I wanna know if it is possible to autofill an html form of a website (not local) using javascript, and if it is possible can you please put me in the right direction.
Edit: I have one Mozilla extension that has some dropdowns, textareas ... from which I will get the data I want to put in the form.
Thanks.
JavaScript, running on a website, cannot cause a visitor's browser to go to another website and pre-fill a form there. This would be a serious security issue.
JavaScript running in a browser extension can, but the specifics depend on the specific type of browser extension. (i.e. Chrome Extensions and Greasemonkey extensions are different).
JavaScript running on a server (e.g. via Node.js) can go to another site and fill out a form there (e.g. with PhantomJS). It can't present the filled in form to the user without acting as a full proxy though.
In my app, I am currently using a web view to display some content. Then, I use Javascript injection to quickly fill out the form for the user.
The only issue is, Webviews are incredibly slow compared to Chrome Custom tabs. Is it possible to inject Javascript code into these custom tabs?
For example, here is some code I currently use:
myWebView.loadUrl("javascript:document.getElementById('join_first_name').value='" + name + "';void(0); ");
No; that would be a critical security hole.
Since custom tabs use cookies, settings, and password managers from the user's real Chrome instance, you cannot control them at all.
Chrome prohibits you from doing any of that. If this were allowed then it would be a major security flaw since you can modify the page within the app.
Suppose you have an app that has a facebook sign in. If this were possible, one could also steal someone's login credentials.
With Chrome Custom tabs, you don't have much control over the content that is served. You should probably try an alternative, like passing the first name as a URL parameter and then write a script on that page to read the parameter and fill the form out.
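The alternative suggested in the answer above, sketched as the script the target page would run (an added example, not code from the thread). The parameter name first_name and the length limit are assumptions; join_first_name is the field id from the question.

```javascript
// Added example: prefill a form field from a URL parameter on the page itself.
// Assumptions: parameter name `first_name`, 100-character limit.
const MAX_NAME_LENGTH = 100;

// Extract and sanity-check the prefill value from the page URL.
// The query string comes from whoever built the link, so treat it as untrusted.
function readPrefillName(href) {
  const raw = new URL(href).searchParams.get('first_name');
  if (raw === null) return null;
  // Drop control characters, trim whitespace, and bound the length.
  const cleaned = raw.replace(/[\u0000-\u001f\u007f]/g, '').trim();
  if (cleaned.length === 0 || cleaned.length > MAX_NAME_LENGTH) return null;
  return cleaned;
}

// Fill the field. Assigning to .value keeps the text as data: it is never
// parsed as HTML or script, unlike innerHTML or document.write.
function prefillForm(doc, href) {
  const name = readPrefillName(href);
  const field = doc.getElementById('join_first_name');
  if (name === null || !field) return false;
  field.value = name;
  return true;
}

// In the page itself (skipped when run outside a browser):
if (typeof document !== 'undefined') {
  prefillForm(document, window.location.href);
}
```

The app then opens the Custom Tab on a URL carrying the URL-encoded name, and the page, not the app, touches its own DOM.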
You need to do it like that, by using data:text/html, as a prefix for your script.
Try that in your browser tab:
data:text/html,<script>alert("hello")</script>
It will fire the JavaScript and alert, and you can also print some HTML from the URL.
So I guess you just need to open the tab with the script:
String suffix = "data:text/html,";
String script = "<script>document.getElementById('join_first_name').value='" + name + "';</script>";
String url = suffix + script;
myWebView.loadUrl(url);
It's browser behaviour on desktop and mobile.
I haven't tried it in WebView.loadUrl, and actually, still, if it's done by WebView.loadUrl it will be a security hole.
There's supposed to be no way to inject Javascript to Chrome web browser.
If you can execute the JavaScript queries to Chrome via some third-party apps, thereby you can read all the cookies, clear every session, and whatever the JavaScript is capable of. Which is really a huge security flaw.
What you can do is to load your URL in a WebView and execute the JavaScript there. That's the only possibility I've ever heard of. This is the same technique used for EPUB documents, where we load the complete HTML content in a WebView, then we execute external JavaScript queries into that view, so you can modify the HTML, CSS attributes.
I have a web page which will load an external javascript processed by PHP. In Chrome and Firefox if I want to get the initiator of the js file through PHP, I just need to get it by the superglobal variable $_SERVER["HTTP_REFERER"]. However, this would not work in IE if I visited another web page before browsing this web page. How can I get the initiator web page even in IE?
PHP is not processing JavaScript. Your Browser is processing JavaScript.
The HTTP headers are known to be unreliable, everyone can change their fields to whatever you want in the request. You cannot fix your problem by using $_SERVER["HTTP_REFERER"] nor anything in JavaScript related. Some browsers have turned off the referrer or offer the possibility to turn it off, as some add-ons will also remove the referrer.
The only reliable way is to generate security tokens, which you will use only once per JavaScript call. Save it in a session, compare them when calling the html/php and when calling the js/php.
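The one-time token scheme from the answer above, as an added example that is not code from the thread. It is written in Node.js rather than PHP; the session object stands in for $_SESSION, and the script path /widget.js.php and the 60-second lifetime are assumptions.

```javascript
// Added example: single-use token linking a script request to the page that
// embedded it, without relying on the Referer header.
const { randomBytes } = require('node:crypto');

const TOKEN_TTL_MS = 60000; // assumption: the script is fetched right after the page

// Called while rendering the HTML page: mint a token and remember, in the
// visitor's server-side session, which page it was issued for.
function issueScriptToken(session, pagePath, now = Date.now()) {
  const token = randomBytes(32).toString('hex'); // 256 bits, unguessable
  session.scriptTokens = session.scriptTokens || new Map();
  session.scriptTokens.set(token, { pagePath, expires: now + TOKEN_TTL_MS });
  return token;
}

// The <script> tag the page would emit (hypothetical script path).
function scriptTag(token) {
  return `<script src="/widget.js.php?t=${encodeURIComponent(token)}"></script>`;
}

// Called when the script URL is requested: returns the initiating page path,
// or null if the token is unknown to this session, expired, or already used.
function redeemScriptToken(session, presented, now = Date.now()) {
  const store = session.scriptTokens;
  if (!store || typeof presented !== 'string') return null;
  const entry = store.get(presented);
  if (!entry) return null;
  store.delete(presented); // single use: a replayed URL no longer matches
  return now <= entry.expires ? entry.pagePath : null;
}
```

Because the token is looked up in the session rather than trusted from the request, a client that strips or forges the referrer still resolves to the page the server itself recorded.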
I'm working with websites that have forms on their pages. I need to fill out the form and then submit it, using Javascript.
The problem that I'm running into is that if I make a GET request in order to get the HTML of the page, then I don't have access to the JS running on that page and therefore, I can't actually submit the form (since the page is not connected to the server). How would I be able to get around this? It could also be that some pages aren't running JS, but are running PHP scripts instead.
You need a headless browser in this case. Here's one for .NET, if you can code C#, otherwise there are plenty of others for different platforms and languages.
I want to help fill forms for my users with default values on other pages.
To do that I would like to show another page (from different domain) in an iframe and insert there default values when needed into fields.
But it is not possible because of cross site scripting protection.
I have checked http://sourceforge.net/projects/poxy/ and it almost works to view page through proxy but unfortunately not always. Is there another way to do that? I.e., how to connect to fields in the iframe? Is it possible?
AFAIK, you cannot access fields from another page like an iframe. If you want to fill a form by using JS, you can try to write a bookmarklet for your browser. That's a bookmark which executes JavaScript on the current page.
I have a site, from which you can download an HTML file. This HTML file contains a form with hidden fields, which is right away posted back to the site using JavaScript. This is a way of allowing users to download to their own machine data that they edit on the site.
On some machines, you get an IE "yellow bar" when trying to open the file you saved. The "yellow bar" in IE is warning that the HTML is trying to run an Active X (which it is not, there is only JavaScript doing a submit() on a form). However if you receive the exact same HTML file by email, save it, and open it, you don't have this problem. (It looks like IE is putting some more constraint on what can be done in a HTML file you saved from web site.)
My question is: where can I find documentation on this IE security mechanism, and possibly how can I get around it?
Alex
The yellow bar is because your page is executing in the Local Machine security zone in IE. On different machines, the Local Machine security zone might be configured in different ways, so you can see the yellow bar on some machines and not see it on other machines.
To learn more about the IE's URL Security Zones, you can start reading here: http://msdn.microsoft.com/en-us/library/ms537183.aspx
Look here for details on the MOTW (Mark of the Web): http://msdn.microsoft.com/en-us/library/ms537628(VS.85).aspx
If you add this to your locally served pages, IE will not show the yellow bar.
I am not sure about any specific document, but if you open the properties for the file in Windows Explorer, on the General tab, is the file blocked? If so, click Unblock and try again and see if you get the same issue. This is typical security for files downloaded from the internet.
Other than that, I am afraid I don't know what else to suggest.
I don't 100% follow what your JavaScript is submitting to, but if you're submitting back to the original site from the downloaded copy you'll have a problem using JavaScript as all browsers treat cross-domain JavaScript as a security violation.
JavaScript isn't allowed to read or write to any site not on the current domain
As Franci had said, it is because you are in the local machine security context and this allows scripts to create objects and execute code that could do harm to your PC. For example you can create a File System Object and perform tasks that an untrusted page shouldn't perform generally because it could be malicious in nature.
Have you tried changing the file name from yourname.html to yourname.hta to see if the security problem goes away?
More on HTML Applications (.HTA files): http://msdn.microsoft.com/en-us/library/ms536496%28VS.85%29.aspx