Anyone can help me on how to remove or replace existing link in JS templating. I use backbone.js for this.
Here is my code:
<script id="option-show-template" type="text/template">
<address>
<abbr title="Website">Web :</abbr> <%= (website)? '' + website + '' : '' %></address>
</script>
Output:
Web: www.test.com
The Problem is even though it will output the correct data but the href attr is not totally display the correct one. My localhost/testserver includes in the href attrib.
Web: www.test.com
What I want is to remove the default base url. Must be output like this way:
Web: www.test.com
Add http://
Try This
<abbr title="Website">Web :</abbr> <%= (website)? '' + website + '' : '' %></address>
What is wrong here??
The problem with your implementation is, when you set href attribute without any protocol(http, https, ftp etc) the browser treat the link as relative path. so when you are viewing the page on http://localhost/testserver/ the url for your page become localhost/testserver/www.test.com
How to fix??
In short, to fix the problem you need to add http:// before your url if there is not any. You can do it in many ways, like :
Update your template as Nitish Kumar suggested.
replacing all url prepend with http:// using jquery
.... or many other ways!!!
The option 1 or 2 is easy enough to implement and would solve your problem, if your are sure your URLs will be always like your example. But will fail for following use cases:
If your url already got a protocol(i.e. http://google.com). Then your URL will become http://http://google.com
If your url is really a relative url(i.e. my/relative/url). Then it should be stay as it is but you will get invalid url without a domain - http://my/relative/url
The ultimate solution!!
So you can use following function to fix your URLS
//Check if it is a valid URL with FQDN
function isValidUrl(url) {
return url.match(/((ftp|http|https):\/\/)?[\w\-]+\.[\w\-]+/);
}
//Check if the url already contain a protocol or not
function hasProtocol(url){
return url.match(/(ftp|http|https):\/\//);
}
//Fix your URL only if needed!!
function setHttp(link) {
return (!isValidUrl(link) || hasProtocol(link)) ? link : 'http://' + link;
}
You can use this function in several way to fix your problem. a sample implementation you can find here
Happy coding!!
The href must start with the protocol if you are using an absolute path. Without the protocol, the browser is going to interpret it as a relative path, leading you to get something like localhost/testserver/www.test.com.
I believe the only real solution to this is going to be to add the protocol to your href.
Are you copying the URL out? www.test.com isn't a valid fully qualified URL. You'll want to prepend http:// to your URL. The only other way that could be entering into things is if the 'website' variable contains that information, which I don't quite get from your question.
Your question is phrased a bit oddly and the example you provide isn't quite sufficient to suggest more at this point (although I will say that I generally discourage ternary operations inside of template echos like you've got).
replacing url prepending with http://. This should get your problem solved
Related
Using JavaScript, how can I make it redirect to another site based on the URL?
(Example)
If someone goes to https://example.com/12345, it will redirect them to https://example.net/12345.
And if someone goes to https://example.com/abc123456, it will redirect them to https://example.net/abc123456
How can I do this?
In the place that you have hosted that domain, See if you can find something that makes it a single page app or a way to rewrite all urls to one page so that it doesn't show 404 not found. (not certain how you can do that, I only done it with firebase hosting, it has a way of configuring it so that no matter what url you give it, it always shows you the same page, and also the url doesn't get changed ) if you can do that, this is the code you need:
let pathname = location.pathname //if the url is https://example.net/1234, the path name will be /1234
location.href = "https://example.net" + pathname //if you add that to this string, it would be https://example.net/1234
You can use following code for that:
location.href = 'https://example.net/12345';
location.href = 'https://example.net/abc123456';
Or used following code for that:
location.replace('https://example.net/12345');
location.replace('https://example.net/abc123456');
All:
I have an issue with a project I am working on using C# MVC4
In the project, I am accepting a URL and other parameters from a user, then do some processing and send the result of the processing to the URL provided by the user.
The result is being sent using the following code:
var context = HttpContext.Current;
context.Response.Write("<html><head>");
context.Response.Write("</head><body>");
context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", postUrl));
context.Response.Write("</form>");
context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
context.Response.Write("</body>");
context.Response.Flush();
context.Response.Clear();
context.ApplicationInstance.CompleteRequest();
Whenever a user attempts an XSS like passing a url value of javascript%3aalert('xss')%2f%2f, the JavaScript runs and the pop up shows up.
I've tried Antixss.HtmlEncode() to encode the URL before passing it into string.Format but still doesn't work. I've tried Antixss.UrlEncode() also, but this gives error as the form doesn't submit to the URL.
Please help me out, Is there something I am missing? What else can I do?
Thanks in advance.
You will need a three pronged approach to solve this issue.
Preventing XSS injection:
Note that if a user injected the url value
" /> <script>alert('xss')</script>
this would also leave you vulnerable:
<form name="myform" method="post" action="" /> <script>alert('xss')</script>" >
Therefore you should use the HttpUtility.HtmlAttributeEncode function to solve this one.
However, don't stop there. As noted, you should project against javascript: style URLs. For this I would ensure that the URL begins with http:// or https://. If not, throw a SecurityException which you should be logging and handling server-side, and showing the user a custom error page.
Finally, you want to protect against Open Redirect Vulnerabilities. This is to stop phishing attacks by redirecting users to other domains. Again, use a whitelist approach and ensure that the domain redirected to is one of your own. Be careful on the parsing here, as it is easy to get it wrong - a URL of http://example.org?http://example.com will pass the validation filter for example.com on many badly written validation routines. I recommend using the Uri object in .NET and retrieving the domain through that rather than rolling your own string functions.
You could also check if the URL is a relative URL, and allow it if acceptable. Use something like this function which uses a built in .NET library to ensure that it is relative or not.
