Extra underscore in Ajax.Request.parameters

[Arjen Nienhuis]

Hi,

Prototype adds a extra parameter &_= to every GET Ajax.Request done by
any WebKit browser. This is done to fix a bug in an old version of
Safari.

I'd like to see this feature removed for these reasons:

- That version is of Safari is not used any more. (which version was it anyway?)
- It breaks my server side code
- It is not the same for different browsers which makes it harder to test for
- It is not documented

Other solutions could be:

- Document it
- Do a version check for the specific version of Safari and run it
only for that browser
- if its considered harmless it should be enabled for all browsers

I solve it by patching my version of prototype.

Groeten,
Arjen Nienhuis

[kangax]

On Nov 19, 9:39 pm, Arjen Nienhuis <a.g.nienh...@gmail.com> wrote:
> Hi,
>
> Prototype adds a extra parameter &_= to every GET Ajax.Request done by
> any WebKit browser. This is done to fix a bug in an old version of
> Safari.
>
> I'd like to see this feature removed for these reasons:
>
> - That version is of Safari is not used any more. (which version was it anyway?)

So you don't know which version it is, but you know that it's not used
any more? Sorry, I'm not following such logic.

From what I remember, it was Safari 2.x that had problems with empty
POST bodies. We still support Safari 2.0.4 (but not any other lower
version of 2.x), so if 2.0.4 is affected by this bug, we can't just
drop it.

[...]

--
kangax

[Arjen Nienhuis]

You're right: it's POST not GET:

if (params = Object.toQueryString(params)) {
if (this.method == 'get')
this.url += (this.url.include('?') ? '&' : '?') + params;
else if (/Konqueror|Safari|KHTML/.test(navigator.userAgent))
params += '&_=';
}

But it's not empty POST bodies as it's only added if params != "".

I don't know which version of Safari it is because I cannot find any
documentation about it and it's a real pain to install an old version
of safari.

The extra parameter is there to catch garbage that Safari would add to
the end of a POST body. This way the garbage is in the extra parameter
not in the important parameters.

By accident I stored the extra parameter in the database of my webapp.
I have 20000 of them in one table. None of them have a value other
than the empty string(*). That's why I know that the workaround is no
longer needed (or at least not that badly).

Can we add a check for version 2.x of Safari for the workaround?

Should this be documented?

Groeten,
Arjen Nienhuis

(*) Well I loaded and stored the data multiple times and prototypes
adds the underscore even when it's already there so I actually store
things like {'foo': 2, 'bar': 5, '_': ["", "", "", "", ""]}. Yay!

[Mislav Marohnić]

On Tue, Nov 24, 2009 at 00:39, Arjen Nienhuis <a.g.ni...@gmail.com> wrote:

But it's not empty POST bodies as it's only added if params != "".

Safari had this bug with all Ajax POST requests.

 

By accident I stored the extra parameter in the database of my webapp.
I have 20000 of them in one table. None of them have a value other
than the empty string(*). That's why I know that the workaround is no
longer needed (or at least not that badly).

Prototype had this fix for years and you're the first one to report having problems with it. This is because you shouldn't store all top-level parameters as properties in a database. Much better practice is to nest a parameters belonging to a record under a common key:

   user[first_name]=arjen&user[last_name]=nienhius

Every sensible backend will parse this as a nested hash/associative array, then save only attributes found under "user". This allows you to have other parameters in your application that serve for conveying some information, but are not saved to a database. And of course, it would solve your underscore problem.

More simply would just be deleting the parameter from the POST params hash/array.

[Tom Gregory]

Not to quibble (I'll do it anyway), but I don't see how nested arrays make the answer "sensible."

Perhaps we can agree the core problem here is not filtering data received from the user; such data is always suspect.

I had a "problem" with it years ago when I was trying to figure out where the extra parameter was coming from. Once I understood that Prototype was adding it, and why, I was okay with it, and in the one case where it was in the way, I added a line of code to remove if present.

Underlying his query is a good question--where is the documentation showing what the fix was for, so we know when the fix can be removed as the supported browser list evolves?

TAG

--
You received this message because you are subscribed to the Google Groups "Prototype: Core" group.
To post to this group, send email to prototy...@googlegroups.com
To unsubscribe from this group, send email to prototype-cor...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/prototype-core?hl=en

[Arjen Nienhuis]

On Mon, Nov 23, 2009 at 5:51 PM, kangax <kan...@gmail.com> wrote:

> On Nov 19, 9:39 pm, Arjen Nienhuis <a.g.nienh...@gmail.com> wrote:
>> Hi,
>>
>> Prototype adds a extra parameter &_= to every GET Ajax.Request done by
>> any WebKit browser. This is done to fix a bug in an old version of
>> Safari.
>>
>> I'd like to see this feature removed for these reasons:
>>

-snip-

>
> From what I remember, it was Safari 2.x that had problems with empty
> POST bodies. We still support Safari 2.0.4 (but not any other lower
> version of 2.x), so if 2.0.4 is affected by this bug, we can't just
> drop it.
>

The first mention I found is here: http://dev.rubyonrails.org/changeset/2106

Later they need to work around the fix from prototype:
http://dev.rubyonrails.org/ticket/2868

Apple says they fixed it in WebKit before March 2005:
http://lists.apple.com/archives/webcore-dev/2005/Mar/msg00005.html

Safari 2.0.4 was released almost a year later. I think we can asume it
was fixed by then. Does anyone ever test prototype with Safari 2.0.4?

Groeten, Arjen Nienhuis