I want to save my website from URL injection. For that purpose I am using the following line to call another page with an integer id as a parameter. Here's the code:
'<button onclick=window.location.href="admin_leadbox2.php?id=' + alert(typeof(parseInt(data[i].client_id))) + '">VIEW DETAILS</button>';
The alert is showing me that, in fact, the data being passed in the URL is a number.
Now when I get the id from the URL and check its type in PHP it is giving me a string. Here's the PHP code:
$id=$_REQUEST["id"];
echo "<script>console.log('".gettype($id)."')</script>";
I know that I can convert the string received in the URL into an integer like I did in JavaScript to do my work, but in my case, to prevent URL injection, I only want to receive integer type data! What is the problem? Thanks in advance.
A URL is a string. A URL, or query parameters within it, has no types. Here, this is what your URL looks like:
admin_leadbox2.php?id=42
This is all the information that the computer has too. There's no hidden flag to mark "42" as an integer. It's just the characters 4 and 2. In a string. No different from "42foo", which would quite obviously be a string.
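The practical consequence of the answer above is that the id has to be validated as text on the server, not "received as an integer". The following is an added example (Node.js), not code from the question or the answer: it accepts only a canonical decimal integer and rejects everything else, including values that parseInt() would happily truncate (parseInt("42foo") is 42, and so is parseInt("42' OR 1=1"), while the raw string is what actually arrived). The page name admin_leadbox2.php comes from the question; the helper names and the range limit are assumptions for this example.

```javascript
// Added example (Node.js), not code from the question or answer.
// A query parameter is always a string; validate it as one before use.
// The page name admin_leadbox2.php comes from the question; helper names
// and the range limit are assumptions for this example.

// Accept only a canonical non-negative decimal integer within range.
// Rejects "42foo", "42.0", " 42", "-1", "1e3", "", and "0042".
function parseStrictId(raw, maxId = Number.MAX_SAFE_INTEGER) {
  if (typeof raw !== 'string') return null;          // missing parameter
  if (!/^(0|[1-9][0-9]*)$/.test(raw)) return null;   // digits only, no leading zeros
  const id = Number(raw);
  if (!Number.isSafeInteger(id) || id > maxId) return null;  // overflow / out of range
  return id;
}

// Read ?id= from a request URL the way a server-side handler would.
// Returns null for a missing, repeated (?id=1&id=2) or malformed id.
function idFromUrl(requestUrl) {
  const values = new URL(requestUrl, 'http://localhost').searchParams.getAll('id');
  if (values.length !== 1) return null;
  return parseStrictId(values[0]);
}

// Client side (the poster's button): only a validated id goes into the href.
function viewDetailsHref(clientId) {
  const id = parseStrictId(String(clientId));
  if (id === null) throw new Error('client_id is not a valid integer id');
  return 'admin_leadbox2.php?id=' + id;
}
```

The PHP equivalent of parseStrictId is ctype_digit($id) or filter_var($id, FILTER_VALIDATE_INT), applied to $_GET['id'] (not $_REQUEST, which also accepts cookies and POST fields). Whatever the id is then used for, this check is defence in depth, not a replacement for parameterised queries.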
I want to verify the order of a URL that is generated from faceted navigation on a development website.
E.g. http://EcomWebsite.com/region/s/element1/element2/element3
As part of a different test step I have extracted the strings I needed and I can test these are present in the URL. I've been doing this as:
assertThat(displayShopPage.getCurrentURL(),containsString(displayShopPage.element1()));
assertThat(displayShopPage.getCurrentURL(),containsString(displayShopPage.element2()));
assertThat(displayShopPage.getCurrentURL(),containsString(displayShopPage.element3()));
but as I mention, I need to check the order of the URL.
The step in question is:
"Then the order in which the values are included in the URL must be same order the values have within the facet"
I'm still rather new and raw to Java, Selenium, and BDD so I thank you for any help you peeps can provide.
EDIT:
I'm trying to avoid hard-coded URLs and what I want to check in the URL, for several reasons.
Element1 etc. come from classes that extract the text from faceted navigation element options.
So if I hard-code the URL or the text from the element options, and the product data changes and so does the faceted navigation, it will break the test.
Hence why I'm extracting the string from the elements to compare against the URL rather than just checking for the URL itself.
getCurrentURL() returns a string, right? Why not simply compose the expected URL as a string then compare the strings?
String currentUrl = displayShopPage.getCurrentURL();
// compose this from your page source...it isn't clear above what the component order needs to be
String expectedUrl = "http://EcomWebsite.com/" + displayShopPage.CF_PanelText() + "/s/" + displayShopPage.FacetGroup2OptionPanelText();
assertEquals(expectedUrl, currentUrl); // JUnit: expected value first, then actual
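When the full expected URL cannot be composed, the order can still be checked directly. The following is an added example, not code from the question or the answer, and it is written in JavaScript (Node.js) rather than Java: it splits the path into segments and checks that the facet values occur as whole segments in the expected order. The URL shape http://EcomWebsite.com/region/s/element1/element2/element3 is taken from the question; the facet labels in the comments are constructed sample data.

```javascript
// Added example (Node.js), not code from the question or answer.
// Checks facet ORDER in a URL path instead of three independent containsString() calls.

// Split a URL's path into decoded segments: "/region/s/a/b/" -> ["region", "s", "a", "b"].
function pathSegments(url) {
  return new URL(url).pathname
    .split('/')
    .filter(s => s.length > 0)
    .map(decodeURIComponent);
}

// True if every expected value occurs as a whole path segment and the
// occurrences appear in the same order as `expected` (other segments may sit
// between them). Whole-segment matching avoids the containsString() trap
// where "shoes" would also match a "/snowshoes/" segment.
function facetsInOrder(url, expected) {
  const segments = pathSegments(url);
  let position = 0;
  for (const value of expected) {
    const found = segments.indexOf(value, position);
    if (found === -1) return false;
    position = found + 1;
  }
  return true;
}

// Stricter variant: the segments after the "/s/" marker must equal the
// expected list exactly, with no extras and no reordering.
function facetsExactlyAfterMarker(url, expected, marker = 's') {
  const segments = pathSegments(url);
  const start = segments.indexOf(marker);
  if (start === -1) return false;
  const facets = segments.slice(start + 1);
  return facets.length === expected.length && facets.every((s, i) => s === expected[i]);
}
```

In the Selenium test, the `expected` array would be filled from the same element-text extractors used today (element1(), element2(), element3()), so the check still follows the product data instead of a hard-coded URL.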
I need to pass a few values via URL. The format looks like this:
example.com?params=['abc', 'xyz', 123456789]
Now the issue is I have some values that contain ', like abc's, for example:
example.com?params=['abc's', 'xyz', 123456789]
Now if I pass this via URL, the URL thinks abc and s are 2 different values and gives me an error as it's looking for , after '.
URL encoding is not a solution; I tried that, because all it does is make %27 for ', and the same issue occurs inside the function. How can this be done?
I prefer the comma syntax. And usually when you pull from the querystring you do not need to have typing since everything comes as a string.
example.com?params=abc%27s,xyz,123456789
And I am not sure about the function you are using to pull the querystring but do not forget.
decodeURIComponent()
If this does not help, which function are you using to pull from the querystring?
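To make the comma syntax robust, encode each value separately and decode only after splitting. The following is an added example (Node.js), not code from the question or the answer; the parameter name `params` and the sample values come from the question, and the helper names are mine. Two details matter: encodeURIComponent() leaves the apostrophe untouched, so it is encoded explicitly here to get the %27 form shown in the answer; and because a comma inside a value becomes %2C, the receiving side must split on the still-encoded text before calling decodeURIComponent(), which is why the reader below does not use URLSearchParams.get() for the value.

```javascript
// Added example (Node.js), not code from the question or answer.
// One value per comma-separated slot, each slot percent-encoded on its own.

// encodeURIComponent leaves ' ( ) ! * untouched, so "abc's" would keep a raw
// apostrophe. Encode those too, giving the abc%27s form the answer shows.
function strictEncode(value) {
  return encodeURIComponent(String(value))
    .replace(/[!'()*]/g, c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// A comma inside a value becomes %2C, so the only literal commas in the
// result are the separators.
function encodeList(values) {
  return values.map(strictEncode).join(',');
}

function decodeList(encoded) {
  return encoded === '' ? [] : encoded.split(',').map(decodeURIComponent);
}

function buildUrl(base, values) {
  return base + '?params=' + encodeList(values);
}

// Return the STILL-ENCODED value of one query parameter. Splitting has to
// happen before decoding; URLSearchParams.get() would turn %2C into a comma
// first and silently change the number of values.
function rawQueryParam(urlString, name) {
  const query = new URL(urlString).search.slice(1);
  for (const pair of query.split('&')) {
    const eq = pair.indexOf('=');
    const key = eq === -1 ? pair : pair.slice(0, eq);
    if (decodeURIComponent(key) === name) return eq === -1 ? '' : pair.slice(eq + 1);
  }
  return null;
}

function readList(urlString) {
  const raw = rawQueryParam(urlString, 'params');
  return raw === null ? [] : decodeList(raw);
}
```

Whatever the receiving function does with the list afterwards, rebuild it with split and decodeURIComponent as above rather than by evaluating bracket-and-quote syntax from the URL as code.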
I am writing a web application to exchange contact information fast via QR.
I use a QR API which is formatted like this:
`http://api.qrserver.com/v1/create-qr-code/?data=MyData&size=400x400`
I have JSON data formatted in a string; example of output:
`http://[myapp-url]/RecieveContact.html?Name=John%20Diggle&Title=IT%20Consultant&Organisation=testcomp&Telwork=0498553311&Telhome=&Gsm=0498553311&Email=testemail#mail.be&Website=www.testwebsite.be&Birthdate=24/04/97&Addresswork=&Addresshome=`
JSON data:
{"Name":"John Diggle",
"Title":"IT Consultant",
"Organisation":"testcomp",
"Telwork":"0498818587",
"Telhome":"",
"Gsm":"0498818587",
"Email":"testemail#mail.be",
"Website":"www.testwebsite.be",
"Birthdate":"24/04/97",
"Addresswork":"",
"Addresshome":""}
The problem is when you put this URL in the QR generator it only recognises the Name parameter. I understand why this happens.
The question is: is there a way, using JavaScript, to convert all this data into a string and convert it back on the receiving end?
Or does anyone know another potential fix for this problem?
You need to URL encode data with special characters you put into a URL:
var url = 'http://[myapp-url]/RecieveContact.html?Name=John%20Diggle&Title=IT%20Consultant&Organisation=testcomp&Telwork=0498553311&Telhome=&Gsm=0498553311&Email=testemail#mail.be&Website=www.testwebsite.be&Birthdate=24/04/97&Addresswork=&Addresshome=';
var query = 'http://.../?data=' + encodeURIComponent(url) + '&size=400x400';
This way you can represent characters like & inside a query string.
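The following is an added example (Node.js), not code from the question or the answer, showing both steps end to end: the contact URL is built from the JSON object with URLSearchParams (so the & = % and # characters inside the values are encoded), the whole contact URL is then wrapped as a single data= value for the QR API, and the receiving page reverses both steps. The QR API URL and the contact fields come from the question; "https://myapp.example" stands in for [myapp-url]. It also shows the failure mode from the question: when the contact URL is pasted in raw, the QR API sees only Name as its data and the remaining fields as its own parameters.

```javascript
// Added example (Node.js), not code from the question or answer.
// Nest one URL inside another's query string without losing parameters.

const QR_API = 'http://api.qrserver.com/v1/create-qr-code/';

// Every field becomes key=value with & = # % and spaces encoded. The sample
// e-mail contains "#": left raw, it would start a URL fragment and every
// field after it (Website, Birthdate, ...) would be dropped by the receiver.
function buildContactUrl(base, contact) {
  const url = new URL(base);
  for (const [key, value] of Object.entries(contact)) {
    url.searchParams.set(key, value);   // empty strings are kept, e.g. Telhome=
  }
  return url.toString();
}

// Correct: the contact URL is ONE value of data=, so its own & and = are
// encoded and cannot be mistaken for parameters of the QR API.
function buildQrUrl(contactUrl, size = '400x400') {
  return QR_API + '?data=' + encodeURIComponent(contactUrl) + '&size=' + size;
}

// The question's approach, kept for comparison: the raw contact URL is pasted
// in, so the QR API's data= ends at the first "&" (after Name).
function naiveQrUrl(contactUrl, size = '400x400') {
  return QR_API + '?data=' + contactUrl + '&size=' + size;
}

// What the QR API decodes as its data value.
function dataFromQrUrl(qrUrl) {
  return new URL(qrUrl).searchParams.get('data');
}

// Receiving page: read the fields back into an object.
function parseContactUrl(contactUrl) {
  const out = {};
  for (const [key, value] of new URL(contactUrl).searchParams) out[key] = value;
  return out;
}
```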
#SOLVED
As explained by James M. Lay, I should change my content-type from application/x-www-form-urlencoded to application/json.
That resulted in an error, because it seems that only URL-encoded types generate POST arrays on the server side (at least in PHP). So I had to change the way I receive/deal with the request in my server script:
$json = file_get_contents('php://input'); //yes. php://input
if($json) $params = json_decode($json,true);
else $params = $_POST;
I also had to make a few changes in the JavaScript code to check the content-type and generate different strings. If it's JSON I just use JSON.stringify:
//string to use in the 'send' method
this.getParametersString = function(){
if(this.contentType == 'application/json'){
return JSON.stringify(this.parameters);
}else{}
}
I got a question
I'm building a function that receives parameters, writes a list of parameters and sends it by POST.
The problem is that we can't send special characters, such as +.
So I tried to use the function encodeURIComponent to encode them to a URI friendly string.
There comes another problem: if the parameter received is an object, I loop through the attributes, checking if each is another object or a string; if it is an object, loop again, otherwise encode it.
But it is returning an object of encoded strings. I have to make the object become a string to send it, and for that purpose I use JSON.stringify. It decodes the encoded string. So %2B becomes + again and It is not sent to the server via POST.
On the other hand, if I use stringify first and then encodeURIComponent, it generates signs like " and { } that shouldn't be encoded, and the string is not well-written JSON.
How do you do that? Is there a way without using jQuery? Do I have to build my own stringify function?!
I'm using the following and I have no issues:
encodeURIComponent(JSON.stringify(object_to_be_serialised))
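The following is an added example (Node.js), not code from either answer, that serves both the #SOLVED answer above (JSON body versus form-encoded body, with the matching server-side read) and the one-liner just given. It builds the request body for either content type, mirrors what the server gets back (JSON.parse of the raw body, or the decoded form field, the counterpart of json_decode(file_get_contents('php://input')) and $_POST in the PHP shown earlier), and shows why "+" survives: encodeURIComponent is applied once, to the whole JSON text, and is undone once by the server's form decoding. The form field name `payload` and the sample parameters are constructed for this example.

```javascript
// Added example (Node.js), not code from the answers.
// Same parameters, two wire formats, and the server-side reverse of each.

// Client side: serialise the parameters for the chosen content type.
function buildBody(contentType, parameters) {
  if (contentType === 'application/json') {
    // JSON.stringify never touches "+", "&" or "%": a JSON body is not URL-encoded,
    // so nothing needs escaping and the server parses the raw body.
    return JSON.stringify(parameters);
  }
  if (contentType === 'application/x-www-form-urlencoded') {
    // Encode the whole JSON text as ONE form field. Encoding each value before
    // stringify would send "%2B" as data; encoding after stringify is undone
    // by the server's form decoding, so "+" arrives as "+".
    return 'payload=' + encodeURIComponent(JSON.stringify(parameters));
  }
  throw new Error('unsupported content type: ' + contentType);
}

// Server side: the equivalent of json_decode(file_get_contents('php://input'))
// for JSON, and of $_POST['payload'] for the form-encoded variant.
function parseBody(contentType, body) {
  if (contentType === 'application/json') {
    return JSON.parse(body);
  }
  if (contentType === 'application/x-www-form-urlencoded') {
    const form = new URLSearchParams(body);   // decodes %2B -> "+" and "+" -> " "
    const json = form.get('payload');
    if (json === null) throw new Error('missing payload field');
    return JSON.parse(json);
  }
  throw new Error('unsupported content type: ' + contentType);
}

// The question's first attempt, for comparison: encoding the values and THEN
// stringifying leaves "%2B" inside the JSON text, which the server stores as-is.
function encodedValuesThenStringify(parameters) {
  const encoded = {};
  for (const [k, v] of Object.entries(parameters)) encoded[k] = encodeURIComponent(String(v));
  return JSON.stringify(encoded);
}
```

On the server, prefer checking the Content-Type header to decide which branch to take rather than guessing from whether the raw body parses as JSON.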
I'm developing a portlet for WebSphere Portal 6.1, with JSP/JSTL, pure javascript, no AJAX frameworks, with a JSP that shows a send feedback form and, when submitted, redirects to another JSP to show the user the success of the operation.
I use JavaScript to get the values of the form fields using the document.getElementById() function. For example:
var valorAsunto = document.getElementById("asunto").value;
where "asunto" is the ID of a text field in my form. Also my form has the following structure:
<form name="formularioCorreo" id="formularioCorreo" method="post" action="<portlet:renderURL><portlet:param name="nextTask" value="sendFeedback"/></portlet:renderURL>">
That works OK, but I'm having trouble when trying to build the <portlet:renderURL> tag from those JavaScript values: when I try to concatenate a string for the renderURL and then reassign it to the form action like this:
var valorAction = '<portlet:renderURL><portlet:param name="nextTask" value="sendFeedback"/><portlet:param name="asunto" value="'+valorAsunto+'"/></portlet:renderURL>';
document.formularioCorreo.action = valorAction;
document.formularioCorreo.submit();
The resulting string, when the application is deployed, has the structure:
/wps/myportal/<portletpath>/!ut/p/c5/<a very long random sequence of numbers and letters>/
So one can't figure out where the parameter values are, but if I print the assigned values it shows something like:
asunto: '+valorAsunto+'
instead of
asunto: this is a sample subject
I've been trying to use some other ways to concatenate the string; for instance with a StringBuffer, as shown on http://www.java2s.com/Tutorial/JavaScript/0120__String/StringBufferbasedonarray.htm
and also JavaScript functions like encodeURI()/decodeURI(), replace(), etc., but I just can't get either the URL with the right parameter values or the URL encoded in the structure shown above (the one with the long sequence of chars).
Sometimes I manage to get the right parameter values, by manually replacing in the valorAction assignment all the "<" with "&lt;" and all the ">" with "&gt;" before the concatenation, and then doing the following:
var valorAction = valorAction.replace(/&lt;/g,"<").replace(/&gt;/g,">");
Then I get the following string:
<portlet:renderURL><portlet:param name="nextTask" value="sendFeedback"/><portlet:param name="asunto" value="this is a sample subject"/></portlet:renderURL>
which is OK, but when it has to redirect to the results page it shows an error like this:
Error 404: EJPEI0088E: The resource <portlet:renderURL><portlet:param name="nextTask" value="sendFeedback"/><portlet:param name="asunto" value="this is a sample subject"/></portlet:renderURL> could not be found.
Does someone know how to transform that string to the right format to be rendered?
Does someone know any other way to "inject" that parameter values to the renderURL?
I'd like to know also if it is possible to pass that parameter values from javascript to JSP so I could put that values in a HashMap of parameters to use with the PortletURLHelper.generateSinglePortletRenderURL() method, in case the former is not possible.
Thank you.
Update 1:
In my doView() I use the following, in order to make the redirection:
String targetJsp = "/_Feedback/jsp/html/FeedbackPortletView.jsp";
String nextTask = request.getParameter("nextTask");
//(... I have omitted code to conditionally select targetJsp value, according to nextTask value ...)
PortletRequestDispatcher rd = getPortletContext().getRequestDispatcher(targetJsp);
rd.include(request, response);
This is just a new JSP inside my portlet, not a different portal page. I do use request.getParameter() to get the values for my form fields from my doView():
String subjectFeedback = request.getParameter("asunto");
String bodyFeedback = request.getParameter("mensaje");
String emailFeedback = request.getParameter("emailFeedback");
I don't see the need to include hidden fields if my form has the fields named above. In fact, what I'm trying to do is to pass the values the user entered in these fields as request parameters, but the values I get by this means are the following:
subjectFeedback: "'+valorAsunto+'"
bodyFeedback: "'+valorMensaje+'"
emailFeedback: "'+valorEmailFeedback+'"
I get the above values when using concatenation by "+"; when I use StringBuffer I get the following values:
subjectFeedback: "'); buffer.append(valorAsunto); buffer.append('"
bodyFeedback: "'); buffer.append(valorMensaje); buffer.append('"
emailFeedback: "'); buffer.append(valorEmailFeedback); buffer.append('"
Does someone know any other way to "inject" that parameter values to the renderURL?
There are two IBM guides on that topic.
Portal 6.1 and 7.0 Advanced URL Generation Helper classes
How to create a link to a portlet (Standard API) that passes parameters to that portlet
How are you redirecting to the other page? Is it a different portal page or just a new JSP page inside your portlet?
You don't need to inject any parameters into the render URL. Have a form whose action targets a renderURL. Now, to pass information to your portlet's doView() method, you can have hidden fields in the form, then populate them using JavaScript and then submit the form. In the doView() method, you can use request.getParameter() to get the parameters.
Well, sometimes the most obvious things happen to be the way to the solutions.
I was so busy trying to find elaborate causes for that situation that I did not check for this at all:
My form fields were correctly identified by different ids, but their name properties weren't set.
With the help of a work partner we could figure that out, so assigning the same value as the id to name on each form field did the trick.
So, I ended up skipping that action reassignment thing, because the field values are being set as request parameters, as they should be.
Thanks for the help.