Unable to run script - DOM based attack - javascript

I am trying to create a DOM based attack using a html file.
The file is as follows :
<html>
<head>
<script type="text/javascript">
function fun() {
var val = document.getElementById("mytext").value;
document.getElementById("p1").innerHTML = unescape(val);
}
</script>
</head>
<body>
<p id ="p1">Empty</p>
Give input : <input id="mytext" type="text" value="abcd" >
<input type="button" id="b1" onclick="fun()" value="Change link" >
</body>
</html>
When I pass <script>alert('hello world');</script> inside the text box and click on the button the p tag doesn't run the script. What might be the possible reason? I am learning XSS for testing our website for security.

Try inserting instead. Scripts do not run when inserted into innerHTML.

Related

How to send parameters in javascript function used in HTA

I am trying to pass filepath value to publish.bat.
Can some one please help me parameterize below JavaScript.
<html>
<head>
<HTA:Application id="AppExecute"
ApplicationName="AppExecute"
WindowState="maximize">
<script language="JavaScript"><!--
function myapp(filepath){
var cmd = new ActiveXObject("WScript.Shell");
cmd.run("cmd /K CD C:\\publish & publish.bat C:\\publish\\prop\\lvl.Prop "&filepath)
}
--></script>
</head>
<body>
<font color=Blue><font size=3>Test Publisher
<br>
<Input type="text" name="filepath" title = "Do not change name of property files e.g. l2.ese">
<input type="button" value="CMD" onclick="myapp(filepath)"><br>
</form></center>
</body>
</html>
I am getting Error:
Script Error
Your code has several mistakes...
#Teemu explained some of them in the comment.
Then your buttons aren't properly enclosed within a form element. As I can see, there is only an ending tag for the form element.
After correcting that, you should change onclick event to:
onclick="myapp(this.form.filepath.value)"

How to enable button onClick functions and java script in wordpress post

I am trying to add the below codes to Wordpress, however, wordpress always gives me error 404 whenever I try to update. I'm new to coding. So would appreciate some help.
<!DOCTYPE html>
<!--
To change this license header, choose License Headers in Project Properties.
To change this template file, choose Tools | Templates
and open the template in the editor.
-->
<html>
<head>
<meta charset="UTF-8">
<title></title>
</head>
</head>
<body>
Code 1: <input type="text" id="code1">
<br>
<p id="code1ans"></p>
Code 2: <input type="text" id="code2">
<br>
<p id="code2ans"></p>
Code 3: <input type="text" id="code3">
<br>
<p id="code3ans"></p>
Code 4: <input type="text" id="code4">
<br>
<p id="code4ans"></p>
<button onclick="myFunction()">Submit</button>
<script>
function myFunction() {
var code1 = document.getElementById("code1").value;
var code2 = document.getElementById("code2").value;
var code3 = document.getElementById("code3").value;
var code4 = document.getElementById("code4").value;
document.getElementById("code1ans").innerHTML = code1;
document.getElementById("code2ans").innerHTML = code2;
document.getElementById("code3ans").innerHTML = code3;
document.getElementById("code4ans").innerHTML = code4;
}
</script>
</body>
</html>
Wordpress uses the template hierarchy, so I'm guessing you want this code to execute on a specific page or perhaps you want it to run on every page load?
Wordpress uses a system of hooks called filters and actions to run things at certain times. One of them is https://codex.wordpress.org/Plugin_API/Action_Reference/wp_enqueue_scripts which allows you to load scripts. Here you can also add code run the script only on specific pages. You should add your script here based on the documentation.
Your question doesn't appear to specify where you are putting your code.

html button disappears after onclick() event

Hello guys I am New to javascript I want to know why does the html button disappears as soon as i click it. The browser shows the text but the button disappears. here is how my html looks likes
<html>
<head>
<script type="text/javascript">
function funcname(){
document.write("<br/> <br/> <br/> some text");
}
</script>
</head>
<body>
<form>
<input type="button" name="something" value="touch me" onclick="funcname()">
</form>
</body>
</html>
The write() method writes HTML expressions or JavaScript code to a document.
The write() method is mostly used for testing: If it is used after an HTML document is fully loaded, it will delete all existing HTML.
Answer from: source
<html>
<head>
<script type="text/javascript">
function funcname()
{
document.body.innerHTML += "Some Text";
}
</script>
</head>
<body>
<form>
<input type="button" name="something" value="touch me" onclick="funcname()">
</form>
</body>
</html>
Try above code it will work fine.If you use document.write() overwritten body so should be use document.body.innerHTML .
The Document.write function overwrites the document content when called, as stated by the Mozilla Developer Network:
Note: as document.write writes to the document stream, calling document.write on a closed (loaded) document automatically calls document.open which will clear the document.
Source: https://developer.mozilla.org/en-US/docs/Web/API/Document/write
document.write() will override your whole body element. If you want to override only specific parts, you could define a target and use innerHTML to change the text.
<html>
<head>
<script type="text/javascript">
function funcname(){
document.getElementById("someParagraph").innerHTML = "Paragraph changed!";
}
</script>
</head>
<body>
<form>
<input type="button" name="something" value="touch me" onclick="funcname()">
</form>
<p id="someParagraph">Hey<p>
</body>
</html>

