Behavior of mailto: and onclick() on same element - javascript

I use some server-side email obfuscation and do not want to put the full email address in a mailto: . Within the element, I call a js function that fetches the email address from the server, and calls (another) mailto: link from without the js function.
I first kept the href empty (and I think it's the same when putting #), but when hoovering over the link, the status bar of the browser shows a link to the current page, and it looks just neater (and expected behavior) to show a mailto: link in the status bar, but just with the firstname of the person, and not with a valid email address.
HTML:
<a href="mailto:johny" onclick= "sendmail('jj'); return false;" title="Send email">
JS:
function sendmail(dest) {
var link = "";
fetch('/returnmailstring.php?dec='+code+'&input='+dest)
.then(function(response) {
response.text()
.then(function(text) {
link = text;
if (link.length > 2) {
if(window.confirm('Send email to \n'+link+' ?')) {
window.location.href = link;
}
}
})
})
}
So my question is whether it is acceptable to have a double/identical functionality, but using two different methods ?
I would have expected that maybe two "new mail" windows would be opened, or some other weird behavior, but everything actually works fine. But I cannot imagine that this is standards compliant, and that it would work fine in all browsers/devices?
A related question is about what should happen when user clicks on the link. I currently implemented a confirmation box, so user can choose OK to actually proceed with sending the email (using the default email client), or just copy the email address from the box (and paste into another mail client, e.g. gmail), and Cancel to return to the page. The alternative would be to skip the confirmation box and directly open the mail client after the click. Are there UX rules / standards to follow, or is it acceptable to use such confirmation box?

Related

New to Python, Trying to create a small python script to extract password from a password generation internal website that uses javascripts and forms

So we have an internal website which generates password for our privileged user. I want to automate that function by using python.
So this is how the website is:
Main Page: Enter your credentials (Site specific) - > Press Login
button
The submit button has j_security_check at the back end.
- loginUrl = 'https://internal.website.local/self/j_security_check'
resLogin = session.post(loginUrl, data = {'j_username': 'myusername' ,'j_password': 'mypassword', 'submitbut': 'Log In','command': 'submit','browserDate': '1576177981845','browserOffset': '240','browserTimeZone_2005': '0:240','browserTimeZone_2006': '0:240','browserTimeZone_2007': '0:240','browserTimeZone_2008': '0:240','browserTimeZone_2009': '0:240','browserTimeZone_2010': '0:240','browserTimeZone_2011': '0:240','browserTimeZone_2012': '0:240','browserTimeZone_2013': '0:240','browserTimeZone_2014': '0:240','browserTimeZone_2015': '0:240'})
I saw in the post request on the website that it takes a huge number of borwserDates & browserTimezone values, however, even if I keep these contant day in and day out things work fine.
At this point login is successful. Have achieved this part
Second Page after Login:
- After login we have a lot of links on the page. We use the page called UseCredential.do
MainCredential = 'https://internal.website.local/self/UseCredential.do'
CredentialDo = session.get(MainCredential, verify=False)
At this point, i have successfully polled the UseCredential.do page.
This page has 2 boxes a search button
Usually we leave the boxes empty and press search button.
This search button submits a form at the backend for which the code is
<input type="button" name="searchButton" value="Search" onclick="return submitForm('UseCredentialForm','search');" onmouseover="onMouseOverButtonHandler(this);" onmouseout="onMouseOutButtonHandler(this);" onblur="onMouseOutButtonHandler(this);" onfocus="onMouseOverButtonHandler(this);" id="searchButton" class="button button-primary " alt="Search">
Furthermore it also a script
<script>
function onKeyPress(e) {
if(e && e.keyCode === 13){
e.preventDefault();
submitForm('UseCredentialForm','search');
}
}
</script>
Looking at the debugs I was able to see that the following is submitted at the time of Search Button press. So executed the script using this
CredentialDo2 = session.post(MainCredential, data = {'searchResourceCondInput':'','searchCredentialCondInput':'','command': 'search','linkRow': ''})
Till this part I am successful and if I print CredentialDo2.text I can see that the search result is there.
--------This is where I cannot proceed further, becuase the post data is only available in CredentialDo2 and I don't know how to proceed further.
---The next steps are:
Click on the result which is always the same name MyUserName2, which has the following code at the back
<div class="tableCellContent" title="MyUserName2">
<a
href="javascript:submitTableLink('UseCredentialForm','selectSharedAccount','a73e0a84_0')"
><span class="pim-credential-name">MyUserName2</span>
<span class=""></span>
</a>
</div>
</td>
OBSERVATION: The value in the javascript a73e0a84_0 at the end changes always. And I can see this value is passed on in the post.
Once we click the MyUserName2, I get the page where I have to type
in the textbox and the press submit.
Once submit, it will send to a new page where I click View Password to get the new password. This ViewPassword button also
executes a javascript. I will need help two get the password. I will share more code once I reach there.
Kindly note that in all this the link above in the address bar does not change from 'https://internal.website.local/self/UseCredential.do'
Any and all help will be much appreciated.
This is my first programming with Python so please bear with me.

