Yep, you're exactly right. I modified the code to filter out any
suspicious characters. I log the filters, and sure enough there it is.
On 3/4/2016 3:37 PM, Galt Barber wrote:
> Hi, David!
>
> The 3x button is padded with some spaces to increase the width.
> When ajax callback sends request it looks like this:
>
>
> https://hpcwebapps.cit.nih.gov/eyebrowse/cgi-bin/hgTracks?hgt.out2=%203x%20&hgt.trackImgOnly=1&hgt.ideogramToo=1&hgsid=913392_oET3IYqHdcdFHlBs5TCzhjQFhpsI&_=1457117769646
>
> Which has those spaces correctly html-encoded in the request.
>
> If you go to that URL, you get this:
>
> ERROR: bad input code is 521
>
> But 521 is not a standard http error code.
> I guess you guys made it up.
>
> By the way, changing the URL to remove those %20 encoded
> spaces around the hgt.out2 value will result in a normal response
> instead of an error.
>
> Since we do not see the error here, it must be a change
> made to your web server configuration, and if it started recently,
> then it is because somebody at your site just changed it.
>
> It seems that some sort of defensive mechanism you have on the server is
> objecting to having padded values, even though properly escaped.
> You will have to check your own settings, or talk to your admins.
> The defense mechanism is too sensitive, this is a false-positive.
>
> -Galt
>
> 2016-03-04 9:25 GMT-08:00 David Hoover <
hoov...@helix.nih.gov