When we had done security audit of our project, we got broken Link "/a" vulnerability.
After searching for link throughout project we found link in JQuery-1.9.js java-script file that we are using in our project.
small part of code in that JQuery-1.9.js -
// Make sure that URLs aren't manipulated
// (IE normalizes it by default)
hrefNormalized: a.getAttribute("href") === "/a",
As per my understanding this code part helps for making it(JQuery) compatible with IE 6/7/8.
hrefNormalized is used to check that anchor tag is giving href value as full URL or exact href , which is issue in IE version.
The better explanation of this part is given in
https://www.inkling.com/read/jquery-cookbook-cody-lindley-1st/chapter-4/recipe-4-1
I want to remove this vulnerability but i don't want to remove or change code in JQuery js file.
So, My question is why did not JQuery designers used "/#" instead of "/a" .What is the problem of using "/#" in that code.
Earlier same question is asked by someone to JQuery Team,but they told that it not the problem from Jquery.
For reference of that ticket
http://bugs.jquery.com/ticket/10149
Help me to solve Or Is there another solution?
Thank you
This is not a vulnerability but a false positive. The security scanner interprets the "/a" string as a link, which it is not.
Even if jQuery creates the link in the DOM, it's not clickable or visible to the user. Your website does not actually have a real link to /a anywhere.
I would ignore the problem without changing anything.
Maybe, if you want this hrefNormalized: a.getAttribute("href") === "/a", to be transformed into this hrefNormalized: a.getAttribute("href") === "/#", but you don't want to touch the jQuery file.
Put that second one in a script in a an order so that the browser reads your script after reading the jQuery file, so it mashes.
Anyway, I never had issues with jQuery before, check your code first.
If you don't want to have your views with scripts, put it in a js file and link this file to your view after the jQuery file.
Hope it helped you, or at least gave you some ideas to solve your problem. Good luck, let us know how it goes! ;)
EDIT:
<script src="~/JQuery/jquery-2.0.3.js"></script>
<script src="~/Scripts/Fix.js"></script>
If you do something like this, the browser reads first the jQuery, then it reads the Fix.js. Inside the Fix.js, you put the function or paramater you want to change from the jQuery.
So the Browser will get the latest one it reads if they are equal.
For example:
function whatever (){ //This in jQuery file
//things #1
}
function whatever (){ //This in Fix file
//Different things #2
}
This way the browser chooses the Fix.js one, because was the last he read.
Related
I have a plug-in that I made for CKEditor. It works perfectly. I needed another one very similar to it, so I copied/pasted/renamed everything. Then I changed the icon out to something else... same dimensions (16x16), etc. I've gone through it several times to be sure everything is named properly... casing, etc.
But after clearing my cache and reloading the page, the new icon never appears. I've tried several icons, including just re-using the other plug-in's exactly. It never appears. Not even a "blank" appears (which happened during development of the last one).
The docs are pretty worthless in that respect, so I don't know what to do. It seems like this should be a simple fix. I hope it is. Here's the plugin.js:
CKEDITOR.plugins.add('attachfile',{
icons:'attachfile',
init:function(editor){
editor.addCommand('attachfile',new CKEDITOR.dialogCommand('attachfileDialog'));
editor.ui.addButton('attachfile',{
label:'Attach File',
command:'attachFile',
toolbar:'insert'
});
CKEDITOR.dialog.add('attachfileDialog',this.path + 'dialogs/attachfile.js');
}
});
Any ideas? Thanks!!
Yep, it was something simple. I had failed to enter the plug-in name into the "extraPlugins" line in the config.js.
You should use:
CKEDITOR.timestamp='SOMEVALUE';
This is what CKEDITOR uses to control caching of files, so every time you change something you need to give this a new timestamp. If you dont, it will continue to make your browser use cached files.
The problem you might have is that CKEDITOR still loads its old files before it reads your timestamp value. So you must set this before CKEDITOR loads its files. You can try to sett it as the first thing to happen after the ckeditor.js is included. Setting it in the config file, can in some cases be to late, because at that time, many files are already loaded.
<script type="text/javascript" src="/g_adminlib/ckeditor/ckeditor.js"></script>
<script type="text/javascript" >
CKEDITOR.timestamp = 'something_random';
</script>
I would like to use Scratchblocks (a tool for rendering visual Scratch code blocks from a text listing, on GitHub) on my Squarespace website. The problem I am getting is that the scratchblocks are never rendered on the first load - but only after a refresh.
This is in the header (set in the header for that particular blog):
<script src="https://scratchblocks.github.io/js/scratchblocks-v3.1-min.js""></script>
Then I think I need to call this function at the end of the page - I've put it in the footer:
scratchblocks.renderMatching('pre.blocks');
NOTE: When I view the source I sort of see this JavaScript twice at the end of the page. Not sure what is happening there.
Here's an example of it on my website, where it renders the scratchblocks only after a refresh. [UPDATE - following the fix provided below, this now renders first time, every time as far as I can tell.]