javascript:history.back() OR homepage

I would like to add a button that will take a user back a page OR if a user used direct url to get to that page (so, .back() would take them back to google for example) - a user will be redirected to my homepage.
Looks like javascript:history:back() or history.go accept step attributes only (how many pages we can go back) and that is it. Will I have to tap into session or is there a way to do it with history object?
You can check the referrer url with document.referrer, to see what was the previous page where the user come from. It can be empty that means user come from direct link, or clicked the link from other app links skype etc...
In the example I used https://stackoverflow.com as an example, but you can make it more universal if you use with location.origin more info
As #Jonas W. Mentioned in the comments, be sure you check the full domain in the right position in the referrer, because of security reasons.
function go() {
if (document.referrer.indexOf("https://stackoverflow.com/") === 0) {
history.back();
} else {
window.location.href = "https://stackoverflow.com";
}
}
document.querySelector('button').addEventListener('click', go);
<button>back</button>

Setting document.activeElement.value shows value on screen but fails to accept

There is this web page: https://www.comed.com/Pages/default.aspx
with a "Sign In" button in the top right corner. I am displaying this page from a UWP app (this is actually a JavaScript question) in a WebView control, and run a dynamic JavaScript script on this page (via a call to InvokeScriptAsync()) to automatically insert the login or password in the currently selected field. The script that runs is simply this:
document.activeElement.value='" + value + #"';
This works in the sense that the login or password shows correctly on the screen BUT when I click on the "Sign In" button the page is telling me "Username (Email Address) is required." and "Password is required.".
If instead I manually type in the SAME value (or use copy/paste) then I get no errors!
I get the same type of error on the MS Channel 9 login page, but most other login web pages do NOT have that issue.
Use this code $(document.activeElement).trigger('change') after setting the value.
In addition to the above answer, and to support different web pages, I ended up using some Javascript from Correct Way to Programatically Trigger Change Event of ASP.net CascadingDropDown using JavaScript:
if ("createEvent" in document)
{
var evt = document.createEvent("HTMLEvents");
evt.initEvent("change", false, true);
document.activeElement.dispatchEvent(evt);
}
else
{
document.activeElement.fireEvent("onchange");
}

Redirecting to previous page

I have ASP.NET MVC5 page with .NET Framework. 4.5.
I have a page with several labels representing users details and also i have 2 buttons - back button which call JavaScript function onClick="redirectToPreviousPage();" and i have 1 button - Confirm.
Confirm button open up a modal pop-up with few check boxes and from there users can thick them and accept the provided details with another button, called accept.
There are 4 possible pages from where users can navigate to this particular Details page and when they click back it calls "redirectToPreviousPage();" function:
function redirectToPreviousPage() {
debugger;
var previousUrl = document.referrer;
if (previousUrl !== window.location.href) {
window.location.href = previousUrl;
} else {
history.go(-1);
return false;
}
}
If users skip Confirmation and click Back document.referrer works correct and it redirect the users to the page they came from.
The problem is when users click on Confirm button and click Accept on modal dialog window.referrer point to it's self and i want to avoid that. For this purpose i'm using history.go(-1) even (-2) which should work fine, but it's not - even when URL is different than current URL and different from document.referrer URL returning to previous page isn't work.
I also read about this and tried with including return false; but i couldn't help me to.
How can i redirect users to previous page properly ?
why don't you store the previous URL and pass it round in a form post or cookie, and then have a default value for the first visit

Password protected hyper link with target=_blank

I have a hyper link like this :
<A Href=My_Java_Servlet?User_Action=Admin_Download_Records&User_Id=Admin onClick=\"Check_Password();\" target=_blank>Download Records</A>
When a user clicks on it, a password window will open, the user can try 3 times for the right password.
The Javascript looks like this :
<Script Language="JavaScript">
function Check_Password()
{
var testV=1;
var pass1=prompt('Password','');
while (testV<3)
{
if (!pass1) history.go(-1);
if (pass1=="password") { return true; }
testV+=1;
var pass1=prompt('Access Denied - Password Incorrect.','');
}
return "false";
}
</Script>
If user enters the wrong password 3 times, it's supposed to not do anything, but it still opens a new window and displays the protected info, how to fix the javascript or my html hyper link so only the right password will open a new target window, a wrong password will make it do nothing ?
Clientside JavaScript is perhaps the worst possible way to provide "security". Users can just view the source to see all of your passwords, or just disable JavaScript altogether. Do not do this.
Other people have answered your question with the true/false return value but here's some of the problems with the whole idea of checking the password in javascript on the client:
Your javascript source is freely readable by anyone downloading the page - thus showing them the password needed to view the page.
If they don't have javascript enabled then they'll just go straight to the page without getting the javascript prompt.
They could always just copy the link and paste it into their address bar to bypass the password protection. They could also just middle-click the link (which should open it in a new tab/window depending on their browser.)
Even on a private/intranet-only application this would be a laughable security method. :) Please consider re-desinging it so that the password is checked on the server-side portion (like when someone attempts to access the servlet it would render a password box and then post that password back to the server and then allow/deny access.)
You might to try returning false rather than "false"
However, you might be better off doing this kind of thing on the server, as I'd image all but novice users will know how to "copy link address" and paste this into their address bar.
Why are you returning "false" instead of false ?

Categories