Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I have plain HTML code, without Javascript code in it.
How would you detect if any form of Javascript was injected in the HTML ?
The application generates HTML client side. And needs to validate it once it arrives on the server.
The goal is NOT to remove Javascript, but simply detect the presence of it.
This is what tools like HTML Purifier are for. They break the input into tokens are run them against a white list.
This is safer than trying to find specific ways of inserting scripts into HTML, because there are tricks with malformed tags or non obvious attributes being used. See the XSS Evasion Cheat Sheet for example.
Removing can be easier than detecting - just escape all the HTML etc. you get with htmlspecialchars($string).
Alright, so this is a very interesting challenge:
First, check for all script tags, both capital and lowercase
<SCRIPT> <script> <sCrIPt>
Then, check for event handlers (onclick etc).
For this, we use DOM
$dom = new DOMDocument;
$dom->loadHTML($string);
You can work all sorts of magic with DOM, I recommend reading their documentation. Check for any attributes with "on" in them
Related
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 5 years ago.
Improve this question
I'm trying to create a webpage version control backup / log. Where if the webpage (including JS and CSS) gets altered it saves a static copy on the drive.
How do I get the CSS and javascript of a webpage? Getting the HTML is easy by simply connecting to the webpage and read the contents and return it. But how do I get the CSS & Javascript of this page too?
The system doesnt have direct access to the webserver(s) so I have to do everything over the network remotely.
My idea is I search the HTML I scraped for .css and '.js' and take everything until the first quote " and directly access the CSS / javascript file as webpage. But I think this might not be very reliable?
Not sure why this is marked as too broad. I'm asking how to get the CSS and javascript of a webpage. I reformed my question, hopefully its better now.
Instead of searching for .js and .css , I'd look for <script> and <link> tags instead and use their src and href properties respectively to perform another network request and retrieve those files for comparison.
This will be more reliable because you won't have to worry about the page's content containing js or css, and you could also use an XML parser to ensure things like single-quotes vs. double aren't an issue.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 7 years ago.
Improve this question
I've searched arround on Google but couldn't find a clear answer on my question. The idea of what I want to do is quite simple:
There's a site called "glws.org" with a bunch of <div>'s and <input>'s on the page. You can add strings to the URL (example: https://glws.org/#S76561198105687636A2280482163D16883436630920468625) and for different strings after the # in the URL, different values are put into the <input>'s. The site reads the string after the # and has a script that converts it into values and puts the values in read-only <input>'s. Because they are <input>'s and not <p>'s for example, I can't just read them by printing out the HTML code.
Is there a way to retrieve the value in the input fields through a Java program? I've tried to read the source code of the page with Sockets but that obviously just prints the <input> tags without the value because it's not like a <p> or something.
Any help is appreciated!
You can use Selenium web driver to do browser actions on the website programatically and wait till some elements appear on the page.
https://code.google.com/p/selenium/wiki/GettingStarted
Closed. This question needs to be more focused. It is not currently accepting answers.
Want to improve this question? Update the question so it focuses on one problem only by editing this post.
Closed 7 years ago.
Improve this question
I would like to verify that a string is valid HTML, like the W3C Service does. I specifically don't want any browser corrections (like closing open tags), which precludes options that create DOM elements and read the HTML from them. It will run very frequently, so I really need to run it locally. Libraries are OK, jQuery is OK.
Edit #1: I'm asking about HTML validation, not form or input validation.
Edit #2: What I need is basically a Javascript implementation of the Nu HTML Checker.
Provided you're running node.js or python on the server side you can use a library like html5-lint by Mozilla to do all the heavy lifting for you. And for the java world there is a similar library jtidy and there are countless of similar libraries out there.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
Lately, I have been fond of live code editors such as cssdeck and jsFiddle, and I want to replicate my own with one small twist: php code.
The basic elements behind these live code editors are textarea, javascript, and an iframe. You can see the final results either via js script or php form. I went through the js script route, and it works fine for html, css, and js, but not php; the site shows up empty like nothing been entered. When I went the php form route, I got the same results. with php forms, however, I have the ability to create/write php files, which would then display the code correctly, but that would remove the live editing function. I'm wondering if you know any other routes to finish the intended project besides the ones above. Also, I tried
<?php
$codeInput = stripslashes($_POST['code']);
?>
and that turned nothing.
You want to use htmlspecialchars, not stripslashes.
htmlspecialchars is specifically for encoding things like <, as in <?php.
stripslashes only removes backslashes (\).
Be very careful with this, however; directly outputting unfiltered user input can lead to XSS attacks, even if you use htmlspecialchars. Read more here.
As an aside, you probably don't need to roll your own editor for this. You might check out http://ideone.com/ instead, which is basically a jsFiddle for PHP and a large number of other languages.
Closed. This question needs details or clarity. It is not currently accepting answers.
Want to improve this question? Add details and clarify the problem by editing this post.
Closed 8 years ago.
Improve this question
I'm having an issue at work with a rather picky client.
We use a rather strange script to deal with something that they require. We're an online assessment company and this script in general applies in our test player, rather than in our question editor, so we can't make change in the html, as you normally would with a text input box.
I know the maxlength attribute can be added through use of jQuery by using something along the lines of
$("input").prop("maxLength", 3)
However, I do not know how I would reference this in the HTML, as it would only be used in a couple of questions that use this script so making it standard for these questions by adding it to the JavaScript used is not an option.
The inputs that you need to apply this to would need to have ID's or Classes.
As you cannot edit the HTML this would only work, if those input's had ID's or Classes already.
If you want to apply it to an element with an Id you would do:
$("#IDGOESHERE").prop("maxLength", 3);
http://api.jquery.com/id-selector/
If it was with a class :
$(".CLASSNAMEHERE").prop("maxLength", 3);
http://api.jquery.com/class-selector/
You could get a little more fancy, by using EQ,
$("input").eq(5).prop("maxLength", 3);
Which would apply the max length to the 5th input on the page.
http://api.jquery.com/eq/