Just a thought - try putting this script in rather than just document.myform.submit (and remove the form's action property):
if("{0}".indexOf('http') !== 0) {
//this is some sort of injection, or it's pointing at something on your server. Should cover http and https.
//Specifically, it makes sure that the url starts with 'http' - so a 'javascript' url isn't going to work.
} else {
document.myform.action="{0}"
document.myform.submit();
}
There is more you could do, but this should help.
Since you are adding the postUrl as an attribute "action" of the form tag, you can try using HtmlAttributeEncode method in the HttpUtility
[ValidateInput(false)]
public ActionResult Test(string url)
{
var context = System.Web.HttpContext.Current;
context.Response.Write("<html><head>");
context.Response.Write("</head><body>");
context.Response.Write(string.Format("<form name=\"myform\" method=\"post\" action=\"{0}\" >", HttpUtility.HtmlAttributeEncode(url)));
context.Response.Write("</form>");
context.Response.Write("<script type=\"text/javascript\">document.myform.submit();</script></body></html>");
context.Response.Write("</body>");
context.Response.Flush();
context.Response.Clear();
context.ApplicationInstance.CompleteRequest();
return null;
}
http://localhost:39200/home/test?url=https%3A%2F%2Fwww.google.com - Worked
http://localhost:39200/home/test?url=%3Cscript%3Ealert(%27test%27)%3C%2Fscript%3E - Worked(Did not show alert)
It is always good practice to Validate the user input against a white list of inputs, to prevent XSS exploits.
try using HttpUtility.UrlEncode
something like Response.Write(HttpUtility.UrlEncode(urlString));
see How To: Prevent Cross-Site Scripting in ASP.NET for more steps =)
if (oSession.HostnameIs("www.youtube.com") && oSession.oResponse.headers.ExistsAndContains("Content-Type","text/html")){
oSession.utilDecodeResponse();
oSession.utilReplaceInResponse("old string","new string");
}
Please tell me if I'm using the above script correctly or not.
Basically, How do I to replace/hide the word dolphin from the search query ? I don't want the client browser(my Google Chrome) to see it by any means.
Example : http://www.youtube.com/results?search_query=dolphin&page=3.
If this is not possible with Fiddler,then what other application do you recommend?
Thank you
You can replace anything in the url inside OnBeforeResponse, but doing so won't do anything useful, because the URL has already been sent to the server by then, so changing it that late has no visible impact to anything outside of Fiddler.
If you want to change the URL, do so inside OnBeforeRequest. In your FiddlerScript, look for the urlreplace handler to see how that works.
How can I add something in JavaScript that will check the website URL of someone on a web site and then redirect to a certain page on the website, if a match is found? for example...
the string we want to check for, will be mydirectory, so if someone went to mysite.com/mydirectory/anyfile.php or even mysite.com/mydirectory/index.php JavaScript would then redirect their page / url to mysite.com/index.php because it has mydirectory in the URL, how can I do that using JavaScript?
If I have understood the question correctly, then it is fairly simple and can be achieved using document.URL
var search = 'mydirectory'; // The string to search for in the URL.
var redirect = 'http://mysite.com/index.php' // Where we will direct users if it's found
if(document.URL.substr(search) !== -1) { // If the location of
// the current URL string is any other than -1 (doesn't exist)
document.location = redirect // Redirect the user to the redirect URL.
}
Using document.URL you can check anything in the URL, however you might want to look into using something like Apache's mod_rewrite for redirecting the user before they even load the page.
Check out window.location, particularly it's properties and methods. You would be interested in (part of the) pathname property (you can split it on /) and the href property to change the page.
This is all assuming the javascript is being served in the first place; so I'm assuming anyfile.php and index.php would all result in the JS being served and not some 'generic 404' message.
I'm trying to make a field similar to the facebook share box where you can enter a url and it gives you data about the page, title, pictures, etc. I have set up a server side service to get the html from the page as a string and am trying to just get the page title. I tried this:
function getLinkData(link) {
link = '/Home/GetStringFromURL?url=' + link;
$.ajax({
url: link,
success: function (data) {
$('#result').html($(data).find('title').html());
$('#result').fadeIn('slow');
}
});
}
which doesn't work, however the following does:
$(data).appendTo('#result')
var title = $('#result').find('title').html();
$('#result').html(title);
$('#result').fadeIn('slow');
but I don't want to write all the HTML to the page as in some case it redirects and does all sorts of nasty things. Any ideas?
Thanks
Ben
Try using filter rather than find:
$('#result').html($(data).filter('title').html());
To do this with jQuery, .filter is what you need (as lonesomeday pointed out):
$("#result").text($(data).filter("title").text());
However do not insert the HTML of the foreign document into your page. This will leave your site open to XSS attacks.
As has been pointed out, this depends on the browser's innerHTML implementation, so it does not work consistently.
Even better is to do all the relevant HTML processing on the server. Sending only the relevant information to your JS will make the client code vastly simpler and faster. You can whitelist safe/desired tags/attributes without ever worrying about dangerous ish getting sent to your users. Processing the HTML on the server will not slow down your site. Your language already has excellent HTML parsers, why not use them?.
When you place an entire HTML document into a jQuery object, all but the content of the <body> gets stripped away.
If all you need is the content of the <title>, you could try a simple regex:
var title = /<title>([^<]+)<\/title>/.exec(dat)[ 1 ];
alert(title);
Or using .split():
var title = dat.split( '<title>' )[1].split( '</title>' )[0];
alert(title);
The alternative is to look for the title yourself. Fortunately, unlike most parse your own html questions, finding the title is very easy because it doesn;t allow any nested elements. Look in the string for something like <title>(.*)</title> and you should be set.
(yes yes yes I know never use regex on html, but this is an exceptionally simple case)