How do I get the actual text content of a .php file using javascript without executing it on the server?
Also, I would like to know if there is a way to read the text content of any other file other than .php using javascript.
If you are using a webserver like Apache or Nginx then they will execute the .php file for you. There is no way around this because you shouldn't allow anyone to download your php source code, which is what you're trying to do with Javascript.
If your javascript needs some output then have your .php render the data javascript needs. Then loading this content via Javascript can be as simple as an ajax call, e.g.: http://api.jquery.com/jquery.ajax/
I realize this is a very very old question. But it has a very simple solution, without re-configuring the php server, assuming:
One wants to look at a few files, either permanently or during short time periods during development.
It is not a security problem if it is viewed by others on the local net or wan, wherever you also view this. (This risk can also be minimized, see the end.)
Your server is already configured to serve .txt files as plain text.
Say the file of interest is x.php,
make a symbolic link, with a text file extension
ln -s x.php newname.txt
Now you can view the file at the same site as newname.txt.
Minimizing security risk. If your server is already configured to not allow directory browsing, then by making the newname somewhat long, it is less likely anybody else will easily find the name to view it.
I'm not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way.
Let's assume I'm an idiot (and I'm not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server in a subfolder (let's call it 'danger') of my ASP.NET application, hosted on IIS.
Being that way, anybody can upload a generic example.html file and access it back at the url mydomain.com/danger/example.html. They can also upload JS files and whatever they want.
Let's forget for a moment the fact they can fill my disk.
Given I prevented ASP execution from files in that folder, what kind of damage can I be subjected to?
Thanks in advance.
Just off the top of my head:
An attacker could upload a corrupted file which would trigger a remote-code execution vulnerability in your antivirus, potentially executing code under the local system account. (I've seen this happen with Windows Defender, and I've seen reports of similar vulnerabilities in other AV products.)
They could upload a file with a mangled name which exploited a bug in IIS to bypass your file-type checks and the "no execute" flag on the folder. (I've seen this reported, albeit in a very old version of IIS.)
If the files can be accessed publicly, they could host their own content on your site, potentially including illegal or malicious content. This could damage your site's reputation, and potentially leave you liable to prosecution.
Well, yes, you do have to be careful IF YOU allow any kind of preview, or say allow the person to download the file, but when you download, you also attempt some kind of preview on the server.
In fact, this is not a lot different from dropping a simple text box into a form, and then letting the user type information into that text box; you then say hit the submit button, and now re-display the page with what they just typed in.
What happens if they start typing in javascript text into that text box?
Say a multi-line text box in which you can type in a paragraph of comments or text.
So, you type in this:
Hello how are you
<script>
JavaScript code here
</script>
Now, when you go to re-plot the page, not only are you re-displaying what was typed in, but the script code typed in ALSO will run!
In fact, if you drop a text box on a web page, and do this:
Hello, how <script> are you
You notice you get a page execution error (because asp.net has built-in protection to NOT allow this). However, if you adopt some html editor text box (CKEditor, or the AjaxToolkit editor), such controls will have additional security code to prevent end users from typing in script code.
So, a few things you have to be concerned about:
If you allow up-loading of files, then ensure that you don't have code that attempts to load/execute that file. So, you might allow users to up-load pdf files, and then maybe a routine that attempts to "open" or use that file. But what happens if in place of a pdf file they up-load a MyTest.exe? In other words, they up-load an executable program in place of a pdf? Well, then you're mostly ok, but you BETTER NOT have code that attempts to load such files - especially code behind that may use some library or code that in effect launches that pdf or word or exec file. Since that code then might try to load or run what is now a .exe program.
So, this means a few things:
You want to limit the file extensions allowed
You need to ensure that your code does not "execute" that up-load file
If you allow download of that file, then careful how you do this
(again, ensure that you don't open up the possibility to execute that file).
So, for the most part you should be ok, but if up-loaded files are further processed by your server side code, then just be aware of HOW you open or process such up-loaded files.
As noted, say users up-load a simple text file, and after up-loading you take the text from that file, and then display it in some kind of memo or text box in a web page. But, again, are you sure it is just text in that file? You pull the content from that file and THEN have it render in your browser (because you assumed text), but it now might have browser code injected into that text file.
So, any point in your server side code that opens up-loaded files, pulls the content and THEN say spits out that content for display of data is a caution area.
So, the first simple line of defense?
Limit the types of files. If users are expected to upload only PDF files then ONLY allow say PDF and maybe .zip file extensions - reject anything else.
And as noted, just keep in mind any kind of post-processing code you have that runs AFTER up-loading that file. If your site is taking such up-loaded files, and is to open up the file(s), AND THEN DISPLAY that content back to the end user, then again caution is required, since when you display such content in a browser, that content in theory can have script code - and like anything else your code spits out to the browser (like a web page with HTML etc.) also means that the browser will run that script code.
I mean, a browser simply takes whatever the server sends to that browser, and renders the HTML. However, these days, browsers have MUCH more ability to also run code in that browser. So, that's why now you can say run cool games 100% in a browser, since browsers have become VERY powerful systems, and almost their own computer system in their own right. So, the ability of browsers to run code and give an experience that rivals the desktop in terms of speed and response (and even interactive games) is the result of browsers now being able to run code and do much MORE than just display some simple HTML.
So, under no case should you allow up-loading of files, and then have some software that can "run" or even pull contents of that file and spit it out back to the user in the form of browser display. And the reason is that file content may well have executable code in that file contents.
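The two defenses this answer keeps coming back to (an extension allow-list, and never echoing uploaded file contents into a page unencoded), as an added example in plain JavaScript that is not part of the answer or of any ASP.NET code; the "danger" folder, the PDF/ZIP allow-list and the sample file names are constructed for the demo.

```javascript
// Added example (not from the original answer): server-side checks for an
// upload folder, written in plain JavaScript so they run under Node.
// The ASP.NET/IIS handler the answer describes is assumed, not shown.

// Allow-list of extensions the site expects (the answer suggests PDF and ZIP).
const ALLOWED_EXTENSIONS = new Set(['.pdf', '.zip']);

// Decide whether an uploaded file name may be stored. Only the final extension
// counts and it is compared case-insensitively; names carrying path separators
// or NUL bytes are refused, as are names ending in a dot or space, because
// Windows drops those when the file is created ("evil.exe." becomes "evil.exe").
function isAllowedUpload(fileName, allowed = ALLOWED_EXTENSIONS) {
  if (typeof fileName !== 'string' || fileName.length === 0) return false;
  if (/[\/\\\0]/.test(fileName)) return false;   // no directories, no NUL
  if (/[. ]$/.test(fileName)) return false;       // no trailing dot or space
  const dot = fileName.lastIndexOf('.');
  if (dot <= 0) return false;                     // no extension, or a dotfile
  const ext = fileName.slice(dot).toLowerCase();
  return allowed.has(ext);
}

// Encode text pulled out of an uploaded file before it is written into a page,
// so "<script>" inside the file reaches the browser as literal characters.
function escapeHtml(text) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(text).replace(/[&<>"']/g, (ch) => map[ch]);
}

// Build the HTML fragment that redisplays an uploaded text file's contents.
function renderUploadedText(fileText) {
  return '<pre>' + escapeHtml(fileText) + '</pre>';
}

// Constructed demo input: what a user might name their upload.
for (const name of ['report.pdf', 'MyTest.exe', 'report.pdf.exe', '..\\web.config']) {
  console.log(name, '->', isAllowedUpload(name) ? 'accepted' : 'rejected');
}
console.log(renderUploadedText('Hello, how <script>alert(1)</script> are you'));
```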
I'm trying to link this page http://www.bauer.uh.edu/parks/f1471m.htm to my text editor (TextMate) with a mac.
I even copied the code and pasted it into an HTML file, and made a .js file (the one I'm trying to use to practice with) in the same folder and to use the local tag with no success.
I tried using src="http://www.bauer.uh.edu/parks/f1471m.htm" with no luck.
Am I doing something wrong?
I'm making a few assumptions here...
From what you're describing, I think you're trying to directly edit the file. Unless you have write access on that server, what you're doing isn't going to work. Some web development software will allow you to do this, but most text editors don't.
Can you work on the file locally (on your computer's file system) and upload it to the server through FTP?
Many browsers give you the ability to save a page locally these days. That would set up the proper structure for you on your own machine. (Firefox can do this using Save Page.)
I am working on project for desktop application. I am using Qt controls with visual c++.
I am loading an html file in the QWebView as,
m_pWebView->load(QUrl("../../../demo/index_Splash_Screen.html"));
Now, what I want is, say, I have some .zip files in my location "c:\demo", I want a list (or array of file names) of the files present in that directory.
How can I do this through javascript?
PS: I went through this link, but it didn't match my requirement. I have not worked with HTML, javascript or jquery. Please help me.
I'm afraid you cannot access local files or directories using javascript due to security issues.
Edit: I hadn't thought about the file api so thought for a moment this might not be true, but without some user input to give permission, this still cannot be done.
This question has a good response from PhilNicholas:
I'm afraid I may be the bearer of bad news for your design: The action you are requesting expressly violates the security model as specified in the File API spec. The client implementation of FileReader() must make sure that "all files that are being read by FileReader objects have first been selected by the user." (W3C File API, 13. Security Considerations: http://www.w3.org/TR/FileAPI/#security-discussion). It would be a huge security risk if browser scripts could just arbitrarily open and read any file from a path without any user interaction. No browser manufacturer would allow unfettered access to the entire file system like that.
Thinking about it however, if it is all being run locally, you could use ajax to query a server side script that could return the directory you request.
If it is a Windows application then you could access the local filesystem by using ActiveX objects. You might have a look at this link Reading a txt file from Javascript
Note that ActiveX usage is possible only when using IE as browser/engine; I used to need it a while ago for developing an HTML application (.hta files).
I'm trying to access a text file using javascript code, but I keep receiving a security error message. What I'm trying to do is:
var file = File('path/filename.txt');
The path is relative to the script location. I found that running from local machine could be the reason for that, so I tried to run from my local webserver but the error is still there. Does someone know why? What can I do to load this text file? If possible, considering that it is always under the script path, could it be also loaded from local disk (no web server)?
Thank you.
If you're trying to access a file on the server, you should do it using a server side coding language like PHP.
If you're trying to access a client file (= a file on the computer of your website visitor), it's not possible for obvious security reasons. [EDIT] Thanks to Colin DeClue, I discovered this is possible using the HTML5 File API. An article explaining this is available here: http://www.html5rocks.com/en/tutorials/file/dndfiles/
Your snippet will attempt to load the file from your local file system, so can't retrieve a file from a server. You'd need to look at requestFileSystem or FileReader to make something like this work if the file is local.
Alternatively, you could use AJAX to retrieve the file from a server.
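The user-selection rule quoted from the File API spec in the QWebView thread above, and the FileReader route this answer points to for a local file, as one added example (not code from any of the answers): the script never names a path, it only receives File objects after the user has picked them in an <input type="file">. The element ids and the 1 MiB size limit are assumptions for the demo.

```javascript
// Added example (not from the original answers): reading a file the user has
// chosen with the HTML5 File API. There is no way to open 'path/filename.txt'
// by name; the browser hands the script a File object only after a user
// picks one, which is exactly what the spec's security section requires.

const MAX_BYTES = 1024 * 1024;   // assumed limit for this demo: 1 MiB

// Returns a Promise for the file's text. File inherits from Blob, so
// file.text() works in current browsers (and on a Node Blob, for testing).
// Oversized selections are refused before anything is read.
function readSelectedFile(file, maxBytes = MAX_BYTES) {
  if (!file || typeof file.size !== 'number' || typeof file.text !== 'function') {
    return Promise.reject(new TypeError('expected a File/Blob selected by the user'));
  }
  if (file.size > maxBytes) {
    return Promise.reject(new RangeError(`file exceeds ${maxBytes} bytes`));
  }
  return file.text();
}

// Wire the reader to a file input. The result goes into textContent, not
// innerHTML, so a file containing "<script>" is shown as text, not executed.
function attachFileViewer(inputEl, outputEl) {
  inputEl.addEventListener('change', async () => {
    const file = inputEl.files[0];   // populated only by the user's choice
    if (!file) return;
    try {
      outputEl.textContent = await readSelectedFile(file);
    } catch (err) {
      outputEl.textContent = `Could not read ${file.name}: ${err.message}`;
    }
  });
}

// Browser usage (element ids assumed):
//   <input type="file" id="picker"> <pre id="view"></pre>
//   attachFileViewer(document.getElementById('picker'),
//                    document.getElementById('view'));
```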
I noticed that when I open HTML file locally by double clicking on it, it will not "run" the same as if I had it on a web server and opened it by HTTP GET request.
I need to have a local HTML file a user can open by double clicking on it. This HTML file has several JQuery load calls such as this:
$("#content").load("http://somepage.com/index.html");
I want to update several divs with content from remote sites.
This works fine if I have this file on a web server but not if I double click it under windows explorer... How can I "make" the file "run" as it would on a web server?
I think you pretty much cannot. This has to do with domain-access restrictions, which are there to avoid cross site scripting and the likes.
The files on your hard drive are especially limited - think what the life could be if they were allowed to treat your whole hard-drive as a single domain.
If you want things to work properly you need to be running a server. XAMPP is a pretty good bet as it's easy to install and set up.
Any non-AJAX javascript will work fine as is though, as long as the paths to include any css or js are relative.
You can't do this locally. You have to have it hosted somewhere for this to work. It's done this way for the sake of security.
What are you trying to do that you "need" to have this?