My best guess: this is due to a bug. Specifically this bug is hidden in the sajax routine that is being used.
Find the *_sajax file in your deployed project.
Find something that looks similar to this:
    else if (sajax_request_type == "POST") {
        post_data = "rs=" + escape(func_name);
        post_data += "&rst=" + escape(sajax_target_id);
        post_data += "&rsrnd=" + new Date().getTime();
        for (i = 0; i < args.length-1; i++)
            post_data = post_data + "&rsargs[]=" + escape(args[i]);
There you will see the bug clearly.
This should be:
    else if (sajax_request_type == "POST") {
        post_data = "rs=" + escape(func_name);
        post_data += "&rst=" + escape(sajax_target_id);
        post_data += "&rsrnd=" + new Date().getTime();
        for (i = 0; i < args.length-1; i++) {
            s = escape(args[i]);
            // global regex so every "+" is encoded, not only the first one
            post_data = post_data + "&rsargs[]=" + s.replace(/\+/g, "%2B");
        }
I also had to change the *_mutf8.php piece of code from
    function NM_utf8_urldecode($str)
    {
        if (is_array($str))
        {
            return $str;
        }
        $aRep = array(
            '&' => '&',
            '<' => '<',
            '>' => '>',
            '"' => '"',
            "'" => ''',
            '+' => ',',
            '?' => 'Á',
            ....
        $str = preg_replace("/%u([0-9a-f]{3,4})/i", "&#x\\1;", urldecode($str));
        if (isset($_SESSION['scriptcase']['charset']) && 'BIG-5' == $_SESSION['scriptcase']['charset'])
        ....
to
    function NM_utf8_urldecode($str)
    {
        return rawurldecode($str);
    }
    function NM_utf8_urldecode2($str)
    {
        if (is_array($str))
        {
            return $str;
        }
        $aRep = array(
            '&' => '&',
            '<' => '<',
            '>' => '>',
            '"' => '"',
            "'" => ''',
            '+' => '+',
            '?' => 'Á',
            ....
        $str = preg_replace("/%u([0-9a-f]{3,4})/i", "&#x\\1;", rawurldecode($str));
        if (isset($_SESSION['scriptcase']['charset']) && 'BIG-5' == $_SESSION['scriptcase']['charset'])
        ....
I have reported this before with great detail but it was never fixed. It also causes file uploads with a + sign in it to go wrong.
Likely this is the same for you.
The bug (never fixed as far as I can see) is clearly shown. A + sign is NOT , but #&43
And the sajax call clearly doesn't escape properly.
If that is your case you probably need to fix similar code.
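
Added example (not part of the original post, and not sajax or Scriptcase code): one rsargs[] value sent through a form-style decoder, comparing escape(), a string-pattern replace(), a global-regex replace() and encodeURIComponent(). The formDecode helper is an assumed stand-in for the server side, and the file names are constructed.

```javascript
// Added example, not sajax or Scriptcase code. File names are constructed.

// Stand-in for server-side form decoding (assumption: "+" becomes a space,
// then %XX sequences are decoded, as PHP's urldecode() does).
function formDecode(value) {
  return decodeURIComponent(value.replace(/\+/g, " "));
}

// Pattern from the original routine: escape() leaves "+" untouched.
function encodeWithEscape(arg) {
  return escape(arg);
}

// String pattern: String.prototype.replace changes only the first "+".
function encodeFirstPlusOnly(arg) {
  return escape(arg).replace("+", "%2B");
}

// Global regex: every "+" becomes %2B.
function encodeAllPlus(arg) {
  return escape(arg).replace(/\+/g, "%2B");
}

// Built-in that percent-encodes "+" along with other reserved characters.
function encodeComponent(arg) {
  return encodeURIComponent(arg);
}

// Build one rsargs[] field, then decode its value the way the server would.
function roundTrip(encoder, arg) {
  const field = "&rsargs[]=" + encoder(arg);
  return formDecode(field.slice(field.indexOf("=") + 1));
}

const samples = ["a+b+c.txt", "C++ notes.pdf"]; // constructed inputs
const encoders = { encodeWithEscape, encodeFirstPlusOnly, encodeAllPlus, encodeComponent };

for (const arg of samples) {
  for (const [name, encoder] of Object.entries(encoders)) {
    const result = roundTrip(encoder, arg);
    console.log(`${name.padEnd(20)} ${JSON.stringify(arg)} -> ${JSON.stringify(result)}`);
  }
}
```

Only the global-regex and encodeURIComponent() variants return the original string for every sample; the other two turn some or all "+" characters into spaces.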