I am trying to post some data to another php file using ajax. This data is on the link attribute. I am thinking bad guy on the page could inspect the element and change the value of that particular data attribute which i want to stop this from happening using javascript.
for example: <a href='#' data-user_id='25'> Add Friend </a>
How do i let javascript make sure the value of data-user_id still stand the same if a bad guy inspect the page and try to change the value of the attribute ??.
below is my code but its not working the way i want:
<script>
$(document).ready(function(e) {
$(".save").attr("data-user_id").change(function(){
var savefriendbtn = 57;
if($(".save").attr("data-user_id") !== savefriendbtn){
$(".save").attr("data-user_id","57");
}
})
});
</script>
A code example would be much appreciated.
Thank you
Short answer you can't verify the change, even if its doable what prevent the user from inspecting your JavaScript and play or monkey-patch some other code and override your client-side checks,
Client-side checks was never a way to verify valid data, its a way to help but you can't guarantee or depend on it, you should have a back-end validation for this parts of code,
Validate in back-end if this user is not permitted to add this user as a friend, otherwise no issue if he changed the id and add another one as long as he can do that, and you may or may not handle error for this part as actually for me i don't care if an error explode to user if its his fault by hacking.
If I am understanding correctly you need this function to run while the user (or bad guy) browses the page, constantly forcing the id of the element to be 57.
If I am not wrong you wouldn't need jquery.
There are two problems:
var savefriendbtn has a number type, 57, whereas you are setting it as "57", a string.
The problem should be because Document.ready only calls once, i.e. when the page loads for the first time. Hence, you would have set up an event listener or do as follows:
setInterval(function(){document.getElementById('save').data-user_id=57;},1000)
Does it help?
Then and again, the bad guy could simply change the var to another value, preventing the entire mechanism from working. I really hope this helps you.
Related
I'm trying to log into this site. But I can't even fill the textbox with the username.
I tried:
implicit and explicit waits
executing JavaScript
Structure of the textbox
The username is enclosed within a td tag, which can be located using its width attribute. The textbox itself is represented by two input tags. The first one is hidden. Both have style attributes. The first one has an initial value of display: none;, which is changed to display: inline-block; when I click on the textbox. And the style attribute of the second input tag is set to display: none;. Again, both these are toggled once the username textbox loses focus.
Waits
I tried using both implicit and explicit waits. The code implementing explicit wait resulted in a TimeoutException error:
wait = WebDriverWait(driver, 10)
elem_username = wait.until(EC.visibility_of_element_located((By.ID, 'txt_username')))
Executing JavaScript
Both the input tags have onfocus and onchange attributes. I didn't bother about the latter (my goal was to get keystrokes into the textbox first). The onfocus has a value of SetEnd(this). So, I tried to execute that.
The problem I had is that I couldn't find any documentation that could help me executing JavaScript. So I looked at a few related answers here at StackOverflow. I tried this first:
elem_username = driver.find_element_by_id('txt_username')
driver.execute_script('SetEnd(this)')
Of course, I knew it wouldn't work, because I was not referring to the element. So after browsing a few more questions, I learnt that execute_script took arguments. So I modified the code, which raised an error that said something like the script had no function like this:
driver.execute_script('arguments[0].SetEnd(this)', elem_username)
Then, I saw an answer using 'click()' inside the execute_script; so I tried that, too:
driver.execute_script('arguments[0].click()', elem_username)
The 'click()', I guess, is only for buttons. But since I had to "click" in the textbox to bring it in focus, I thought it would work. It didn't.
This is the last line I executed in all of my attempts, which, without an exception, kept raising ElementNotInteractableException error:
elem_username.send_keys('blahblahblah')
Requirements
The Q&As on this site would, of course, be excellent, if I had a bit more experience. For instance, there are several answers demonstrating explicit wait, but most of them were aimed at solving the OP's problem, and hence they included only the relevant parts of code. It was tough for me to understand them.
I want to solve this problem (logging into the site), but I also want to learn working with selenium properly. I haven't worked with it earlier in any other languages such as Java. The official documentation is good, but I couldn't solve this problem using that. So I want a more beginner-friendly tutorial.
This worked for me:
# Force the element to be displayed (noticed style.display = "none")
# Yes, I know you can see it, but selenium thinks it's not displayed.
driver.execute_script('document.getElementsByName("txt_username")[0].style.display="block"')
elem_username.send_keys('your name')
So you've outlined everything well and you seem to have a good understanding of it. The trick is to click the second input first, then send keys to the first input since it is then focused. (I did find that clicking the containing td also worked for Chrome, but browsers are different in that aspect and the intent of this page is that you click on the second input). A simple solution is as follows:
real, readonly = driver.find_elements_by_css_selector("input[onfocus*='SetEnd']")
readonly.click()
real.send_keys('hi')
If you have any questions about that, I can try to help.
I ran in the following problem while implementing show/hide of a div in my html.
This show/hide is governed by a variable say id, which I am storing and retrieving using session objects (using sessionAware in Struts 2).
My problem is following, even though I see that id variable is properly set in Java end, it is not working in JavaScript part.
