Vulnerability protection against AngularJS JSON is not removed

I am currently working on an Angular app that communicates with an API. The JSON responses from the API are prefixed with )]}', as recommended in Angular's official documentation.

The issue I am facing is that my browser seems to try decoding the response before Angular does.

While debugging step by step, I noticed that right after the xhr.onload callback is fired, the response turns out to be null.

The specific code snippet causing the problem is this one:

// From angular.js(1.5.9):12122
xhr.onload = function requestLoaded() {
        var statusText = xhr.statusText || '';

        // responseText is the old-school way of retrieving response (supported by IE9)
        // response/responseType properties were introduced in XHR Level2 spec (supported by IE10)
        var response = ('response' in xhr) ? xhr.response : xhr.responseText;

        // normalize IE9 bug (http://bugs.jquery.com/ticket/1450)
        var status = xhr.status === 1223 ? 204 : xhr.status;

        // fix status code when it is 0 (0 status is undocumented).
        // Occurs when accessing file resources or on Android 4.1 stock browser
        // while retrieving files from application cache.
        if (status === 0) {
          status = response ? 200 : urlResolve(url).protocol === 'file' ? 404 : 0;
        }

        completeRequest(callback,
            status,
            response,
            xhr.getAllResponseHeaders(),
            statusText);
      };
}

xhr.response is null even before Angular processes anything (as far as I can tell).

Angular attempts to remove the prefix using the following code:

function defaultHttpResponseTransform(data, headers) {
  if (isString(data)) {
    // Strip json vulnerability protection prefix and trim whitespace
    var tempData = data.replace(JSON_PROTECTION_PREFIX, '').trim();

    if (tempData) {
      var contentType = headers('Content-Type');
      if ((contentType && (contentType.indexOf(APPLICATION_JSON) === 0)) || isJsonLike(tempData)) {
        data = fromJson(tempData);
      }
    }
  }

  return data;
}

However, at this point, the data is never a string because the browser has already attempted to decode it (unsuccessfully).

The format of the API output is as follows:

)]}',
[{"name": "A"}, {"name": "B"}]

If I remove the prefix, everything works fine. I have tested this on Opera 45.0, Firefox 46, and Chrome 58, all of which exhibit similar behavior. Therefore, I believe I might be overlooking something crucial.

The response headers include:

HTTP/1.1 200 OK
Server: nginx/1.11.5
Content-Type: application/json; charset=utf-8
Connection: keep-alive
Cache-Control: no-cache, private
[...]
Content-Length: 1793

Any insights would be greatly appreciated.

Thank you!

javascriptangularjsjsonsecurityxss

Answer №1

In a response on Stack Overflow, Jeff Sheets suggests that the request configuration object could be causing issues if it includes responseType: 'json'. This setting may result in the object being dropped by the browser's XMLHttpRequest implementation before being passed back to the application.

To fix this issue, either remove the responseType property altogether or set it to 'text'.

The MDN documentation explains the responseType attribute by mentioning that:

Setting the responseType to "document" is ignored in a Worker environment. It is crucial for the server to send data compatible with the specified format. If not, the response value will be null. Additionally, setting the responseType for synchronous requests will result in an InvalidAccessError exception.

(emphasis added)

Similar questions

If you have not found the answer to your question or you are interested in this topic, then look at other similar questions below or use the search

Incorporating a JObject into a JArray

Struggling to incorporate a new class "Company" into a Json Array named Companies using C# and Json .net. After attempting several methods, with all data parsed out and ready to be molded together, the challenge lies in finding a way to insert the new comp ...

c#json

Retrieve the index of a v-for loop and then send it as a parameter to a specific function

When working with a select element generated by a v-for loop in Vue, it is important to be able to retrieve the index of the selected option. This way, you can use that index in a function for further processing. However, I have been struggling to achieve ...

javascriptvue.js

Accessing information from a json response using an ajax request

Currently, I am making an ajax call to fetch the longitude and latitude based on a pin code. Here is how I approached it: $(document).ready(function () { $.ajax({ type: "GET", url: "http://maps.googleapis.com/ma ...

javascriptjqueryjsonajaxgoogle-maps

Having trouble with NextJS not updating state upon button click?

