Saturday, September 30, 2017

PHP error spews may lead to bogus data being passed around

Today I was debugging a web page wherein a JavaScript function uploaded data to an API endpoint written in PHP and then received data from that endpoint to use in a page redirection. After adding a feature to the endpoint but making only small changes to the client-side script, I was puzzled to receive this error in the Chrome console:

[Deprecation] Resource requests whose URLs contained both removed whitespace (`\n`, `\r`, `\t`) characters and less-than characters (`<`) are blocked. Please remove newlines and encode less-than characters from places like element attribute values in order to load these resources. See https://www.chromestatus.com/feature/5735596811091968 for more details.

It was logged, as far as I could tell, after the sending of an AJAX request, but I was very confused because the URL that request was POSTed to definitely didn't have any whitespace or less-than characters. When I tried the request in Postman, however, I found that I received some errors from the PHP script that my JavaScript was interpreting as part of the URL to redirect to after the action completed. Sure enough, the HTML tags used to format the notices had less-than characters, and there were newlines in the spew. I had forgotten to step through the callback's setting of window.location.href. Fixing the PHP script led to the return of valid data for a URL fragment, which fixed the problem.
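A client-side check for the failure described above, as an added example that is not code from the original post: the callback validates the response body before it is used as a redirect target, so PHP notice markup is rejected instead of being assigned to window.location.href. The origin, function names and sample responses are assumptions constructed for illustration.

```javascript
// Added example: validate an endpoint's response before redirecting to it.
// ORIGIN, the function names and both sample responses are constructed.
const ORIGIN = "https://app.example";

// Constructed sample: PHP notice markup emitted ahead of the intended value.
const SPEWED_RESPONSE =
  "<br />\n<b>Notice</b>:  Undefined index: id in <b>/var/www/api.php</b>" +
  " on line <b>12</b><br />\n/items/42#saved";
const CLEAN_RESPONSE = "/items/42#saved\n";

// Returns an absolute same-origin URL, or null when the body is not a
// plain redirect path.
function redirectTargetFrom(body, origin) {
  if (typeof body !== "string") return null;
  const value = body.trim();
  if (value === "") return null;
  // Error output carries whitespace, newlines and markup characters;
  // a legitimate path or fragment contains none of these.
  if (/[\u0000-\u0020\u007f<>"'`\\]/.test(value)) return null;
  // Accept only a path on our own origin: "/x", not "//host" or "scheme:".
  if (!value.startsWith("/") || value.startsWith("//")) return null;
  let url;
  try {
    url = new URL(value, origin);
  } catch {
    return null;
  }
  if (url.origin !== new URL(origin).origin) return null;
  return url.href;
}

// navigate is injected so the logic can run outside a browser; in a page
// it would be (u) => { window.location.href = u; }.
function handleResponse(body, navigate) {
  const target = redirectTargetFrom(body, ORIGIN);
  if (target === null) {
    // Surface the problem instead of navigating to garbage.
    return { redirected: false, reason: "unexpected response body" };
  }
  navigate(target);
  return { redirected: true, target };
}
```
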
