Bad Request in AJAX

The problem is that it’s sending JSON request headers, the old legacy Admin AJAX API doesn’t understand this. As a result these are the cause of the bad request:

            dataType: "json",
            contentType: "application/json"

Your endpoint might be able to handle that input, but WP’s admin AJAX handler can’t, so it never knows which action to fire in the first place.

You have 2 options:

  • Remove these and adjust your AJAX handler accordingly
  • Switch to the modern REST API and get a proper endpoint URL that happily accepts JSON and returns JSON, and even encodes/validates/sanitises for you if told what to expect

Some additional notes:

  • $('body').on( 'change', '.division' is quite a broad event handler, I’d recommend limiting it down from the entire body tag to something more specific
  • There’s no checking of the response to make sure it is what you think it is, the code just goes straight into JSON.parse
  • If no values are found or returned there’s nothing to indicate that’s what happened

But more importantly:

A Major Security Hole In The Code

Building up a HTML string by joining variables up together in JS then appending it is awful for security. It’s one of the worst things code can do in javascript short of eval‘ing code. Use DOM node construction instead and deal with DOM nodes, never HTML strings. Consider this a omgbbq high level priority fix. $( '<option>', { value: key, text: value } ) is what the code should be appending, it’s much faster and safer.

Here’s a secure version, the browser will automatically escape and sanitise the keys and make sure no malicious HTML gets snuck in:

const data = JSON.parse( rss );
const options = data.map( function ( key, value ) {
        return jQuery( '<option>', {
            value: key,
            text: value
        } );
} );
jQuery('.district').append( options );

It’s also a little faster as the browser doesn’t need to parse the HTML, and you don’t have to worry about broken HTML markup either. Notice the data variable, we can now wrap it in an if statement and change behaviour if JSON parsing failed, or it doesn’t contain what we expected it to. Never create HTML by joining up strings and variables, it’s a major security issue, it’s slow, and it’s unnecessary.

Related Posts:

