Difference in HTML/JavaScript parsing between WebView and browser - javascript

I'm hitting a very peculiar difference between the Android browser and a WebView. Namely, I have the following markup:
<script type="text/javascript">
<!--
// some js code...
// -->
</script>
Now, in the browser, this works perfectly fine. However, when loading the markup in the WebView using loadData(markup, "text/html", "utf-8"), the JavaScript code is not executed at all.
Now, if I remove the HTML comment tags (<!-- and -->), it works fine in the WebView as well. However, this is not something that I want to do, because the markup is coming from a web service that I'd rather not change.
Is there something I can do with the WebView to accept this markup?

On the whole, the put-the-JavaScript-in-comments trick appears to be no longer the recommended pattern, and so I'd encourage you to reconsider your plan to keep serving it that way.
You have obviously enabled JavaScript in the WebView, otherwise it would not work when you tried removing the comments. I know of no other setting to tell WebView to to ignore the comment markers.
You're welcome to examine the AOSP Browser code to try to find out what they do, though that code is nasty, brutish, and long. You could patch up the HTML before handing it to the WebView. You could set a particular user agent on the WebView and have your Web service hand back cleaned-up HTML for that user agent, leaving the rest of your Web service clients unaffected. And you can see if you get a response to your bug report, though there's no assurance of getting such a response.
Beyond that, I'm out of ideas.

Related

How to add a script to a page on the public internet?

I would like to test what would happen if I were to add a script that I wrote myself to a page on the public internet that I'm viewing in a web browser, such as Internet Explorer (in this specific case).
This is not something I would want to do in a production system, but I would like to test a page-enhancing script with many existing pages. I do not want to modify the page in any way for other viewers, I just want to see what would happen if my script were to become part of the page.
It would be fine if there were some tool that could be used to intercept the page from the server before loading it into the browser and add the script tag there.
It would also be good to be able to modify the page in the browser itself, though this would probably be less desirable as there might be a different way to do this in each browser.
I do realize that I could simply download a page manually with all its related resources and then run a modified copy from a local server, but that would be rather cumbersome.
You can use Fiddler to manipulate responses between the server and your client / browser, adding in arbitrary javascript (for example) through "FiddlerScript".
See: http://docs.telerik.com/fiddler/knowledgebase/fiddlerscript/modifyrequestorresponse for more info
For example, you can replace a specific Javascript with another via:
if (oSession.PathAndQuery=="/version1.js") {
oSession["x-replywithfile"] ="version2.js";
}
In the OnBeforeResponse event

How can I gently "bust" UIWebview?

Recently, a few developers have started creating apps which do nothing more than point at state-owned content (free, public property) through UIWebViews. This wouldn't ordinarily be a problem, except the apps are all ad-supported and some are even paid. Essentially, they're making money on state-owned content.
My question is this: how can I force the site to open a new Safari window rather than display in the UIWebview (which is wrapped in their app's branding)? I am able to detect UIWebview using the following, but am unable to do anything besides simply hide the content. I'd prefer it to provide a link to our content which then opens in Safari.
This is how I'm detecting UIWebview:
var is_uiwebview = /(iPhone|iPod|iPad).*AppleWebKit(?!.*Safari)/i.test(navigator.userAgent);
unfortunately its fairly trivial for a developer to force the User-Agent string to anything they want, so your attempts to thwart these developers might only be temporary. You can't force your content to be viewed in a browser. A user could use a tool like CURL to view your content also...
Once you detect that you're in the UIWebview, you need to fire a window.open() to put your content in a fresh window.
This talks about some quirks that make it a little tricky (but not impossible): Opening popup links in UIWebview. Note that the question there is the reverse of yours, but the accepted answer does show how to get UIWebview to pop a new window via Javascript.
This has been a concern ever since the Web began. You can't stop people from scraping your content, but you can make it hard to reframe it.
Edited to add
Unfortunately for you, the app can intercept window.open(): UIWebView respond to Javascript calls
I suppose you could always give up and show a banner that says something like "you paid for this data with your taxes, you shouldn't pay for it again with ads. Just open a browser and go to ... "
You can find out if it is a WebView or Mobile Safari, as seen in this thread. The problem is, that you could only open Safari via a custom URL scheme, but think, only http://, https:// etc. work. Even if there would be something like safari-http://, the programmers of the apps with the UIWebView could catch that request and redirect it back into the web view. So, I'm sorry to say: That's not possible.

How do you keep content from your previous web page after clicking a link?

