Reading files from hard drive with javascript

My application creates .xml files and stores them on the user's hard drive; there is a default folder that I set in the web.xml to store the files, let's say D:/temp. Now, after I write the files, I need to read them back with javascript. I am using a javascript library that has this function mxUtils.load('URL of the file') (this function returns the content of the file). The problem is that it is giving me an error: "Cross origin requests are only supported for HTTP" (I know it doesn't have anything to do with the function or the library). I think the problem is that you can't read local files because of some security issues. Can anyone advise me on a solution? Thanks

You can't access the local filesystem using javascript.
To access the file using javascript, you have to upload it to a server and access it using the file's URL.

As stated, you cannot access a file on the filesystem strictly through Javascript. You could, however, use the input file type to upload the file to your server and then read it:
<input type="file" name="myfileinput">
Then, you can access it via the $_FILES global in PHP - other languages also provide this functionality through other means. Please note, again, that there is absolutely no way to access a file that is on someone's filesystem with Javascript without their consent (i.e. using the file input type). That would be a huge security risk - imagine going to a page and having it wipe your whole D:/ drive.

It's best to expose your files via HTTP and use mxUtils.load("http://yoursite/static/yourfile.xml").
Search for static files in the Apache HTTP Server HowTo. Set up Apache to serve your xml files, make sure that you can view the xml file in a browser, and then use the same url in the mxUtils.load call.

Related

How can I upload a file in an FTP server using javascript?

I want to upload a file to an FTP server.
I'm using Angular but after some research I realized that Angular has no way to upload files to FTP. So I tried to follow this code but I didn't have any success because 'new FtpConnection()' is not recognized by javascript.
Is there any other valid code to upload a file to FTP via javascript or do I need to upload the file to FTP via the backend? (I use c# in backend)
JavaScript has no native mechanisms for handling input and output, including FTP communication. It depends on the host environment to provide APIs for that.
Browsers (which I assume you are using given your angular tag) do not provide JS with an API for making FTP uploads, so you cannot.
(The question you reference is about JS running in Adobe Photoshop, not in a web browser).
The closest you could get would be to write a web service which you could send a file to via HTTP and then have it make the FTP upload.

How to understand website is sending uploaded files to its server?

How can I understand uploaded files are permanently stored in the website's server?
For example, how can I understand when I uploaded my PDF file to this website (https://smallpdf.com/pdf-to-jpg) whether it also saves my file to its server?
If you are referring to a third party server that you have no control over there is no programmatic way of determining if they are in fact storing your pdfs permanently.
They might have a Terms and Conditions page where they set out the terms and conditions of using their service.
Alternatively if it concerns you try to find a site that makes it clear that they do not store your files permanently.

Search metadata in all server-side files in subfolder NOT using FileSystem API

I have a server-side subfolder structure in my HTML5/JS site.
The subfolder structure contains various media types where each media file is wrapped in its own HTML file which contains metatags.
I want to list all metatags for all files but I do not want to have to browse for a file (i.e. no FileSystem API) and get its metadata. I just want to scan through the subfolder and list all metadata in each file.
I'm not able to find any script to do this, everything I keep running into is asking for the FileSystem API and the requirement to browse for a file.
Alternatively, if FileSystem API can do this, I'd use it as long as I don't have to go browsing for files to use it.
My server is a standard LAMP server and the files are all HTML files inside a site subfolder. This site currently has no DB and I'm hoping to not add one for this functionality.
Any help would be appreciated.
Maybe Node.js would be a good fit for you. Then you can write everything in Javascript. It is server side scripting, but for demonstration purposes the configuration is much easier than Apache.
If I understand correctly that you don't want to browse the file system on the server side, but on the client side you are willing to do anything with Javascript, then the following may also be an option.
Using LAMP, you can configure Apache so that it shows directory indexes (https://httpd.apache.org/docs/current/mod/mod_dir.html#directoryindex), which you can use to browse to the content you need on the client side.
In any case, you will have to hit the files on your server somehow, either directly through the file system on the server side or with an HTTP request from the client side.

Security concerns with uploadify

I just implemented uploadify in my project, and I noticed what seems like an important security issue with the uploading process:
The folder in which the file should be uploaded is provided as a javascript argument, so client-side. If the user changes the script, and fills in a different folder (i.e. "/") for the upload, the file gets uploaded to the different folder.
There is an option in the config to filter the filetypes, but again it's provided on the client side ("fileExt").
So am I wrong to think this could lead to a possible hack? Uploading a php file anywhere in the Web Root and executing it seems easy.
Is it the desired behavior?
Should I just cross-check the upload folder in the uploadify.php file?
Should I send a notice to the uploadify makers?
I'm sure I'm not the first one to think about this. Oh, and the same goes for other config parameters, like sizeLimit and queueSizeLimit.
Just looked at the code (haven't installed it anywhere), and it certainly looks like this is a security problem. Looking at uploadify.php, I see this:
$targetPath = $_SERVER['DOCUMENT_ROOT'] . $_REQUEST['folder'] . '/';
Which means that passing "/" would put the file in the document root (i.e. the home directory of your website). Of course, the user could easily (for example) pass in a folder parameter like '../../etc' and a file named 'passwd'. Or, more trivially, he could upload a "logo.jpg" to the document root and, hey, now you've got porn for a site logo!
Of course, even if you sandbox the users, there are still lots of potential problems with allowing a user to arbitrarily upload a file to your server. What if they upload a .php file, then go to that file with their browser? They suddenly have the ability to execute arbitrary code on your server!
If you want to do this, you should force the user's uploads into a restricted directory (the realpath function will sanitize the path, in case the user created crazy paths with "../.." or whatever), and you should restrict the types of files allowed (i.e. to only ".jpg", ".gif", ".png" or whatever). Even then, a malicious user could DOS you by filling up your disk quota.
I just want to give my opinion about your post.
You forget an important thing in your analysis.
Developers HAVE TO check variables in the server side script.
If you use javascript (like uploadify, or your own script) or if you don't use javascript (just a simple FORM in html), YOU HAVE to check the data in the server side script. So it doesn't matter for your security whether you are using uploadify or not. Don't forget that it's easy to build an HTTP request and send it to the server. So the security of a web application does not depend on the client.
Thanks for your attention
GUIGUI
That is indeed a security issue, path traversal. You should email them and ask them to fix it.
You are free to put the file anywhere using your server side script and your config. I never use their javascript config for such things.
I know this is a bit old topic, but here's a note from plugin developer:
Given the wide variety of scripting languages, server side validation is up to the users to code. We are developing the plugin to allow those who know what they are doing to use whatever language they want for the front end and back end. And creating new scripts to retrieve information makes it that little bit harder for other users to implement, for example those using aspx, java, codeigniter etc. would need to rewrite major portions of the plugin.
You can read it in full here.
Remember, server validation is a must! You cannot ignore it, ever. This is what I've learnt reading SO and PHP manual.
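The server-side check this thread calls for, as an added example that is not part of the original posts and not uploadify's code. It is written for Node.js rather than PHP; UPLOAD_ROOT, ALLOWED_EXT, MAX_BYTES and resolveUploadTarget are assumptions made for the illustration.

```javascript
const path = require('node:path').posix; // POSIX path rules, as on a LAMP-style host

// Assumed values for this example; none of them come from uploadify.
const UPLOAD_ROOT = '/srv/app/uploads';
const ALLOWED_EXT = new Set(['.jpg', '.gif', '.png']);
const MAX_BYTES = 2 * 1024 * 1024; // enforced here, whatever sizeLimit the client claims

// Decide where (and whether) an upload may be written.
// folder and fileName are the untrusted request parameters.
function resolveUploadTarget(folder, fileName, sizeBytes) {
  const reject = (reason) => ({ ok: false, reason });
  if (typeof folder !== 'string' || typeof fileName !== 'string') return reject('bad-params');
  if (folder.includes('\0') || fileName.includes('\0')) return reject('nul-byte');

  // Keep only the final component of the client-supplied name.
  const base = path.basename(fileName.replace(/\\/g, '/'));
  if (!/^[A-Za-z0-9][A-Za-z0-9._-]*$/.test(base)) return reject('bad-name');
  if (!ALLOWED_EXT.has(path.extname(base).toLowerCase())) return reject('bad-type');
  if (!Number.isInteger(sizeBytes) || sizeBytes < 1 || sizeBytes > MAX_BYTES) {
    return reject('bad-size');
  }

  // The "./" prefix keeps an absolute folder such as "/" relative to UPLOAD_ROOT
  // instead of letting resolve() restart from the filesystem root.
  const target = path.resolve(UPLOAD_ROOT, './' + folder.replace(/\\/g, '/'), base);

  // Containment check on the normalised path: "../" sequences are already collapsed.
  // resolve() is purely lexical; unlike PHP's realpath it does not follow symlinks.
  if (!target.startsWith(UPLOAD_ROOT + '/')) return reject('outside-root');
  return { ok: true, path: target };
}
```

The trailing slash in the containment check matters: without it, a sibling directory such as /srv/app/uploads-old would pass a plain prefix comparison.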

How to fetch a file on a web server using JavaScript?

I am trying to write a small documentation tool to be used from the browser. It would need to fetch source code files from a web server. What would be the appropriate way to fetch files from JavaScript itself and then read them so they can be parsed ? The file to be fetched is on a different web server.
thanks in advance,
vivekian
Use some sort of ajax framework (or XmlHttpRequest) that would read a file, parse it and display it.
You'll have to create a proxy to that other server. Otherwise you're going to run into security exceptions.
Given your main url http://www.x.com/help.html, and the source files that are located at http://www.x321.com/src/, you're going to create a proxy at http://www.x.com/proxy/ to http://www.x321.com/src/
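A sketch of the proxy described in this answer, as an added example that is not part of the original post. It uses the hosts from the answer; upstreamUrlFor and handleProxy are hypothetical names, and the handler assumes Node 18+ (global fetch) behind http.createServer.

```javascript
// Fixed upstream taken from the answer; the browser never chooses the host.
const UPSTREAM_BASE = new URL('http://www.x321.com/src/');
const PROXY_PREFIX = '/proxy/';

// Map a request path on www.x.com to the upstream URL, or null if it must be refused.
function upstreamUrlFor(requestUrl) {
  if (typeof requestUrl !== 'string' || !requestUrl.startsWith(PROXY_PREFIX)) return null;
  const rest = requestUrl.slice(PROXY_PREFIX.length).split(/[?#]/)[0]; // drop query, fragment
  if (rest === '') return null;
  let url;
  try {
    // Resolution handles "..", "%2e%2e", backslashes and absolute URLs in one place.
    url = new URL(rest, UPSTREAM_BASE);
  } catch {
    return null;
  }
  // After resolution the result must still live under the fixed base.
  if (url.origin !== UPSTREAM_BASE.origin) return null;
  if (!url.pathname.startsWith(UPSTREAM_BASE.pathname)) return null;
  return url.href;
}

// Request handler: http.createServer(handleProxy).listen(...)
async function handleProxy(req, res) {
  const target = upstreamUrlFor(req.url);
  if (req.method !== 'GET' || target === null) {
    res.writeHead(400, { 'Content-Type': 'text/plain' });
    return res.end('bad request');
  }
  try {
    // Refuse redirects so the upstream cannot bounce the proxy to another host.
    const upstream = await fetch(target, { redirect: 'error' });
    // Source files are returned as plain text so they are never rendered
    // as HTML or script under the www.x.com origin.
    res.writeHead(upstream.status, { 'Content-Type': 'text/plain; charset=utf-8' });
    res.end(await upstream.text());
  } catch {
    res.writeHead(502, { 'Content-Type': 'text/plain' });
    res.end('upstream error');
  }
}
```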