  1. How can I run AJAX on a button click event?
  2. How-to implement admin Ajax inside an admin WP_List_Table?
  3. What is nonce and how to use it with Ajax in WordPress? [duplicate]
  4. Empty POST data on server on AJAX request using Angular $http
  5. Using AJAX in FrontEnd with WordPress Plugin Boilerplate (wppb.io)
  6. Build path for a custom portfolio plugin
  7. Using AJAX in a plugin to submit form – REALLY confused
  8. wp_localize_script $handle
  9. Adding callback function for wp_ajax_ has no effect
  10. get all products of one category
  11. Get returned variable from a function to add_shortcode function
  12. How to post form in ajax mode and handle it in wordpress
  13. Using Ajax call in jQuery doesn’t work in widget
  14. WP_LOCALIZE_SCRIPT doesn’t work
  15. Admin-ajax.php appending a status code to ajax response
  16. Ajax in WordPress – path issue
  17. Cannot search post by taxonomy
  18. WordPress Ajax callback function from plugin – OOP
  19. WP AJAX is not working, always returns 0
  20. Frontend Ajax call not working using wp_ajax, wp_enqueue_script and wp_localize_script
  21. Fetching the value of forms in WordPress AJAX
  22. Any problem in using native jquery ajax style instead of using admin-ajax.php?
  23. Slow WP_query due to nested wp_query. Need Suggestions
  24. Show special field when correct shipping is chosen
  25. Woocommerce checkout update totals with datepicker
  26. Including the necessary functions for a custom ajax registration form
  27. How can I rewrite a URL to pass requests to a custom method via AJAX? (I can’t use admin-ajax.php)
  28. How to localize admin.php only once
  29. Dashboard – get status and position of metaboxes and pass them to ajax method
  30. Create a new post using rest api and save featured image using an external image url
  31. wp.template() returns tags in Ajax response
  32. How to get Metabox custom field to show checked if value is updated using post meta query?
  33. Storing data in wordpress database from ajax call from different website
  34. Create custom HTML/JS app inside page
  35. Use just a shortcode from another page
  36. Update Data parameter of a wp_localize_script() call
  37. jquery & ajax sending data to php
  38. wp_localize_script is not adding a global variable for javascript
  39. Can’t get AJAX call working in custom plugin
  40. 400 Bad Request, in wordpress theme development, wp_ajax
  41. Ajax is not working in a loop
  42. ajax recursive calls on wordpress returning answers outsite the function scope
  43. Ajax submit result opens in admin-ajax.php
  44. Are there any security risks when submitting data-attribute data through AJAX?
  45. insert query on a custom table using ajax with jQuery plugin Jeditable
  46. How to get error object returned by wp_create_user
  47. Plugin AJAX Save to Custom Table
  48. Ajax: Populate with content from a post’s ID not working – duplicating current page html instead
  49. Data not insert and update through ajax and jQuery in admin page?
  50. WP ajax requests not stacking?
  51. Issues Updating Post Meta with AJAX (Seems simple but cannot figure it out)
  52. AJAX button with success callback. (Titan Framework)
  53. ajax working when function is on child theme but not in plugin page
  54. AJAX call returns ‘testtest0’ instead of ‘test’ – why?
  55. About a programming language starts with [closed]
  56. add_action wp_ajax_ not loading in plugin file WP Network
  57. Why is the form not updating when I select a new sector from the list?
  58. Workflow for new importer plugin – your advices?
  59. Plugin Form Submitting to admin-ajax.php instead of admin-post.php
  60. Ajax +wordpress onClick link redirect to new page and create html content
  61. Get cat parameter from admin-ajax
  62. WordPress (pagenow link) in ajaxurl change after i change plugin language
  63. How to do admin ajax request in a plugin for rest api
  64. Ajax action has 200 status but response of No response data available for this request
  65. Jquery php request is returning a weird result
  66. WordPress Does not grab the string sends useing AJAX response, wp_ajax hook
  67. Posts form with AJAX request – Plugin development
  68. Bad request 400 using class based files
  69. Forbidden Error in ajax call with wordpress
  70. Trying to run a Ajax request from a checkout form in woocommerce via a custom plugin
  71. “add to cart” links css class “ajax_add_to_cart” doesn’t show in woocommerce in widget sidebar
  72. Does $this context change in an AJAX callback?
  73. 400 Bad Request and illegal invocation in wp_ajax based on processData set to false or true
  74. Rate limiting ajax requests in WordPress
  75. WordPress Ajax not returning Response
  76. ajax-action.php can’t find added action
  77. AJAX call of function containing javascript which is not loaded (Plugin development)
  78. Performing ajax request in wordpress
  79. Inserted data from database does not showing on front-page without referesh page?
  80. ajax multiple Values
  81. How to include files in the loop via ajax
  82. How to handle ajax Request in a complex-structured plugin?
  83. Using JavaScript in WordPress page to call for server data using AJAX
  84. wp_ajax add_action fuction won’t fire on custom jQuery action
  85. Filterable posts using categories
  86. Ajax Response Error | just getting error as the response
  87. How To do Ajax In WordPress Custom Plugin?
  88. PHP includes with AJAX actions
  89. admin-ajax.php returns “No Script Kiddies!” sometimes
  90. WordPress function is not called and ajax return 0
  91. Ajax functionality not being called under wordpress plugin
  92. Array/List Edit in Backend
  93. Ajax not working to insert, query and result data
  94. WP Cron as Fast as WordPress AJAX?
  95. WordPress plugin: admin-ajax.php not passing data to custom function
  96. Ajax url value to pass ‘variable’ to use in query
  97. Ajax functions – no access to wp-admin.php only online
  98. Page reload occurs before request finishes
  99. PHPUnit Ajax Serialization of ‘Closure’ is not allowed
  100. Return custom product in ajax call loop