines.

V/r,

^ _ ^

LEGEND ,
Aug 17, 2017


I think I may have found something.  onRequestStart() is taking both URL and FORM structs and performing a serializeJSON() and HTMLEditFormat() on them before sending them to Portcullis for analysis.

I'm not sure why.  But I don't want to undo them, quite yet, as I don't have OWASP ESAPI involved.  Yet.  (EDIT: Not completely true - I am using canonicalize() on many things.)

I'm open to suggestions.  Remember that I am working for US Dept of Defense, so some suggestions may not be possible.

V/r,

^ _ ^

UPDATE:  Never mind.  I didn't look at the code closely enough.  The lead developer who passed this on to me (he's no longer here) implemented the above described code, but he saved it to a session variable for no (apparent) reason, and still sends the url or form struct, itself, unchanged, to Portcullis.

The lead developer before me went down many rabbit holes during his time, here.  And I'm the one paying for it.  (smh)

Adobe Community Professional ,
Aug 21, 2017


When you say, "still sends the url or form struct, itself, unchanged, to Portcullis", do you mean without serializeJSON() or HTMLEditFormat() having been called on them? In any case, as you say, canonicalize() should solve the character-entity conversion problem.

Wouldn't it improve the design to save the struct in request scope rather than in session scope?

LEGEND ,
Aug 22, 2017


BKBK  wrote

When you say, "still sends the url or form struct, itself, unchanged, to Portcullis", do you mean without serializeJSON() or HTMLEditFormat() having been called on them? In any case, as you say, canonicalize() should solve the character-entity conversion problem.

Yup.  I have no idea why the original developer did that, it makes no sense.  But that's what I'm dealing with, even after over two years of him being gone.  And canonicalize() should take care of it, but apparently it isn't.

BKBK  wrote

Wouldn't it improve the design to save the struct in request scope rather than in session scope?

Probably. 

V/r,

^ _ ^

Adobe Community Professional ,
Aug 23, 2017


WolfShade  wrote

  And canonicalize() should take care of it, but apparently it isn't.

Then, chances are, the good man had used xmlFormat().

LEGEND ,
Aug 24, 2017


It's getting past the jQuery.serializeArray() (the alert I placed is alerted).

It's getting to the first part of the post function (another alert works.)

It's NOT getting into the displayResult() function contained within a switch/case.

Hmmmm..

V/r,

^ _ ^

LEGEND ,
Aug 28, 2017


Okay.  I'm not sure where to go, now.

I've got the form submitting, but what the function sees is not the form scope, but an array.  Okay, no big deal, I can iterate the array and manually build the form scope.

But what is confusing, now, is that something is STILL breaking cfajax.js; and that, in turn, is canceling all the JavaScript that is supposed to happen after the submit (i.e., display the results, change the captcha, etc.)

???

F12 in Firefox says only that the error is in /CFIDE/scripts/ajax/package/cfajax.js on six different lines.  Things like "this.decode", "$X.processResponse", "$X.callback", and whatnot.  But no actual indication of what is going wrong.

**headdesk**  **headdesk**  **headdesk**  **headdesk**  **headdesk**  **headdesk** 

V/r,

^ _ ^

Adobe Community Professional ,
Aug 29, 2017


I don't understand why you are having a ColdFusion problem. Granted, your component, ERC, and the tag, cfajaxproxy, are ColdFusion code. Apart from that, the rest is JavaScript. As far as ColdFusion is concerned, this is just text.

LEGEND ,
Aug 29, 2017


I don't understand, either.  It makes no sense.  I'm just sending a JSON string (in proper format).

V/r,

^ _ ^

Adobe Community Professional ,
Aug 30, 2017


Perhaps the judo solution is simply to apply the reverse of XMLFormat, for example, XMLUnFormat, at some appropriate place.

LEGEND ,
Aug 30, 2017


XmlFormat() isn't being used.  The replacing of " with &quot; was being done during onRequestStart() via Portcullis.  Moving Portcullis to onRequest() took care of the replacing issue, so it's pushing proper JSON, now.  I just can't figure out what is breaking cfajax.js.

V/r

^ _ ^
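
The failure this thread converges on, as an added example that is not code from any poster or from Portcullis: HTML-encoding the serialized form before it is parsed turns `{"form":` into `{&quot;form&quot;:`, which is exactly where a JSON parser stops. The names `htmlEncode`, `encodeThenParse`, `parseThenEncode` and the sample payload are constructed for illustration; the encoder only stands in for whatever filter rewrites request values.

```javascript
// Constructed sample: a serializeArray()-style field list wrapped as {"form":[...]}.
const samplePayload = {
  form: [
    { name: "email", value: "a@example.test" },
    { name: "comment", value: 'He said "hi" & <b>left</b>' },
  ],
};

// Stand-in (assumption) for an input filter that HTML-encodes every request
// value, the effect described in the thread: " becomes &quot;.
function htmlEncode(text) {
  return String(text)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

// Wrong order: encode the JSON text on the way in, then try to parse it.
function encodeThenParse(json) {
  try {
    return { ok: true, data: JSON.parse(htmlEncode(json)) };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

// Right order: parse the untouched JSON, check its shape, and encode each
// value only at the point where it is written into HTML.
function parseThenEncode(json) {
  const data = JSON.parse(json);
  if (!data || !Array.isArray(data.form)) {
    throw new TypeError("expected an object with a 'form' array");
  }
  return data.form.map((field) => {
    if (typeof field.name !== "string" || typeof field.value !== "string") {
      throw new TypeError("each field needs a string name and value");
    }
    return { name: field.name, raw: field.value, html: htmlEncode(field.value) };
  });
}

const wire = JSON.stringify(samplePayload);
console.log(encodeThenParse(wire));  // parse fails on the encoded text
console.log(parseThenEncode(wire));  // values kept raw, encoded only for output
```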

Adobe Community Professional ,
Aug 31, 2017


WolfShade  wrote

Moving Portcullis to onRequest() took care of the replacing issue, so it's pushing proper JSON, now.  I just can't figure out what is breaking cfajax.js.

A warning in ColdFusion is that you should avoid combining onRequest and AJAX calls. That is probably the cause of the errors.

What about reverting to the original code (without onRequest), and applying XMLUnFormat?

LEGEND ,
Aug 31, 2017


BKBK  wrote

A warning in ColdFusion is that you should avoid combining onRequest and AJAX calls. That is probably the cause of the errors.

I don't have any AJaX calls in onRequest(), itself.  The Portcullis and everything else is accessing the components directly.  The AJaX is just for form submission.

V/r,

^ _ ^