I'm sorry if this is a newbie question but I don't really know what to search for either. How do you keep content from a previous page when navigating through a web site? For example, the right side Activity/Chat bar on facebook. It doesn't appear to refresh when going to different profiles; it's not an iframe and doesn't appear to be ajax (I could be wrong).
Thanks,
I believe what you're seeing in Facebook is not actual "page loads", but clever use of AJAX or AHAH.
So ... imagine you've got a web page. It contains links. Each of those links has a "hook" -- a chunk of JavaScript that gets executed when the link gets clicked.
If your browser doesn't support JavaScript, the link works as it normally would on an old-fashioned page, and loads another page.
But if JavaScript is turned on, then instead of navigating to an HREF, the code run by the hook causes a request to be placed to a different URL that spits out just the HTML that should be used to replace a DIV that's already showing somewhere on the page.
There's still a real link in the HTML just in case JS doesn't work, so the HTML you're seeing looks as it should. Try disabling JavaScript in your browser and see how Facebook works.
Live updates like this are all over the place in Web 2.0 applications, from Facebook to Google Docs to Workflowy to Basecamp, etc. The "better" tools provide the underlying HTML links where possible so that users without JavaScript can still get full use of the applications. (This is called Progressive Enhancement or Graceful degradation, depending on your perspective.) Of course, nobody would expect Google Docs to work without JavaScript.
In the case of a chat like Facebook, you must save the entire conversation on the server side (for example in a database). Then, when the user changes the page, you can restore the state of the conversation on the server side (with PHP) or by querying your server like you do for the chat (Javascript + AJAX).
This isn't done in Javascript. It needs to be done using your back-end scripting language.
In PHP, for example, you use Sessions. The variables set by server-side scripts can be maintained on the server and tied together (between multiple requests/hits) using a cookie.
One really helpful trick is to run HTTPFox in Firefox so you can actually monitor what's happening as you browse from one page to the next. You can check out the POST/Cookies/Response tabs and watch for which web methods are being called by the AJAX-like behaviors on the page. In doing this you can generally deduce how data is flowing to and from the pages, even though you don't have access to the server side code per se.
As for the answer to your specific question, there are too many approaches to list (cookies, server side persistence such as session or database writes, a simple form POST, VIEWSTATE in .net, etc..)
You can open your last closed web-page by pressing ctrl+shift+T . Now you can save content as you like. Example: if i closed a web-page related by document sharing and now i am on travel web page. Then i press ctrl+shift+T. Now automatic my last web-page will open. This function works on Mozilla, e explorer, opera and more. Hope this answer is helpful to you.

Track HTML submissions when Javascript is being used

Conventional HTML lets you submit data via forms to a website and the destination (target) is usually visible in the sourcecode. Now, with JS it's a bit more difficult. You have to go through the JS files and find out what happens and where all the data is being sent to.
Is there an easier way to pin down where my data ends up (i.e. what file/address it is being sent to)??
Something like: I click on the button and it shows me what type of action was used and the destination URL?!
I'm on Ubuntu.
Are you trying to prevent phishing attacks or merely capture redirects/ajax calls on button clicks .. what's the purpose of this experiment?
Because Firebug (a firefox add-on) or Chrome Inspector (native to Chrome, not quite as robust as Firebug) will do the things that you're asking for, and give you lots more information to boot.
Additionally, you might consider setting up a local proxy on your machine and capturing all http traffic. It really depends on what you're trying to accomplish.
$("form").live("submit", function(){
alert("The page will be going to: "+this.action);
});
Of course, you will need to know if the window is being unloaded, because the submit could be handled and stopped by the javascript...

Can I prevent user pasting Javascript into Design Mode IFrame?

I'm building a webapp that contains an IFrame in design mode so my user's can "tart" their content up and paste in content to be displayed on their page. Like the WYSIWYG editor on most blog engines or forums.
I'm trying to think of all potential security holes I need to plug, one of which is a user pasting in Javascript:
<script type="text/javascript">
// Do some nasty stuff
</script>
Now I know I can strip this out at the server end, before saving it and/or serving it back, but I'm worried about the possibility of someone being able to paste some script in and run it there and then, without even sending it back to the server for processing.
Am I worrying over nothing?
Any advice would be great, couldn't find much searching Google.
Anthony
...I'm worried about the possibility of someone being able to paste some script in and run it there and then, without even sending it back to the server for processing.
Am I worrying over nothing?
Firefox has a plug-in called Greasemonkey that allows users to arbitrarily run JavaScript against any page that loads into their browser, and there is nothing you can do about it. Firebug allows you to modify web pages as well as run arbitrary JavaScript.
AFAIK, you really only need to worry once it gets to your server, and then potentially hits other users.
As Jason said, I would focus more on cleaning the data on the server side. You don't really have any real control on the client side unless you're using Silverlight / Flex and even then you'd need to check the server.
That said, Here are some tips from "A List Apart" you may find helpful regarding server side data cleaning.
http://www.alistapart.com/articles/secureyourcode

Categories