Working with external JavaScript functions and HTML

Thank you in advance for helping me with my issue. I was wondering if someone could explain this for me as i am self teaching about JavaScript JQuery. What i am trying to do is push a message into a variable that is in the parameters of a function. Then i want to display the message using the function by calling it back to the html file that i originally had. So i want write a message in my function and print to my html page. I think i maybe in the right direction here is my source code. I am trying to get use to write with external javascript files as i think it is much cleaner way of working with HTML, CSS3, and JavaScript.
<!DOCTYPE html>
<html lang="en">
<head>
<meta charset="utf-8">
<title></title>
<script type="text/javascript" src=".js"></script>
<link rel="stylesheet" type="text/css" href="mystyle.css">
</head>
<body>
<form>
<input type="button" value="Click me" id="message "onclick="test();" />
</form>
</body>
</html>
External JavaScript file.
function test(message){
alert("Hello");
}
Use this.value to get the value of the input
<input type="button" value="Click me" id="message" onclick="test(this.value);" />
And then use the message you get
function test(message){
alert(message);
}
To show this message on your page, create an element on the page
<div id="message"></div>
Then, in your test function, instead of alert, set the innerText or innerHTML to the message
document.getElementById('message').innerText = message;
To show message in popup do it this way
Html:
<input type="button" value="Show message in popup" id="message "onclick="test2('hii this is my message');" />
JS:
function test2(message)
{
alert(message);
}
To show message in div
Html:
<input type="button" value="Show message in div" id="message "onclick="test('hii this is my message');" />
<div id="message"> </div>
JS
function test(message)
{
document.getElementById("message").innerHTML = message;
}
Demo : Fiddle
Adding the message: The easy way to do this would be by using jQuery or a javascript library of your choice. Otherwise, you can simply do this:
Create an empty div to display the msg with an id="msg"
and in your javascript function:
document.getElementById("msg").innerHTML = "Your message";
jQuery is much more fun: you can use readily available functions like .html() and .append()
You definitely want to do this, as it is much MUCH cleaner to do so. It also lets you use the same code in multiple places.
Look at this: http://www.w3schools.com/js/js_whereto.asp
(down by 'external JavaScript')
Essentially, you need to save the .js file as an actual file, like filename.js:
<script type="text/javascript" src="filewithcode.js"></script>
where filewithcode.js is the file path to the JavaScript file you have created.
Hope this helps

get the contents of a CKEditor within an Iframe

I have the following code to display a CKEditor at http://www.wilsea.com/iframe. I can get and set the data within the html document.
<!DOCTYPE html>
<html>
<head>
<script type="text/javaScript"
src="http://ajax.googleapis.com/ajax/libs/jquery/1.10.1/jquery.min.js">
</script>
<script src="http://www.wilsea.com/ckeditor/ckeditor.js"></script>
</head>
<body>
<textarea id="editor1" name="editor1" rows="10" cols="80">
This is my textarea to be replaced with CKEditor2
</textarea>
<div id="someID">Hello world!</div>
<script>
function myFunction() {
var html = 'this is my new text from function1 ';
alert('function 1 test121');
CKEDITOR.instances['editor1'].setData(html);
}
function myFunction2() {
var editorData = CKEDITOR.instances['editor1'].getData();
alert('new data' + editorData);
}
CKEDITOR.replace( 'editor1' );
</script>
<p>Click the button to trigger a function.</p>
<button onclick="myFunction()">Set Data</button>
<button onclick="myFunction2()">Get Data</button>
<p id="demo"></p>
</body>
</html>
I followed this answer here: http://simple.procoding.net/2008/03/21/how-to-access-iframe-in-jquery/
So I added:
<div id="someID">Hello world!</div>.
I have uploaded the app to www.wilsea.com/iframe so there should be no cross domain issues.
The button code is:
var HTML1 = $('#iFrame1').contents().find('#someID').html();
alert(HTML1);
var HTML1 = $('#iFrame1').contents().find('#editor1').html();
alert(HTML1);
I have used the developer tools in Chrome and I see that 'id someID' exits so what part of this am I not understanding here?
My goal is to be able to:
Populate the html content of the CKEditor from my database.
Allow the client to edit / add images etc.
Save the html content of the CKEditor to my database.
I got the answer from here:
https://getsatisfaction.com/application_craft/topics/accessing_an_iframe?utm_source=notification&utm_medium=email&utm_campaign=new_reply&utm_content=reply_button&reply[id]=14399739#reply_14399739
The key is that the DOM element id is not the AC widget name. But you can get and use the DOM id fairly easily with the following ('contextMenu' is the AC name of an iFrame widget in this example)
contextMenuId = 'iframe_' + app.w('contextMenu').base()[0].id;
document.getElementById(contextMenuId).contentDocument.getElementsByClassName('cke_wysiwyg_frame')[0].contentDocument.body.innerHTML
It maybe not relevant to everyone as it is specific to application craft but the thought process may help others.
MRWarby

Categories