Copied to clipboard

Flag this post as spam?

This post will be reported to the moderators as potential spam to be looked at


  • Christian Bekker Andersen 6 posts 26 karma points
    Dec 21, 2018 @ 15:47
    Christian Bekker Andersen
    0

    UmbracoAuthorizedJsonController adds garbled json to front of all results

    So i recently noticed some plugins throwing errors and finally found out that it seems that calls to controllers using UmbracoAuthorizedJsonController, for some reason gets some garbled json added in front of all responses.

    All responses gets this added: )]}',

    Even on errors, i get results like this: )]}', {"Message":"The requested resource does not support http method 'GET'."}

    Any suggestions? This is an 7.5.13 Umbraco.

  • Nik 1048 posts 4255 karma points MVP 2x c-trib
    Dec 21, 2018 @ 22:35
    Nik
    0

    Hi Christian,

    Normally you see that error message when there are redirects in place, such as stripping of trailing / or forcing lowercase urls.

    These redirects can easily change a Post request to a Get request and then errors get thrown behind the scenes.

    If you have any of these sorts of redirects, I advise excluding the /Umbraco and /App_Plugins paths from them. I think there might be another path to exclude but I can never remember what it is sorry.

    Nik

  • Christian Bekker Andersen 6 posts 26 karma points
    Dec 21, 2018 @ 22:52
    Christian Bekker Andersen
    0

    Just to make it clear. The error is not that im getting a GET error.

    The issue is the ")]}'," that is in front of the response. It's also in front of any returned data when i dont get an error.

    All results get prepended ")]}',"

  • Marc Stöcker 100 posts 541 karma points c-trib
    25 days ago
    Marc Stöcker
    0

    Hey Christian,

    did you ever resolve this?

    This appeared to me today (Umbraco 8.0.2) with all my UmbracoAuthorizedJsonController in a new project, fresh install.

    Thanks, Marc

  • Marc Stöcker 100 posts 541 karma points c-trib
    25 days ago
    Marc Stöcker
    0

    Ok, this seems to be some "JSON Hijacking protection" thing (like prepending "while(1);" and such).

    I though browsers "fixed" that (honestly never looked up how exactly!) vulnerability already.

    Normally I always return JSON with an object on the outside, but I didn't in this case so the "auto protection" kicks in and prepends the JSON.

Please Sign in or register to post replies

Write your reply to:

Draft