[http://www.glennbroadway.com/coding-zone/2017/4/6/simple-collisions-in-scratch]2
Here's an example of someone else using it and it working properly. I've inspected the source and I can't work out how they are doing it.
https://codeclubprojects.org/en-GB/scratch/memory/
I've also tried all the different methods listed elsewhere on stackoverflow for getting javascript to load only after the HTML has finished. I can't get any of them to work - but I think the problem is something to do with Squarespace, I just don't have the knowledge to work out what.
Any help would be greatly appreciated.
In Squarespace, when your custom Javascript only works after a page refresh, it most likely has to do with Squarespace's AJAX loading:
Occasionally, Ajax may conflict with embedded custom code or anchor
links. Ajax can also interfere with site analytics, logging hits on
the first page only.
You may be able to disable AJAX for your template. Or, see the other approaches outlined here: https://stackoverflow.com/a/42604055/5338581 including:
window.addEventListener("mercury:load", function(){
// do stuff
});
In addition, I would generally recommend placing custom code in the "Footer" code injection area unless you have a specific reason to do otherwise.
This is the screenshot of my html page. this commented area is my issue.
Your problem starts with a couple of error's :)
Your Javascript crashes because it looks for a function that doesn't exist "$(...).fancybox()". This means that either you didn't include the fancybox library or that the file where you call in the function fancybox is loaded before the fancybox library is loaded in.
Next problem is that the images that are used in your slider (I assume). Do no longer exist. Try clicking them in the console to see if you can access them in the browser.
Last but not least. You tagged your question as "java". Javascript and java are not the same thing. Your problem involves javascript. Might want to change that tag next time so you can get anwsered faster.
I Hope this helped a bit :)
Good luck!
I'm working on a drupal module (irrelevant) and I'd like to recreate a javascript/jQuery event. If I use chrome and go to event listeners I see the jQuery script is called on line 57, however this doesn't really help as:
The script is minified and unreadable
I'd like to know what line of
the jQuery using scripts called the event (what selector and what
body of it's function), not the jQuery script itself
It's not easy to find the file by just
searching for fit selectors as there are 100's of loaded javascripts
files thanks to drupal and it's installed modules.
The reason is that I'd like to recreate this (ajax probably) call:
So does anyone know of a trick like a chrome plugin or something? It could shave a lot of time for me.
If you are setting a correct breakpoint then you should be getting a Call Stack on the Source Tab, on the right hand side. There you should be able to track down the file which initiated the call.
And as they say, a picture speaks a thousand words..
And to further elaborate on your question,
It is always advisable to use an uncompressed jQuery.js (Or for that matter any .js) during the development, as you might have already figured out.
Steps for someone new.
Inside the compressed file just get the version no.
Download the respective uncompressed version of the jquery from the official website.
If you don't want to change the code just rename the uncompressed file to jQuery.min.js or whatever is currently being loaded, so It will work as a drop in replacement.
Try chrome devtools, for example:
Sources -> Event Listener Breakpoints (to the right) -> Mouse -> click
Im looking for a very general method of providing an alternative site to a Javascript heavy site (a link going to the old static site).
My current implementation is:
//<Some JS/HTML>
$(document).ready(function() {
//<Some JS Code>
$('#error').attr('style','display: none;');
});
//<Some html>
<div id="error">
<span>If you can see this, that means something went very very wrong. Click Here to use the old portal. Please contact some#email.com with this error and provide as much information as possible, thank you :) </span>
</div>
My current problem is that this is visible while the site is loading :(. Is there a better method?
I know i can try and add lots of trys and catchs (theres already several), but the problem is the primary clients are going to be using a mixture of clients between. FF2-FF3, all version in between, and IE5-IE6. The IE5 im just placing a messagebox and redirection if they try to load the site, im not even going to try and make that compatible.
And these old browsers just are not compatible with certain things.... I know i could add in an .onerror, but FF didn't add compatibility until FF6 which is to new for most of the clients. (although strangely, IE5.5 has it)
NOTE: Im just jQuery 1.7.1
The basic flow of the current operation is just when it finishes loading the initial javascript it hides the div.
You can use mainly CSS with a JS helper for this.
Put this JS code as close to the top of the document as you dare, preferibly after the charset declaration. You will need to include jQuery before this line or you can use standard JS (document.getElementByID('html-tag').className='js';, this assumes you've given the html tag an id of html-tag):
$('html').addClass('js');
Then you can write your CSS to take into account the fact that JS may or may not be available:
#error {
display : block;/*if no JavaScript is available then show this element*/
}
.js #error {
display : none;/*if JavaScript is available then hide this element*/
}
Here is a demo: http://jsfiddle.net/x4tjL/ (JSFiddle seems to be having problems right now, here is a JSBin: http://jsbin.com/ahezuc/edit#preview)
Update
Putting the JavaScript code as near the top of the document and not wrapping the code in a document.ready event handler allows you to minimize the "flash" of content that is common when trying to hide/show content based on JS.
A simple solution would be to detect all incompatible browsers and show the message to upgrade their browser or to redirect to non js site, something like:
for IE5 and 6
if ($.browser.msie && $.browser.version <= 6){
//show my message here
}