Missing CI_Output::set_content_type()
#1

[eluser]Unknown[/eluser]
I'm attempting to perform an XSS request. I have two sites, dev.blah.com and internal.blah.com; both domains sit on the same server.

internal.blah.com - This domain is where I have all the libraries and models that produce JSON objects. Based on the correct controller call I echo correctly formatted JSON data to the screen (with content-type: text/html).

dev.blah.com - Is where I'm attempting to perform a jQuery $.ajax post to return my well-formed JSON object.
Code:
$.ajax({
  type: 'GET',
  url: 'http://internal.lyntron.com/completePart/returnPartObject/'+completePartId+'/JSON',
  dataType: 'jsonp',
  jsonp: false,
  crossDomain: true,
  contentType: "application/json; charset=utf-8", // single string, not a quoted string inside a string
  success: function(partObj) {
    alert("it worked");
  }
});

I've tested my code at internal.blah.com and validated the JSON syntax. My crap is correct! But on the dev site I'm getting a JavaScript error "uncaught SyntaxError: Unexpected token <".

In all of my research I've found that this is probably due to the fact that I'm returning 'text/html' instead of 'application/json'. So...

CI has an excellent function call set_content_type() that is part of the output class, however when I call it I get a nasty error message.
Code:
Fatal error: Call to undefined method CI_Output::set_content_type() in /usr/local/www/htdocs/blah.com/internal/system/application/controllers/completePart.php on line 48

Are there any ideas out there how I can get around this error and make my XSS dreams come true?
#2

[eluser]InsiteFX[/eluser]
For cross domains you have to use jsonp! json will not work.
Code:
// If you want to use $.getJSON() you can add the following before the call:
$.ajaxSetup({ scriptCharset: "utf-8" , contentType: "application/json; charset=utf-8"});

contentType : When sending data to the server, use this content-type. Default is "application/x-www-form-urlencoded", which is fine for most cases.

scriptCharset : Only for requests with 'jsonp' or 'script' dataType and GET type. Forces the request to be interpreted as a certain charset. Only needed for charset differences between the remote and local content.

You may need one or both ...

Also, the first char of your Controller name is lowercase; it should be uppercase!

InsiteFX
#3

[eluser]Phil Sturgeon[/eluser]
InsiteFX: The fact that he is getting an error showing a PHP/Server response shows that he is making a successful AJAX request, so JSONP is clearly irrelevant.

jandk4014: How exactly are you using this? Did you upgrade properly? Seems like you might have forgotten to update the Output class with the latest copy in 2.0.1, as it was only added then.
#4

[eluser]InsiteFX[/eluser]
Then you'd better read up on jsonp! and how it works with json to do cross domain server requests using a call_back function!

json using cross domains is not safe from xss attacks; that's why you use jsonp.

JSONP is a means by which to get JSON data from another domain than the one your page is on. If you try and use Ajax to request data from a different domain than the page, you'll get a security error.

He can use json but I would not because it is not safe. And he should be calling $.getJSON, not get.

InsiteFX
#5

[eluser]Phil Sturgeon[/eluser]
InsiteFX: I am perfectly familiar with the pros and cons of using JSONP but once again you have focused on a "good coding practice" that does not go anywhere towards actually solving the poster's problem. It's like that other topic where you suggested the reason they were having problems loading a model was because their string was using single quotes instead of double quotes...

It is always useful to offer advice in any way you can whether it is just "this won't fix your problem, but you should think about..." but do not offer these coding practice tips as if they were an actual fix for the problem.

Once again, if he is using JSON and getting a PHP error from the server then his AJAX request is clearly working fine and this is a PHP issue. Once he has the PHP issue resolved and JSON is working fine then it would be a great time to explain to him all about JSONP and its benefits.
#6

[eluser]Unknown[/eluser]
Guys-
Thanks for the information about this topic. I'm interested in your posts about best practices with JSON but I must admit that I got this problem figured out shortly after posting the question. Since I don't want to be one of those guys who don't post what worked for them, here you go.

Please review the code and let me know if there is a "better" way of doing it.

The following is the code that runs on my JavaScript onClick event residing on dev.blah.com. This is the start of the XSS magic!
Code:
javascript.js
function buildPartObject(completePartId) {
  $.ajax({
    type: 'GET',
    url: 'http://internal.blah.com/completePart/returnPartObject/abc123/JSON',
    dataType: 'jsonp',  // Required
    jsonp: false,       // Required. Change to some fct (jsonCallback()) if you want something different
    crossDomain: true,  // Required
    contentType: "application/json; charset=utf-8",   // Required (one string, no nested quotes)
    success: function(partObj) {
      alert('Part Id: ' + partObj._property1); // Part Id: abc123xyz (correct!)
    }
  });
}

Code from internal.blah.com/completePart/returnPartObject/abcd123/JSON
Code:
function returnPartObject($completePartId='', $returnType='DEV'){
    $this->load->library('some_class');
    ....
    if($returnType === 'JSON') {
        // build the part object, encode it, and hand it to the 'json' view
        $partObj = new $this->some_class($completePartId);
        $partObj = json_encode($partObj);
        $data['partObj'] = $partObj;
        $this->load->view('json', $data);
    }
}

This is the important part that I found using JSONP. Since the jQuery object is expecting back a certain object in a particular manner, it had to be in this format.
Code:
<?php
    // wrap the encoded JSON in the callback name jQuery sent, so the response is a function call
    echo $_GET['callback'] . '('. $partObj .')';
?>


Explanation
1) Enable the server to accept URI parameters and query strings; this is a requirement when using JSONP.
The application/config.php needs to be modified to the following for local (non global) functionality:
$config['enable_query_strings'] = FALSE;
$config['uri_protocol'] = "PATH_INFO";
The important thing to pay attention to is the local constructor in the controller. Add the following:
parse_str($_SERVER['QUERY_STRING'],$_GET);
The following site is where I got the information:
http://www.askaboutphp.com/58/codeignite...rings.html
2) Gather a good amount of knowledge of jQuery using $.ajax to send jsonp requests.
The following sites are good arenas to build up knowledge:
http://api.jquery.com/jQuery.ajax/ & http://remysharp.com/2007/10/08/what-is-jsonp/
3) Review the declaration of the $.ajax function.
Important things to remember with this technology for it to work are the following:
Include the required items up above.
A CodeIgniter view must be used as middleware. You CAN NOT just echo json to the screen from the controller.
Properly encode the json object using 'json_encode()' before passing it to the view.
Include the $_GET parameter ($_GET['callback']) of the jsonp callback function.
Remember it is best to not set this value but let jQuery dynamically make it for you, i.e. 'jsonp: false'.
Be sure to include the '(' and ')' around the encoded JSON object.
Remember you're passing back a complete function call to the requesting domain/browser. That's how $.ajax is expecting it.
Example of the correct returning string:
echo $_GET['callback'] . '('. $yourPostedData .')';
IMPORTANT ROOKIE MOVE
Last but not least! DO NOT HAVE ANY SPACES BEFORE OR AFTER YOUR <?php ?> TAGS!!!! 2 days of development lost due to that! This was my original issue.

I welcome your feedback on this issue.
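The exchange described in the post above, as an added example that is not part of the thread or of CodeIgniter: a model of the wrapping the 'json' view does, with the callback name read from the query string validated as a plain identifier before it is reflected into the script body, and the client-side handling for both dataTypes so the "Unexpected token <" error from the first post is reproduced. Function names and the sample part object are assumptions.

```javascript
// Added example, not from the thread or CodeIgniter: a model of the JSONP
// exchange the post describes. Names and the sample part object are assumed.

// A JSONP body is executable script, so the callback name read from the query
// string is accepted only if it is a plain JS identifier; anything else is
// refused instead of being echoed into the response.
const CALLBACK_RE = /^[A-Za-z_$][\w$]*$/;

// Server side: what the 'json' view does (callback(json);), plus the check.
function buildJsonpResponse(callbackName, partObj) {
  if (!CALLBACK_RE.test(callbackName)) {
    throw new Error("invalid JSONP callback name"); // controller would answer 400
  }
  return {
    contentType: "application/javascript; charset=utf-8",
    body: callbackName + "(" + JSON.stringify(partObj) + ");",
  };
}

// Client side, dataType 'jsonp': jQuery injects a <script> tag and registers
// the callback on window. Modelled with Function() so it runs outside a
// browser; the callback is bound to a parameter named after it.
function consumeJsonp(body, callbackName) {
  let received = null;
  new Function(callbackName, body)(function (obj) { received = obj; });
  return received;
}

// Client side, dataType 'json': the body must be pure JSON. A response that
// starts with HTML (a PHP warning, or output sent before the <?php tag) fails
// here with the "Unexpected token <" error quoted in the first post.
function parseAsJson(body) {
  try {
    return { ok: true, value: JSON.parse(body) };
  } catch (e) {
    return { ok: false, error: e.message };
  }
}

// Constructed sample: the part object the controller would json_encode().
const SAMPLE_PART = { _property1: "abc123xyz" };
const sampleResponse = buildJsonpResponse("jsonCallback", SAMPLE_PART);
console.log(sampleResponse.body);                                // jsonCallback({"_property1":"abc123xyz"});
console.log(consumeJsonp(sampleResponse.body, "jsonCallback"));  // { _property1: 'abc123xyz' }
console.log(parseAsJson("<br />\n<b>Warning</b>: ...").error);   // Unexpected token '<' ...
```

Note that a JSONP body is itself not valid JSON, so the client's dataType has to match what the server actually sends.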
#7

[eluser]kuakman[/eluser]
[quote author="Phil Sturgeon" date="1300799449"]InsiteFX: I am perfectly familiar with the pros and cons of using JSONP but once again you have focused on a "good coding practice" that does not go anywhere towards actually solving the poster's problem. It's like that other topic where you suggested the reason they were having problems loading a model was because their string was using single quotes instead of double quotes...

It is always useful to offer advice in any way you can whether it is just "this won't fix your problem, but you should think about..." but do not offer these coding practice tips as if they were an actual fix for the problem.

Once again, if he is using JSON and getting a PHP error from the server then his AJAX request is clearly working fine and this is a PHP issue. Once he has the PHP issue resolved and JSON is working fine then it would be a great time to explain to him all about JSONP and its benefits.[/quote]

Yes, you're right... I have the same problem here.

The set_content_type() method is missing in core/Output.php.
I'm trying to figure out why it's missing. I don't know if it's part of a change between the new CI 2.0 releases and older ones.
I mean, from now on you don't need to specify the output content-type any more.

By the way, you can still use PHP's native function header("Content-type: [mimetype]").
But I think that it's pretty much the same if you don't call it...

Regards!
#8

[eluser]Phil Sturgeon[/eluser]
I introduced this method in 2.0.1. Remember that if you are running a copy of CodeIgniter that is not the latest you will be better off looking at the user guide provided in your version.

The user guide on codeigniter.com will always be the most up to date and mention things that may have been added, or not mention things that have been removed.
#9

[eluser]kuakman[/eluser]
Yes, I've been using a previous version of CI and I can see now the addition of set_content_type() in the changelog for the latest version, which matches perfectly with the current documentation.

Thanks a lot, I'll keep that in mind
#10

[eluser]kuakman[/eluser]
I've noticed that you're part of the CI research team.
What about a possible ORM solution for future versions of CI?
Actually I'm using a third-party library, and I think it would be great to have features like "table mapping" or "cascading deletion" in the CI core, which are very helpful.