On introducing the alerts around the reading of id variable is script, this works fine.
Can someone help me how to get rid of this problem?
Thanks in Advance!
It look like data load issue.
I assume like when you check for the value data is not loaded, and the check fails.
When you put an alert into it, the page pauses on alert, during that time the data loads and then you get it correctly then.
It is only an assumption based on what you provided.
Please provide some sample code or snipets.
There are a few functions that stop the code from running when they are called. This are called synchronous functions causing a pause in the code until you click OK. alert() is synchronous and so is prompt().
Till that time your data may be loaded, It my just opinion on the base of desc given.
regards,
I've run this code:
Xrm.Page.data.entity.attributes.get("subject").setValue("Beep");;
alert(Xrm.Page.ui.controls.get("subject").setDisabled);
Xrm.Page.ui.controls.get("subject").setDisabled(true);
As expected, I get the text Beep into the field. As expected, the alert tells me the contents of the method (and as far I can tell, they're doing what they're supposed to).
However, the Control itself doesn't get disabled. What am I doing wrong?
I believe that I saw one example of different approach (something more between get and setDisabled but after a few hours of googling, I'm starting to conclude that I must've been halucinating or wish-thinking.
Your code is correct, so it should be working. The syntax used by #Daryl is correct to. Those two lines are equivalent. The shorter one is just syntactic sugar shortening the other. So, you should use his.
Xrm.Page.ui.controls.get("subject").setDisabled(true);
Xrm.Page.getControl("subject).setDisabled(true);
If you're alerting out and getting the contents of the method, it means that you're hitting the right component and the correct method. Yet, so say that despite the call, the control doesn't get disabled. I think you're wrong.
Here's what I think happens. The control gets disabled, then, before you have time to notice it, the form get updated, rendering away your disable operation.
Keep in mind that unlike the field data, the property of being disabled doesn't get stored to the database. If you design a field as protected, it'll stay that way. But if you set such a property from the JavaScript code on the client-side, the appearance is only going to last until a reload of the page is performed.
So, if you need to keep the fields disabled, either make them so from the GUI designer or fire an onLoad method doing it for you.
I use the getControl function and it works fine. should be in the form:
Xrm.Page.getControl(controlId).setDisabled(disabled);
And remember, disabled controls will not be updated unless you set the submit mode to "always".
So I have looked through most of the facebook questions here and it has absolutely confirmed my thoughts. Facebook development may be among some of the worst I've ever used. I'll avoid my rant for now, but as a note to where I'm coming from: tried php sdk, worked decently out of the box, found out I need to put the functionality on a pages tab, can't iframe on pages tab, have to use FBML (which they are retiring in two months, yet I can't start testing the iframe approach yet)
Anyway, I run into FBJS at this point. It works "good enough" for most things, but for some reason I can't get an event registered to an object (a select box in particular interest) by adding a listener (as per FBJS documentation). I am able to add it directly to the html object and have it work, but this is not desirable and I would really like to know what I consider the proper way to do it, which involves seperation of logic and display.
What I want to happen: click on the select box, make a selection, display the text of the selection in an empty div (later on adding Ajax but one step at a time here)
Code:
<script>
var obj = document.getElementById('select-id');
obj.addEventListener('onchange',my_func);
function my_func(evt){
var inner = document.getElementById('div-id');
inner.setTextValue('hey'); // for testing purposes
}
</script>
The above code doesn't do anything when I make a change to the select box. However, this behaves as planned:
<select name="find_state" id="find_state" onchange="my_func();">
I will be grudgingly using this method as I develop, but would really love to know what I might be doing wrong or if anyone else has this issue? And if anyone has any opinions on the matter I would love to know of some form of facebook development recommendations as applications, pages, and tabs all appear to behave totally different from eachother, yet it seems that they all should be doing the same thing to me? Is there any unified way to develop across all three of these things, or am I missing something?
Thanks in advance, as well as for the past help!
I think it should be:
obj.addEventListener('change',my_func);
(instead of onchange)
Straight from Facebook documentation:
The third parameter [to addEventListener], boolean useCapture is required (it does not have a default value)
That means that you should have:
obj.addEventListener('change', my_func, false);
Use the following html and your events attached with .addEventListener() start to work. This seems to be undocumented "feature".
<select name="find_state" id="find_state" onmousedown="return true;">
This also enables the event to fire first time the user changes the value of select. Otherwise it would fire only on second onchange event.
When I use AJAX for part of my page, such as a commentbox, in the reloaded box no JavaScript works. e.g. like cutetime or whatever. So I guess I have to reload the cutetime command (in every reload of the commentbox)
It works, but I think I have the cutetime command twice. If I have a confirm box or anything other, I get the confirm box or the add command twice.
I'll try to describe it in one sentence:
I need a way to get JavaScript working in a reloaded AJAX-Box.
P.S.: I think there is a very easy way because everybody uses it :)
If you replace an element anything attached to it is lost.
When using jQuery, you can avoid this issue by using live events. However, this doesn't work for plugins where you don't attach events. In that case you need to call whatever function enables something on your element again when replacing it.