Fixing JS injection
Johndiology opened this issue · 2 comments
Our security team tells us that our Ajax calls are vulnerable to JS injection. They recommended URI encoding our responses. In trying to resolve this I happened on
this.transport.send(this.body);
in prototype.js and figured it could be
this.transport.send(encodeURIComponent(this.body));
But I'm kind of guessing here, as I don't understand a lot of this library. In any case, it didn't work. Or rather, it did URI encode our response parameters but then we have other form inputs that are now all "unnamed_argument_[x]".
I'd like to understand how to resolve this.
Thanks.
That section of code is how the Ajax class sends the request to the server, not the response from the server.
I believe this is more about how the response is handled, so if the headers are JavaScript, and the response is from the same origin, then the response will be treated as JavaScript and evaluated.
You can disable this behavior by setting the evalJS option to false.
For example
new Ajax.Request('/my/ajax/url', {
  'evalJS': false,            // never evaluate the response body as script
  'onSuccess': function(result) {
    console.log(result.responseText);
  }
});
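As an added illustration of the rule described in that comment (this is not Prototype's own code and was not posted by either participant), here is the evaluation decision modelled as a standalone function: a completed response is only run as script when evalJS is not false, the Content-Type is a JavaScript type, and the request URL is same-origin. The content-type pattern, the origin parsing and the sample origin are assumptions made for this example.

```javascript
// Added example: models the evalJS decision described above.
// Not Prototype's own code; the content-type regexp, origin parsing and
// sample values are assumptions made for this illustration.

// Matches JavaScript/ECMAScript MIME types, with optional parameters.
const JS_CONTENT_TYPE = /^\s*(text|application)\/(x-)?(java|ecma)script(\s*;.*)?$/i;

// True when `url` is relative or its scheme+host equal the page origin.
function isSameOrigin(url, pageOrigin) {
  const m = url.match(/^\s*https?:\/\/[^\/]*/);
  return !m || m[0].trim().toLowerCase() === pageOrigin.toLowerCase();
}

// Decides whether a completed response would be evaluated as script.
// options.evalJS may be true (the default), false, or 'force'.
function wouldEvalResponse(options, url, contentType, pageOrigin) {
  const evalJS = options.evalJS === undefined ? true : options.evalJS;
  if (evalJS === 'force') return true;   // always evaluated, regardless of origin/type
  if (!evalJS) return false;             // the hardened setting: never evaluated
  return isSameOrigin(url, pageOrigin) && JS_CONTENT_TYPE.test(contentType || '');
}

// Constructed cases (not taken from the issue).
const origin = 'https://app.example.com';
const weak = {};                     // evalJS left at its default (true)
const hardened = { evalJS: false };  // the setting recommended in the comment

// A same-origin JS response is evaluated with the defaults but not when hardened.
function defaultEvaluatesSameOriginScript() {
  return wouldEvalResponse(weak, '/my/ajax/url', 'text/javascript; charset=utf-8', origin);
}
function hardenedEvaluatesSameOriginScript() {
  return wouldEvalResponse(hardened, '/my/ajax/url', 'text/javascript; charset=utf-8', origin);
}
```

A JSON or HTML response, or a cross-origin URL, is not evaluated even with the defaults; only a JavaScript Content-Type on a same-origin request (or evalJS: 'force') triggers it.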
Thanks very much!