Redirecting Classic ASP based on document.referrer - javascript

I'm trying to redirect the parent window after the pop up is closed. Not a problem, but on one of the pages that calls the pop up, when it redirects it outputs the page into a table.
I know it's just my company's horrible design, but to get rid of the bug I thought about just not redirecting IF you're on the problem page.
So, I went ahead and parsed the document.referrer variable and then just have redirect IF the string matches mine. Easy enough right? Nope, syntax is pretty solid, it just doesn't redirect...
<script language="javascript">
var prevPageName = ''
function getPageName()
{
prevPageName = (document.referrer.split('://')[1]).split('/')[2]);
}
function determineRedirect()
{
if(prevPageName === "mysalestasks.asp")
window.opener.document.location.href = "/dashboard";
}
</script>

Related

How to redirect page when javascript return is true?

NOTICE: Not duplicate. The answer given there doesn't work.
I want to warn a user on page reload after filling a form data with a message and then redirect them to the main page. To do so, I am using window.onbeforeunload function. I want to know what if I want to redirect the user after return is true. I know after return any method is unreachable. But, I want an option.
Here is my JavaScript:
<script>
window.onbeforeunload = function() {
return true;
}
</script>
This isn't possible because this would be a pretty big security issue if you could guess or intercept the URL the user is going to (phishing hole) or a UX problem.
You type in a URL, hit enter, get a warning about leaving the page, and all of a sudden you're on some random website or you can't leave, it just keeps bringing you back.
You can try simply this to see it doesn't work even if it's the only thing it tries to do.
window.onbeforeunload = function() {
window.location = 'https://google.com'
}

Conceal URL in javascript code ( URL generated by PHP )

I am looking for a solution to the following:
I have a piece of JS code, that performs a redirection to a URL that is constructed with PHP, and that redirection is only done when the user presses a button on a confirmation dialog.
The code is, as follows:
function one() {
window.location.replace("<?php
if($new_redir == "1") {
echo "$new_second_redirect_URL/?token=$hash";
}
else {
echo "$second_redirect_URL/?token=$hash";
}
?>");
}
It works perfectly fine. What I wanna do is conceal the URL that is displayed in the source code when a user opens the page.
What would be the best way to do that?
You're thinking too much into this to be honest.
If they want to avoid the confirmation screen and get the URL from the source, there's not really much you could do.
The best really is possibly performing an AJAX request on confirmation and getting a CSRF token based URL from the response and using that, but that could end up being overkill as well.
You could also make it into an actual <form></form> form with a few hidden fields (again, such as a CSRF token), and perform the post validation onclick. If it is a success - redirect them.
UPDATE:
Use robots.txt to stop bots
Build the QS with JS to stop most bots, something like:
var csrftoken='XJIWHEOU324uipHFOFUHR';
var url="http://url.com/page.php?token=";
url=url+csrftoken;
What you could also do, is something like us actually, although for your use case it could be too much.
Log every single page load into the DB, and check if they're a first time visitor to the page after confirmation.
AJAX call (jQuery example):
$.post( "url_to_backend_page_to_get_url", {hasSubmittedForm:"true"}, function( data ) {
window.location.href = data;
});
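
The server-side check the answer above points to, as an added example (not code from the original posts): the URL can stay visible in the page source when the token in it is signed, bound to the visitor's session, short-lived and single-use, so copying it out of the source gains nothing. `SECRET`, `sessionId`, `usedTokens` and the `shop.example` URL in the usage comment are assumptions made for illustration, and Node.js stands in for the PHP backend.

```javascript
const nodeCrypto = require('node:crypto');

// Assumptions (not from the page): SECRET is a key that never leaves the server,
// sessionId comes from the server-side session, usedTokens stands in for a DB table.
const SECRET = nodeCrypto.randomBytes(32);
const TTL_MS = 60 * 1000;          // token lifetime
const usedTokens = new Set();      // nonces that were already redeemed

function sign(payload) {
  return nodeCrypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Called by the AJAX endpoint once the user has confirmed; returns the redirect URL.
function issueRedirectUrl(baseUrl, sessionId, now = Date.now()) {
  const expires = now + TTL_MS;
  const nonce = nodeCrypto.randomBytes(16).toString('base64url');
  const mac = sign(`${sessionId}.${expires}.${nonce}`);
  const url = new URL(baseUrl);
  url.searchParams.set('token', `${expires}.${nonce}.${mac}`);
  return url.toString();
}

// Called by the redirect target. The session id is read from the server-side
// session, never from the request, so a token copied into another session fails.
function verifyToken(token, sessionId, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return 'malformed';
  const [expires, nonce, mac] = parts;
  const expected = Buffer.from(sign(`${sessionId}.${expires}.${nonce}`));
  const given = Buffer.from(mac);
  // Constant-time comparison; check the signature before trusting any field.
  if (given.length !== expected.length ||
      !nodeCrypto.timingSafeEqual(given, expected)) return 'bad-signature';
  if (Number(expires) < now) return 'expired';
  if (usedTokens.has(nonce)) return 'replayed';
  usedTokens.add(nonce);
  return 'ok';
}

// Usage (constructed values):
//   const url = issueRedirectUrl('https://shop.example/next', 'sess-A');
//   verifyToken(new URL(url).searchParams.get('token'), 'sess-A');
```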

On page load redirect to the same page with querystring

Hi, so I am getting a cookie passed in from another website which brings in some data I need to put in the query string. I know how to put it in the query string, that's not my question.
My question is what jQuery function can I use on page load which will redirect to the query string. Now I don't want the page to load twice, I want this to happen and look like it has only loaded once. I have tried to use a .one jQuery but that's not needed anymore as the if statement will validate if the query string needs to change. Also that function is not working correctly anyway.
$(document).one('load', function() {
if (window.location.pathname == '/items.aspx'){
window.location.replace("items.aspx?item1=a80af972-4f78-de11");
}
});
Any ideas would be great.
Thanks
You could use window.location.href = "items.aspx?item1=a80af972-4f78-de11" but that will also reload the page. Depending on your user's internet connection it could seem like one page load.
Another thing worth noting: You are waiting for $(document).on("load") which gets fired when the page is loaded which is exactly what you don't want.
Try this for speed increase:
$(document).ready(function() {
if (window.location.pathname == '/items.aspx'){
window.location.href = "items.aspx?item1=a80af972-4f78-de11";
}
});
Still - this is a thing to do on the server side. Something in the backend like "if item1 is undefined load item a80af972-4f78-de11" would be best.

What does this script do? Is it malicious?

So I received an obvious phishing email today with this JS code in it:
<script type="text/javascript" language="Javascript1.1">
<!-- Begin
var bCancel = false;
function validateRegistrationDetails(form) {
hmrc.portal.clearFieldValidationErrors(form);
if (bCancel) {
return true;
} else {
var registrationDetailsPageMessage = new String("<p>ERROR: This page contains one or more errors. See details below.</p>")
var formValidationResult;
formValidationResult = validateRequired(form) & validateMask(form) & validateIdenticalEmailAddresses(form);
if (!formValidationResult){
var formName=form.name;
var ele=document.getElementById('pageError.registrationDetails');
if(ele){
ele.innerHTML = registrationDetailsPageMessage;
ele.style.display = ''; }
}
return (formValidationResult == 1);
}
}
function registrationDetails_required () {
this.a0 = new Array("selectedServices", "<p>ERROR: Please select at least one online service.</p>", new Function ("varName", " return this[varName];"));
}
function registrationDetails_mask () {
}
function registrationDetails_identicalEmailAddresses () {
}
//End -->
</script>
Is it malicious in any way? What exactly does it do with the form data? I am not that versed in vanilla JavaScript. Any explanation would be helpful.
Thanks
In all likelihood, whoever sent you this simply lifted a section of HTML and inline JavaScript from the site they were trying to pretend to be. A few lines in the code such as:
hmrc.portal.clearFieldValidationErrors(form);
suggest that they were trying to be HMRC, with the rest of the code being simple validation of the information being entered; I'm going to guess that the content was taken from the 'Registration' section of that site.
So you've already established that it's a phishing email.
Typically phishing emails try to make themselves look legitimate by copying large chunks of code from the original website that they're trying to pretend to be (ie your bank's site or whatever). They'll then alter that code so that it sends the relevant data to the phisher rather than to the bank. They may also add fields that weren't in the original, such as asking for your PIN, etc.
However, the main point here is that the bulk of the original code is generally retained, in order to maintain the look and feel of the original site.
Therefore the chances are that the code you're seeing has actually been copied by the phishers from the original site.
There's nothing explicitly malicious about this code in itself -- it has a lot of badly written code, but it isn't trying to do anything wrong in this code.
Where the problem lies for the phishers here is that JavaScript code is blocked by most email clients; i.e. regardless of its intent, the chances are that this code won't actually work in your mail client.
But I would guess that the phishers have just taken the original form wholesale from the website and dumped it into an email without bothering to take out any javascript that might have been embedded in it.
So the short answer is: Don't worry about this code in particular, but please do delete the email.
As far as I can see, there's nothing malicious with it, unless some script has been included outside of this script itself.

Javascript if document.referrer redirect to another URL

We are having issues getting the document.referrer url in our Javascript. We have a store and we want to prevent people from going from our shopping cart to a specific page. Meaning if they go from the shopping cart, hit the back button on the browser and the page before the shopping cart was a specific URL they need to skip that URL and we need to redirect to another page.
We want to specify the URL for the product/page to skip if the referring URL is the shopping cart.
I have tried doing this but seems not to work. Seems to fire on every single page not just the . I have it in the head of our Root.master page. Here is my code.
$(document).ready(function () {
var pathname = window.location.pathname;
if (pathname = "http://www.mywebstore.com/Page-we-want-to-skip-over.aspx") {
if (document.referrer = "http://www.mywebstore.com/ShoppingCart.aspx") {
window.location = 'http://www.mywebstore.com/Page-we-want-to-go-to-instead.aspx'
}
}
});
Or we would like to skip back 2 pages. So we tried this too but it still fires on every single page, not just the page we want to prevent the back button action to.
$(document).ready(function () {
var pathname = window.location.pathname;
if (pathname = "http://www.mywebstore.com/Page-we-want-to-skip-over.aspx") {
if (document.referrer = "http://www.mywebstore.com/ShoppingCart.aspx") {
window.history.back(-2);
}
}
});
Again both of these solutions look correct but they are not working.
Any help is greatly appreciated.
Thanks in advance.
You are using assignment instead of equality.
Change = to == in your tests.
Using the back button doesn't change the referer in the way you want. e.g. a page sequence like:
A -> B -> C (backbutton) -> B
does not send 'C' as the referer when the user comes "back" to page B. The referer will be page A. Referers are set for 'forward' actions only, not 'back' actions.
Also, window.location.pathname does not include the domain. So it should be:
if (pathname == "/Page-we-want-to-skip-over.aspx")
See the MDC documentation on window.location.
You should also keep in mind that the referrer is unreliable. Some browsers or firewalls block it, and it can be forged.
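
The points made in the answers above (compare with `==`/`===`, `pathname` carries no domain, the referrer may be missing or forged), together with the referrer parsing from the first question on this page, as one added example that is not code from the original posts. `SITE_ORIGIN` and the page names are placeholders taken from the questions' sample URLs, and case-insensitive path matching is an assumption about the web server; the result is a convenience decision only, never an access check, and it still cannot detect back-button navigation.

```javascript
// Placeholder origin from the question's sample URLs (assumption, not a real site).
const SITE_ORIGIN = 'http://www.mywebstore.com';

// Parse a referrer defensively. document.referrer is '' when the browser, a proxy
// or a Referrer-Policy strips it, and otherwise it is text the visitor controls.
function parseReferrer(referrer) {
  if (typeof referrer !== 'string' || referrer === '') return null;
  try {
    const u = new URL(referrer);
    return (u.protocol === 'http:' || u.protocol === 'https:') ? u : null;
  } catch (e) {
    return null; // not an absolute URL
  }
}

// Last path segment, lower-cased, e.g. 'mysalestasks.asp'. Query string and
// fragment are excluded because URL.pathname never contains them.
function pageName(url) {
  const segments = url.pathname.split('/').filter(Boolean);
  return segments.length ? segments[segments.length - 1].toLowerCase() : '';
}

// True only when the current page is skipPath AND the referrer is fromPage on our
// own origin. A missing, malformed or foreign referrer yields false ("do nothing").
function shouldRedirect(currentHref, referrer, skipPath, fromPage) {
  const here = new URL(currentHref);
  // pathname is '/Page.aspx', not 'http://host/Page.aspx'
  if (here.pathname.toLowerCase() !== skipPath.toLowerCase()) return false;
  const ref = parseReferrer(referrer);
  // Compare the whole origin so 'www.mywebstore.com.other.example' does not match.
  if (!ref || ref.origin !== SITE_ORIGIN) return false;
  return pageName(ref) === fromPage.toLowerCase();
}

// In the page (browser only):
//   if (shouldRedirect(location.href, document.referrer,
//                      '/Page-we-want-to-skip-over.aspx', 'ShoppingCart.aspx')) {
//     location.replace('/Page-we-want-to-go-to-instead.aspx');
//   }
```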