I am encountering a problem with my NextJS application. I am attempting to show a loading spinner on a button when it is used for user login. I have tried setting the `loading` state to true before calling the login function and then reverting it to fals ...

javascriptreactjsnext.js

Using VueJS to Bind an Array of Integer Values to Checkbox Models

I encountered a discrepancy between VueJS 1.0 and VueJS 2.0 regarding checkbox behavior. In VueJS 1.0, when binding checkboxes to a list of integers in v-model, the integers do not register as checked attributes. Below is the HTML code snippet: <div i ...

javascriptvue.jsvuejs2

When the in-app API calls fail to connect, Node and Angular will refuse to load

I am currently utilizing a node / angular application generated by yo-angular. While everything runs smoothly when running the application locally, an issue arises when attempting to asynchronously load API calls from an external API endpoint through my pr ...

angularjsnode.jsexpress

A thrilling twist on the classic game of Tic Tac Toe, where X and

I am having trouble with switching between the cross and circle symbols in my Tic Tac Toe game. The code seems to be set up correctly, but it's not functioning as expected. Any suggestions on how to fix this? Here is the JavaScript code: varcode va ...

javascriptcsshtml

Is it necessary to validate input for a login form? Some may argue that it creates unnecessary overhead and introduces concerns about an excess of javascript

While working on input validation for my registration form, the idea of implementing it on my login form also crossed my mind. My login form only requires an email and password. I'm considering validating whether the email entered is a valid email add ...

javascriptjqueryauthenticationvalidation

Warning: ComponentMounts has been renamed. Proceed with caution

I'm encountering a persistent warning in my application and I'm struggling to resolve it. Despite running npx react-codemod rename-unsafe-lifecycles as suggested, the error persists and troubleshooting is proving to be challenging. The specific w ...

javascriptreactjs

What is the best way to show the user profile on a Forum?

I am struggling to figure out how to display the username of a user on my forum page. I currently only have access to the user's ID and need help in extracting their name instead. It seems that I lack knowledge about mongoose and could really benefit ...

javascriptreactjs

Modifying button appearance upon clicking using JavaScript

JavaScript: const buttons = document.getElementsByClassName("togglebtn"); for (let i = 0; i < buttons.length; i++) { buttons[i].onclick = function () { this.classList.toggle("active"); } } html: <md-butt ...

javascripthtmlcssangularjs

Using JavaScript, append a hidden input field in Yii2 and retrieve it from the controller

Seeking assistance as a newcomer to yii2. I'm looking for help in resolving an issue that has arisen. I'm attempting to add a hidden input field to my form using JavaScript (not linked to a model). Subsequently, when I submit the form, I want to ...

javascriptjqueryhtmlyii2yii2-advanced-app

A guide on dragging a box using JavaScript

I recently came across a box similar to the one in the image below: <div id="HelpDoc"> <div id="HelpHeader">Here goes the header</div> <div id="HelpContent">Here goes the content</div> </div> I am looking for a ...

jqueryangularjs

Unable to output value in console using eventListener

Hey everyone, I'm new to JavaScript and trying to deepen my understanding of it. Currently, I am working on an 8 ball project where I want to display the prediction in the console. However, I keep getting an 'undefined' message. const predi ...

javascripthtmlarraysconsole

When # is eliminated from the angularjs portion of a Codeigniter website's URL, reloading the page may result in a 404 error page not being found. Is this the main issue causing the

When I remove the # from the AngularJS with Codeigniter website URL, the HTML is not loading properly in the main ng-view. This causes an error where the page does not reload. What can I do to overcome this issue? var app = angular.module('main-App&a ...

angularjscodeigniter-3

Challenges when replacing the use of localhost with the actual IP address in the ionic service.js file

I'm currently working on deploying my Ionic v1 application. One of the requirements is to change the baseURL from localhost:3000 to myip:3000. Before (works): angular.module('conFusion.services', ['ngResource']) .constant( ...

angularjscordovaionic-framework

Issue: Encounter an Error with Status Code 401 using Axios in React.js

For my login page, I am utilizing a combination of Laravel API and ReactJS frontend. In my ReactJS code, I am using Axios to handle the parsing of the username (email) and password. The login API endpoint is specified as http://127.0.0.1:8000/api/login, wh ...

javascriptreactjsaxios

Transferring Data from Controller to HTML in AngularJS Version 1

Recently, I started working with angularjs on a new project that involves three main HTML files. The first file is index.html, which contains the ng-view directive. The second file is home.html, where various products are displayed from a database. Each pr ...

javascriptjavaangularjs

Using Rails Devise as a backend to validate users in an Ionic application

Is anyone experienced with setting up authentication for an Ionic app connected to a Rails API using Devise? If so, I'd love to hear about your implementation and any helpful tutorials you've used. Please share your insights. ...

ruby-on-railsangularjsdeviseionic-framework

Optimal method for creating a seamless loop of animated elements passing through the viewport

My challenge involves managing a dynamic set of elements arranged next to each other in a row. I envision them moving in an infinite loop across the screen, transitioning seamlessly from one side to the other, as illustrated here: https://i.stack.imgur.com ...

javascriptcssanimationgraphicsgsap