Scribd Logo
Upload

Welcome to Scribd!

  • New Rule For Ajaxcall

    Uploaded by

    Sriraman Gopalan
    6 views3 pages
    The document discusses two ways to call Ajax requests: appending parameters to the URL and passing parameters separately. Appending parameters to the URL is a security risk called Cross Site Request Forgery. To avoid this risk, the parameters should be passed separately as key-value pairs in an object, serialized into a string, and passed as data instead of in the URL. An example is given of building an object with the parameters and passing it to xmlRequest instead of appending to the URL.

    Original Description:

    Original Title

    New Rule for Ajaxcall

    Copyright

    © Attribution Non-Commercial (BY-NC)

    Available Formats

    ODT, PDF, TXT or read online from Scribd

    Did you find this document useful?

    Is this content inappropriate?

    Report this Document
    The document discusses two ways to call Ajax requests: appending parameters to the URL and passing parameters separately. Appending parameters to the URL is a security risk called Cross Site Request Forgery. To avoid this risk, the parameters should be passed separately as key-value pairs in an object, serialized into a string, and passed as data instead of in the URL. An example is given of building an object with the parameters and passing it to xmlRequest instead of appending to the URL.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as ODT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    6 views3 pages

    New Rule For Ajaxcall

    Uploaded by

    Sriraman Gopalan
    The document discusses two ways to call Ajax requests: appending parameters to the URL and passing parameters separately. Appending parameters to the URL is a security risk called Cross Site Request Forgery. To avoid this risk, the parameters should be passed separately as key-value pairs in an object, serialized into a string, and passed as data instead of in the URL. An example is given of building an object with the parameters and passing it to xmlRequest instead of appending to the URL.

    Copyright:

    Attribution Non-Commercial (BY-NC)
    Download as ODT, PDF, TXT or read online from Scribd
    Flag for inappropriate content
    of 3

    How to call Ajax without appending parameter to the url: calling Ajax appending parameter to the url:

    function displayCorrectionMessage() { var correctionval=document.lcoutstandfrm.hidcorrection.value; //alert("hsdhhds"+correctionval); var seqnoval=document.lcoutstandfrm.hidseqno.value; url = '<%=request.getContextPath() %>/app/tradefinance/tradefinance.tfreportbilldue.oncorrectionmsg.ajax.do? hidcorrectionval='+correctionval+'&hidseqnoval='+seqnoval+'&<%=pageToken%>=< %=pageTokenValue%>&<%=sessionToken%>=<%=sessionTokenValue%>'; //alert(url); xmlRequest(url, null, dispCorrectionMsg); }

    In the above screenshot, you can see that the request parameters are appended to the end of the url .With this type of invocation, there is a potential security threat called Cross Site Request Forgery. To ensure that the request parameters do not get appended to the end of the URL, the way we invoke ajax calls needs to be changed as shown below:

    calling Ajax appending parameter to the url: function displayCorrectionMessage() { var correctionval=document.lcoutstandfrm.hidcorrection.value; var seqnoval=document.lcoutstandfrm.hidseqno.value; var params=new Array(); var p=new Array(); var v=new Array(); p[0]="hidcorrectionval"; v[0]=correctionval; p[1]="hidseqnoval"; v[1]=seqnoval; p[2]="pageToken"; v[2]='<%=pageTokenValue%>'; p[3]="sessionToken"; v[3]='<%=sessionTokenValue%>'; for(var i=0;i<4;i++){ var paramObject = new Object(); paramObject[p[i]]= v[i]; var str = $.param(paramObject); params.push(str); } var data = params.join('&'); url= '%=request.getContextPath(%>/app/tradefinance/tradefinance.tfreportbilldue.oncor rectionmsg.ajax.do'; } xmlRequest(url, data, dispCorrectionMsg);

    You might also like