I have an HTML FORM requesting the name of a movie to search for, and a JavaScript function which takes that name passed as a query parameter (after a ?) on a reinvocation of the page URL and compares it against a database (read with AJAX). The problem is that special characters are being translated on input to %nn, so they don't match the names in the database. For example, when I read the user input of "airplane!" with "title = window.location.search" I receive "airplane%21". How can I defeat or correct this behavior, or am I going to have to translate every %nn in my JavaScript routine? Thank you.
(Page reference: https://acb.org/adp/findavideo.html)
Arggh! Not 2 seconds after I posted this, someone sent me an answer offline: "title = decodeURIComponent(title)" does the trick. Hope this helps someone else.
You can try decode the value before use it, for example:
decodeURIComponent('%21'); // "!"
Related
I'm trying to grasp JavaScript DOM-based injection attacks better, so I would appreciate some input on this.
I have this output from Burpsuite as "firm" indicating it should be something here.
So the the main page loads a .js file with the code below.
Data is read from document.location and passed to eval() via the following statements:
var _9f=document.location.toString();
var _a0=_9f.split("?",2);
var _a1=_a0[1];
var _a2=_a1.split("&");
var sp=_a2[x].split("=");
djConfig[opt]=eval(sp[1]);
If I understand this correctly, it gets the content after '?' in the url, then splits the parameters after '=' and then evals the second array of that. So www.domain.tld?first=nothing&second=payload, is that correct?
Given that it's already inside of a js file, I'd assume I don't need the < script > tags in the payload? I really can't get it to fire anything so I'm doing it wrong obviously. Would appreciated some input to understand this better, not just a code snippet but some explanation would be great.
...it gets the content after '?' in the url, then splits the parameters after '=' and then evals the second array of that...
Almost. It gets the part of the string after the first ?, splits that into an array of parameters (by splitting on &), then gets the value of the xth parameter (the one at index x), splits it to get its value, and evals that.
This means the page executes code entered into it via the query string, which means Mary can give Joe a URL with code in it that will then execute within the page when Joe opens it, which is a potential security risk for Joe.
Say x is 2. This URL would show an alert: http://example.com/?a=1&b=2&c=alert(42)
var x = 2;
var _9f="http://example.com/?a=1&b=2&c=alert(42)";
var _a0=_9f.split("?",2);
var _a1=_a0[1];
var _a2=_a1.split("&");
var sp=_a2[x].split("=");
/*djConfig[opt]=*/eval(sp[1]);
Here's an example on JSBin: https://output.jsbin.com/cibusixeqe?a=1&b=2&c=alert(42)
How big a risk it is depends on what page this code is in.
Since the code doesn't use decodeURIComponent there are limits on what the code in the query string can be, though they can probably be worked around...
I sourced the following code that is successfully extracting ids from the URL into form inputs:
function querystring(key) {
var re=new RegExp('(?:\\?|&)'+key+'=(.*?)(?=&|$)','gi');
var r=[], m;
while ((m=re.exec(document.location.search)) != null) r.push(m[1]);
return r;
escape;
}
$('#firstname').val(querystring('FirstName'));
$('#lastname').val(querystring('LastName'));
$('#emailaddress').val(querystring('EmailAddress'));
However, when the email address is fed into a disabled input, the # displays as %40 instead. The form submits fine with this discrepancy, however aesthetically it may lead to customers being confused.
I believe I can use encodeURIComponent() to ensure the # appears correctly in the input, however I do not know how to insert this into my existing code. I understand the basics of Jquery but am not advanced enough to make this change.
Any help would be greatly appreciated.
you must decode URI component by using decodeURIComponent(key);
or you should separate each key from URI and decode separately. I think you should decode your URI first and then pass it into the queryString function.
I would like to get from an URL like these JUST the "test#gmail.com" (or whatever email will be in the URL) :
www.website.com/?email=test#gmail.com
www.website.com/?email=test#gmail.com&name=john
www.website.com/?name=john&email=test#gmail.com
My problem is to solve that all of these 3 cases can happen (so no other data, OR data after the email, OR data before the email).
Unfortunately I have zero Regex-Skills, but was able to get so far together these 2 things:
/email=(.*)/
/email=(.*)\&/
The 1st one works if the email is the ONLY data.
The 2nd one works just if there is another data after my email.
But as mentioned I need to make it work regardless of which of the 3 types above is the case.
Could you help me out please?
Thank you very much!
BTW, I need it for this:
var msg = window.location.href.match(/email=(.*)/);
(I'm searching for an answer for more than 2 hours, used Google, used Regex-Testers, checked out Cheat Sheets and read many StackOverFlow-Questions... But I can't solve it on my own.)
Try this regex: https://regex101.com/r/gMyqDa/1
It matches email patterns not just any characters after email=
if your cases are that simple, then just exclude the ampersand
var urls = [
"www.website.com/?email=test#gmail.com",
"www.website.com/?email=test#gmail.com&name=john",
"www.website.com/?name=john&email=test#gmail.com"
];
for (i in urls) {
var url = urls[i];
console.log(url);
console.log(url.match(/email=[^&]+/)[0]);
}
Basically I created a form in html and when things are input properly it simply goes to google.com. Right now I have completed the first few fields but I am unsure of how I would make it recognize if the input that was put in and did not include an # sign or a . some point after it.
I created a fiddle as I was having trouble getting some of the longer of my lines of code to be in-line.
Click here for the fiddle Example
You have a few options depending on how thorougly you want to validate.
email.indexOf('#') >= 0
checks that there is an # at all in the email. See http://jsfiddle.net/27f1h6ws/ for a version of your fiddle with it added.
A more thorough way would be to check it with regex. You can do it extremely simple just checking the general structure of the email input, or extremely thorough check for all valid characters, depending on how crucial the validation is. See this link or the answers in this question for more information.
You can use HTML5 properties like :
pattern attribute which contains a regexp
set your input type to email
If you want to do it with JavaScript, use a regexp also and use the test() method to verify it.
Add this
var re = /^([\w-]+(?:\.[\w-]+)*)#((?:[\w-]+\.)*\w[\w-]{0,66})\.([a-z]{2,6}(?:\.[a-z]{2})?)$/i;
return re.test(email);
I would like to ask a question regarding a strange behavior I face using the escape Ascii characters for some Swedish chars.
More specifically, in order to support a multilingual site, I have a json file where I have specified all required messages in Swedish, i.e. 'Avancerad sök'.
Then when the page loads the first time, I set this value to an input text and it is displayed properly: 'Avancerad sök'. But when I click a button and set again the value of this input text I get: 'Avancerad sök'.
Does anyone have faced a similar problem?
Thanks a lot!
Code:
q('#keyword').val(qLanguage.qAdvancedHint);
I execute this code both times. qLanguage is an object which I fill it from the json file and qAdvancedHint a specific key.
Don't know have the specific encoding is called. But tested with js's unescape method, but didn't work.
However a solution, a bad/ugly one, could be to ask jQuery to parse it for you then add it as a value property:
var text = $("<span/>").html(qLanguage.qAdvancedHint).text();
q('#keyword').val(text);