Working with Javascript BBCode Editor - javascript

I know the question seems different, as there are many BBCodes available out there. I am working on a client-side BBCode editor and have pretty much done the work.
The issue I am facing is: when I try to parse the server-side data with this:
<cfset show = "<script type='text/javascript'>var data = '#JSStringFormat(answer)#';
document.write(PARSER(data));</script>">
in my view source, it shows like this:
<script type='text/javascript'>var data = '[b]Thanks, This ticket has been Updated[/b]. ';
document.write(PARSER(data));</script>
How can I handle this issue? I need some good suggestions here.

Use htmlEditFormat in conjunction with your JSStringFormat function:
var data = '#JSStringFormat(htmlEditFormat(answer))#';
JSStringFormat used alone is prone to XSS attacks.
See Nadel's post:
http://www.bennadel.com/blog/2570-For-Better-Security-Use-HtmlEditFormat-In-Conjunction-With-JSStringFormat-In-ColdFusion.htm
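The difference between the two encodings, modelled in plain JavaScript so it can be checked offline (added example, not from the post or from ColdFusion; the two helpers only approximate HTMLEditFormat and JSStringFormat, and PARSER and the sample value are constructed):

```javascript
// HTMLEditFormat-style escape: neutralises markup characters so the HTML
// parser can never see a real tag inside the embedded value.
function htmlEditFormat(s) {
  return s.replace(/&/g, '&amp;').replace(/</g, '&lt;')
          .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// JSStringFormat-style escape: makes the value a valid JS string literal
// (quotes, backslashes, line breaks) but leaves '<' and '>' untouched.
function jsStringFormat(s) {
  return s.replace(/\\/g, '\\\\').replace(/'/g, "\\'").replace(/"/g, '\\"')
          .replace(/\r/g, '\\r').replace(/\n/g, '\\n');
}

// The combination the answer recommends: HTML-escape first, then JS-escape.
// BBCode tags like [b] survive untouched, so PARSER still has something to do.
function encodeForInlineScript(value) {
  return jsStringFormat(htmlEditFormat(value));
}

// Build the inline script exactly the way the question does.
function inlineScript(value, encoder) {
  return "<script type='text/javascript'>var data = '" + encoder(value) +
         "';\ndocument.write(PARSER(data));</script>";
}

// The HTML parser ends a <script> element at the first '</script' it meets,
// whatever the JS quoting says. A correctly encoded page therefore contains
// exactly one closing tag; a second one means the value broke out.
function scriptTagCount(html) {
  return (html.match(/<\/script/gi) || []).length;
}

// Constructed sample: a BBCode answer that happens to contain a closing tag.
const sample = "[b]Done[/b]</script>x";
console.log(scriptTagCount(inlineScript(sample, jsStringFormat)));       // 2 (unsafe)
console.log(scriptTagCount(inlineScript(sample, encodeForInlineScript))); // 1 (safe)
```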

Related

How to sanitize PHP posted in comments by users

I am creating a commenting system where users can post comments that can also consist of basic HTML including code. Like this:
<pre><code class="language-php"><?php
echo 'Test';
?></code></pre>
The problem is that I can't sanitize this one server side because the PHP code in the comment will actually run on my server. I tried using JavaScript like this before submitting the form:
$("#comment").val() = $("#comment").val().replace("<?", "&lt;?").replace("?>", "?&gt;");
However, this results in a syntax error.
Is there any way for me to safely post user comments that consist of PHP?
To set a new value on an input element using jQuery, you need to use this syntax:
$("#yourElement").val(newValue);
so change your JavaScript code to:
$("#comment").val($("#comment").val().replace("<?", "&lt;?").replace("?>", "?&gt;"));
Read: http://api.jquery.com/val/

how to retrieve the value of javascript var through python?

I need to get the data of productSkus[ using Python, but I don't know how to access it. The JavaScript comes from http://www.ulta.com/lid-lingerie-eye-tint?productId=xlsImpprod15361061 .
This is what it looks like:
<script type="text/javascript">
var currentSkuId = '2502111';
var currentProductId = 'xlsImpprod15361061';
var productSkus = new Object();
productSkus[2502111] =
{"displayName":"Fame & Fortune","id":"2502111","imgUrl":"http://images.ulta.com/is/image/Ulta/2502111?$detail$","largeImgUrl":"http://images.ulta.com/is/image/Ulta/2502111?$lg$","swatchImgUrl":"http://images.ulta.com/is/image/Ulta/2502111sw?$50px$","swatchHoverImgUrl":"http://images.ulta.com/is/image/Ulta/2502111sm?$md$","skuSize":"0.13","skuSizeUOM":"oz"};........
Can anyone help me with this?
If you want to use productSkus on the server side, then you need to use AJAX to send the JS variable to the server.
As the Django template is compiled server side, it is then sent to the client, where their browser executes the JavaScript. Nothing that is changed by the JavaScript executing in the client browser can have an effect on the template. It's too late at that point.
However, the JavaScript could do something like make another request to the server for more information. Or you could just pre-compute the value on the server before you send it to the client.
You can of course use Django templates to set JavaScript variables.
<script>
var myVar = '{{ py_var }}';
</script>
Use an HTML form to submit the data to the server, or go through an API.

How do I implement jQuery autocomplete in Google App Engine with Python?

I found several sources discussing this problem (this one seems the simplest, but it is for PHP). I will be using an existing search form, and I created an AutocompleteResponse handler to handle the request. I don't understand from the documentation whether the data sent is required to be in JSON format or whether an array of strings is OK. I am not sure what information to send either. I created a new model with search history:
class Search(db.Model):
owner = db.UserProperty()
date= db.DateTimeProperty(auto_now_add=True)
query = db.StringListProperty()
and I want to send the relevant query suggestions to autocomplete. Any pointers to examples, whether in the documentation or otherwise, are welcome. Thanks.
Update
I put this just before the closing </body>:
<script>
$('#search_form').autocomplete({
source: "http://ting-1.appspot.com/autocomp",
minLength: 2});
</script>
In my Autocomp handler I put:
data = json.dumps("abc, def")
I naively think that data will be passed to the jQuery autocomplete plug-in. But nothing is happening. What am I doing wrong?
Just tried this and it worked:
data = ['cat','dog','bird', 'wolf']
data = json.dumps(data)
self.response.out.write(data)

Javascript html decoding

When I receive HTML text by AJAX in an ASP.NET application it looks like:
&lt;span%20style='color:green;font-weight:bold'&gt;%20Text%20Msg&lt;/span&gt;
How is it possible in JavaScript to decode that text to normal HTML?
<span style='color:green;font-weight:bold'> Text Msg </span>
Thanks!
Nice function here that does it for you: http://phpjs.org/functions/htmlspecialchars_decode:427
You are probably best served by finding a server-side solution, as already mentioned in the comments, since this seems like a server-side problem.
If you for some reason wish to do this client side anyway, here is a solution:
var str = "&lt;span%20style='color:green;font-weight:bold'&gt;%20Text%20Msg&lt;/span&gt;";
var fixedStr = decodeURIComponent(str).replace(/&lt;/g,'<').replace(/&gt;/g,'>');

Using jQuery on a string containing HTML

I'm trying to make a field similar to the Facebook share box, where you can enter a URL and it gives you data about the page: title, pictures, etc. I have set up a server-side service to get the HTML from the page as a string and am trying to just get the page title. I tried this:
function getLinkData(link) {
link = '/Home/GetStringFromURL?url=' + link;
$.ajax({
url: link,
success: function (data) {
$('#result').html($(data).find('title').html());
$('#result').fadeIn('slow');
}
});
}
which doesn't work, however the following does:
$(data).appendTo('#result')
var title = $('#result').find('title').html();
$('#result').html(title);
$('#result').fadeIn('slow');
but I don't want to write all the HTML to the page, as in some cases it redirects and does all sorts of nasty things. Any ideas?
Thanks
Ben
Try using filter rather than find:
$('#result').html($(data).filter('title').html());
To do this with jQuery, .filter is what you need (as lonesomeday pointed out):
$("#result").text($(data).filter("title").text());
However, do not insert the HTML of the foreign document into your page. This will leave your site open to XSS attacks.
As has been pointed out, this depends on the browser's innerHTML implementation, so it does not work consistently.
Even better is to do all the relevant HTML processing on the server. Sending only the relevant information to your JS will make the client code vastly simpler and faster. You can whitelist safe/desired tags/attributes without ever worrying about dangerous ish getting sent to your users. Processing the HTML on the server will not slow down your site. Your language already has excellent HTML parsers, why not use them?
When you place an entire HTML document into a jQuery object, all but the content of the <body> gets stripped away.
If all you need is the content of the <title>, you could try a simple regex:
var title = /<title>([^<]+)<\/title>/.exec(dat)[ 1 ];
alert(title);
Or using .split():
var title = dat.split( '<title>' )[1].split( '</title>' )[0];
alert(title);
The alternative is to look for the title yourself. Fortunately, unlike most parse-your-own-HTML questions, finding the title is very easy because it doesn't allow any nested elements. Look in the string for something like <title>(.*)</title> and you should be set.
(yes yes yes I know never use regex on html, but this is an exceptionally simple case)
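Both the encoded-span question above and this title question come down to reading something out of HTML that arrived as a string without ever handing that markup to the page's DOM. This added example (not from any of the posts; all sample strings are constructed) does that as pure string code, so it also runs under Node:

```javascript
// Decode a minimal set of HTML entities. '&amp;' is handled last so that a
// doubly-encoded '&amp;lt;' comes back as '&lt;', never as a live '<'.
function decodeEntities(s) {
  return s.replace(/&#(\d+);/g, (_, n) => String.fromCodePoint(Number(n)))
          .replace(/&lt;/g, '<').replace(/&gt;/g, '>')
          .replace(/&quot;/g, '"').replace(/&#39;/g, "'")
          .replace(/&amp;/g, '&');
}

// The ASP.NET case: percent-encoding on the outside, entities on the inside.
// The result is markup, so treat it as trusted only when the server produced
// it; a user-supplied value decoded this way must not go into innerHTML.
function decodeEncodedMarkup(s) {
  return decodeEntities(decodeURIComponent(s));
}

// Pull the <title> out of a full HTML document string. Tolerates attributes
// on the tag, mixed case and line breaks, and returns null when absent. The
// string is never parsed as live HTML, so nothing in it can run or load.
function extractTitle(html) {
  const m = /<title[^>]*>([\s\S]*?)<\/title\s*>/i.exec(html);
  return m ? decodeEntities(m[1]).replace(/\s+/g, ' ').trim() : null;
}

// Constructed inputs standing in for the AJAX response and the fetched page.
const encodedSpan =
  "&lt;span%20style='color:green;font-weight:bold'&gt;%20Text%20Msg&lt;/span&gt;";
const foreignPage =
  '<html><head>\n<TITLE lang="en">\n  Tom &amp; Jerry  </TITLE></head>' +
  '<body><script>document.write("never runs here")</script></body></html>';

console.log(decodeEncodedMarkup(encodedSpan)); // <span style='color:green;font-weight:bold'> Text Msg</span>
console.log(extractTitle(foreignPage));        // Tom & Jerry
```

In a browser, `new DOMParser().parseFromString(html, 'text/html').title` gives the same result from an inert document in which scripts do not execute, which is the safe alternative to `$(data)` when a real parser is wanted.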
