Client-side CGI, JavaScript / Python - javascript

Is it possible to pass information from the client-side browser using JavaScript to a client-side Python script using Python CGI? I have done some light googling and everything points to server-side Python scripts receiving information from client-side browsers. I have a somewhat unique'ish project that would require the ability to pass this information locally from browser to a local script.
For example I would have a webpage with a table. In each cell in the table would be an image with a checkbox next to it. When I hit submit, the checked unique values from each checkbox that was checked would be passed to a local python script, from which further processing would occur.
Any thoughts on this? Thank you!
Edit - There is likely some confusion as to my oddball question, so a tad bit more clarification. My python script starts out by mounting and walking an NTFS volume, making a list of the path of every graphic file found. It then mounts a RAM disk. The python script then generates thumbnails of each image found. The python script then generates a "master" html page, and then dynamic amounts of html pages to be used in an iframe. The HTML files and thumbnail files are stored in the RAM disk. The iframe pages contain the thumbnails in tables of all images found on the computer with check boxes next to each thumbnail. After all this information is generated the Python script then opens a browser calling that page in the RAM disk. The user is then supposed to check images of interest, the checked checkbox values are stored in an array. When the user has finished selecting all of their items, the user would submit. What I would like to then happen would be for the array values to be passed to the python script, then the python script would take each item referenced from the values in the array and hash them, then stick the thumbnails onto a PDF, 8 per page, each thumbnail with hash values of the original file, path and modified/accessed/created times from the OS. To generate the hash values of the local image files and get the MAC times I need to access the local machine with Python, as JS lives in its little sandbox. Hope this makes sense!

You can set up your own local server and connect the browser to it. Something has to open a connection and something has to listen for connections. So automatically your python client turns into a server, however it sounds.
Anyway, why are you not using just javascript? Most things can be done with lone js.
UPDATE:
You can also just forget about html and javascript and make everything in python. Check PyQt4, you can pretty easily make your own gui to check images with it.
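The local-server approach from the answer above, as an added example that is not part of the original posts: a listener bound to loopback only, which accepts a selection only when it carries a per-run token and names paths the script itself put on the page, then hashes each file and reads its timestamps. The names `describe`, `process_selection` and `make_server` and the JSON message shape (`token`, `selected`) are assumptions made for this sketch.

```python
import hashlib, hmac, json, os, secrets
from datetime import datetime, timezone
from http.server import BaseHTTPRequestHandler, HTTPServer

def describe(path):
    """SHA-256 and OS timestamps of one original file."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 20), b""):
            digest.update(chunk)
    st = os.stat(path)
    iso = lambda t: datetime.fromtimestamp(t, timezone.utc).isoformat()
    # st_ctime is creation time on Windows, inode-change time on POSIX.
    return {"path": path, "sha256": digest.hexdigest(), "modified": iso(st.st_mtime),
            "accessed": iso(st.st_atime), "ctime": iso(st.st_ctime)}

def process_selection(body, expected_token, known_paths):
    """Return (HTTP status, records) for one submitted selection."""
    try:
        msg = json.loads(body)
        token, chosen = msg["token"], msg["selected"]
    except (ValueError, KeyError, TypeError):
        return 400, []
    if not isinstance(token, str) or not hmac.compare_digest(
            token.encode("utf-8", "replace"), expected_token.encode()):
        return 403, []   # request did not come from the page we generated
    # Accept only paths the script itself listed, never arbitrary ones.
    if not isinstance(chosen, list) or not all(
            isinstance(p, str) and p in known_paths for p in chosen):
        return 400, []
    return 200, [describe(p) for p in chosen]

def make_server(known_paths, results):
    token = secrets.token_urlsafe(32)   # write this into the generated HTML
    class Handler(BaseHTTPRequestHandler):
        def do_POST(self):
            size = min(int(self.headers.get("Content-Length") or 0), 1 << 20)
            status, records = process_selection(self.rfile.read(size), token, known_paths)
            results.extend(records)
            self.send_response(status)
            self.end_headers()
    # Loopback only, OS-chosen port: nothing off the machine can connect.
    return HTTPServer(("127.0.0.1", 0), Handler), token
```

The token matters because any other page open in the same browser can also send requests to a loopback port; without it, the listener would hash whatever that page asked for.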

Server side injection on ASP.NET backend (IIS) by arbitrary file upload

I'm not an expert in cyber security and exploits. I need help figuring out if my app is vulnerable and in what way.
Let's assume I'm an idiot (and I'm not to this extent), and I leave the possibility for client users to upload (exploiting my front end) any file they want on my server in a subfolder (let's call it 'danger') of my ASP.NET application, hosted on IIS.
Being that way, anybody can upload a generic example.html file and access it back at the url mydomain.com/danger/example.html. They can also upload JS files and whatever they want.
Let's forget for a moment the fact they can fill my disk.
Given I prevented ASP execution from files in that folder, what kind of damage can I be subjected to?
Thanks in advance.
Just off the top of my head:
An attacker could upload a corrupted file which would trigger a remote-code execution vulnerability in your antivirus, potentially executing code under the local system account. (I've seen this happen with Windows Defender, and I've seen reports of similar vulnerabilities in other AV products.)
They could upload a file with a mangled name which exploited a bug in IIS to bypass your file-type checks and the "no execute" flag on the folder. (I've seen this reported, albeit in a very old version of IIS.)
If the files can be accessed publicly, they could host their own content on your site, potentially including illegal or malicious content. This could damage your site's reputation, and potentially leave you liable to prosecution.
Well, yes, you do have to be careful IF YOU allow any kind of preview, or say allow the person to download the file, but when you download, you also attempt some kind of preview on the server.
In fact, this is not a lot different than dropping a simple text box into a form, and then letting the user type in information into that text box, you then say hit submit button, and now re-display the page with what they just typed in.
What happens if they start typing in javascript text into that text box?
Say a multi-line text box in which you can type in a paragraph of comments or text.
So, you type in this:
Hellow how are you
<script>
JavaScript code here
</script>
Now, when you go to re-plot the page - not only do you re-display what was typed in, but the script code typed in ALSO will run!
In fact, if you drop a text box on a web page, and do this:
Hello, how <script> are you
You notice you get a page execution error (because asp.net has built in protection to NOT allow this). However, if you adopt some html editor text box (ckEdit, or ajaxtoolkit editor), such controls will have additional security code to prevent end users from typing in script code.
So, a few things you have to be concerned about:
If you allow up-loading of files, then ensure that you don't have code that attempts to load/execute that file. So, you might allow users to up-load pdf files, and then maybe a routine that attempts to "open" or use that file. But what happens if they in place of a pdf file up-load a MyTest.exe. In other words, they up-load an executable program in place of a pdf? Well, then you're mostly ok, but you BETTER NOT have code that attempts to load such files - especially code behind that may use some library or code that in effect launches that pdf or word or exec file. Since that code then might try to load or run what is now a .exe program.
So, this means a few things:
You want to limit the file extensions allowed
You need to ensure that your code does not "execute" that up-load file
If you allow download of that file, then be careful how you do this (again, ensure that you don't open up the possibility to execute that file).
So, for the most part you should be ok, but if up-loaded files are further processed by your server side code, then just be aware of HOW you open or process such up-loaded files.
As noted, say users up-load a simple text file, and after up-loading you take the text from that file, and then display it in some kind of memo or text box in a web page. But, again, are you sure it is just text in that file? And if you pull the content from that file and THEN have it render in your browser (because you assumed text), it now might have browser code injected into that text file.
So, any point in your server side code that opens up-loaded files, pulls the content and THEN say spits out that content for display of data is a caution area.
So, the first simple line of defense?
Limit the types of files. If users are expected to upload only PDF files then ONLY allow say PDF and maybe .zip file extensions - reject anything else.
And as noted, just keep in mind any kind of post-processing code you have that runs AFTER up-loading that file. If your site is taking such up-loaded files, and is to open up the file(s), AND THEN DISPLAY that content back to the end user, then again caution is required, since when you display such content in a browser, that content in theory can have script code - and like anything else your code spits out to the browser (like a web page with HTML etc.) also means that the browser will run that script code.
I mean, a browser simply takes whatever the server sends to that browser, and renders the HTML. However, these days, browsers have MUCH more ability to also run code in that browser. So, that's why now you can say run cool games 100% in a browser, since browsers have become VERY powerful systems, and almost their own computer system in their own right. So, the ability of browsers to run code and give an experience that rivals the desktop in terms of speed and response (and even interactive games) is the result of browsers now being able to run code and do much MORE than just display some simple HTML.
So, under no case should you allow up-loading of files, and then have some software that can "run" or even pull contents of that file and spit it out back to the user in the form of browser display. And the reason is that file content may well have executable code in that file contents.
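The three cautions from the answer above (limit file types, be careful on download, never echo uploaded content back as page markup), as an added example that is not part of the original posts. It is written in Python rather than ASP.NET to stay language-neutral, and goes one step past an extension check by also comparing the file's leading bytes; the function names and the PDF/ZIP policy are assumptions made for this sketch.

```python
import html, os, uuid

# Assumed policy for this example: PDF and ZIP only, each with its leading bytes.
ALLOWED = {".pdf": b"%PDF-", ".zip": b"PK\x03\x04"}

def accept_upload(client_name, data):
    """Return the server-side name to store under, or None to reject."""
    base = os.path.basename(client_name.replace("\\", "/"))
    ext = os.path.splitext(base)[1].lower()
    magic = ALLOWED.get(ext)
    # Reject unknown extensions and files whose content does not match
    # the extension (for example an executable renamed to .pdf).
    if magic is None or not data.startswith(magic):
        return None
    # Store under a generated name: nothing from the client's file name
    # (extra dots, separators, odd characters) reaches the file system.
    return uuid.uuid4().hex + ext

def download_headers(stored_name):
    """Headers that make the browser save the file instead of rendering it."""
    return {"Content-Type": "application/octet-stream",
            "Content-Disposition": 'attachment; filename="%s"' % stored_name,
            "X-Content-Type-Options": "nosniff"}

def preview_as_text(data, limit=2000):
    """HTML-encode uploaded text before placing it inside a page."""
    text = data[:limit].decode("utf-8", errors="replace")
    return "<pre>" + html.escape(text) + "</pre>"
```

With the encoding step in `preview_as_text`, a `<script>` block inside an uploaded "text" file is displayed as literal characters instead of being run by the browser.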

Getting Input From HTML And Storing It In A File (Static Website)

I am trying to make a simple form submission in a GitHub Repository.
Basically what I want to do is take the input of an HTML Tag and then store it in another local file such as another HTML file or a text file without a back-end.
I understand that there was a saveAs function within JavaScript (however I read that it had been discontinued due to security reasons). Once I get the data stored in a file I would call it in the HTML page with the <embed> tag to show it on the page. So basically I want the Input on the page, and then when it is appended to the file, to show up on the same page again when the page is refreshed. My reason for doing this is to make a make-shift Google WorkSpace-like page for my production studio.
Here's a visual of what I want to do:
HTML PAGE:
Embedded File Contents (externalfile.html) Go Here.
Input: Input Goes Here
Submit
When Submit is pressed, it takes the contents within the "Input Goes here" box and appends it to "externalfile.html", then when the page is refreshed, it shows the updated content above the form.
I am not well-versed in JavaScript but I know JQuery a good bit from making a few websites with Wix, but I do not know much native JavaScript nor its functions. Any advice would be helpful. :) Thank you. I would be adding multiple input boxes and such on the page.
Hello and welcome to StackOverflow!
Now, if I got your question right, you want to append something to a file and read this file without using any backend? Then I must disappoint you, because there is no way JavaScript allows this, since it would be a tremendous security risk. The reason is that any malicious JavaScript code on any webpage could then not only create malware files on your PC and drag them to some start-up folder, but would also be able to read all the files and documents on your machine (without your knowledge!). So I think you see where the problem is.
For your task I recommend using some kind of backend (i.e. NodeJS, PHP) and making things work with API requests and asynchronous JavaScript. Or you could serve your site with an ExpressJS backend and statically fetch the request and append its contents to a file. Then of course send an HTML file back with all the inputs the user made. The choice is yours.
Cheers

I can't see the data which is on web page in source code, but I can see via inspect element

I've been scratching my head since yesterday trying to find out about this.
When I navigate to account settings page and view source code, there's literally no user specific data like name, email, gender etc, but when I check via inspect element it's there. Same happens with other web pages like order history etc.
I'm assuming the data is being generated dynamically (Am I right?)
I have two questions about this.
How do developers do this?
What's the purpose of doing this? Since developers take the extra pain of generating data dynamically this must be solving an issue otherwise why would they do this?
By generating the new page dynamically, developers can improve the user experience. For example, if you had a separate html file for your settings page, the user would have to make a call to your server to receive that file and see the page (maybe 1/3 of a second). However, if the developer dynamically generates new pages using javascript or some framework, everything is stored locally on the user's machine meaning that the page loads significantly quicker (~1/500 of a second).
Hope this helps.

I want to convert a huge excel workbook (with multiple tabs) and few columns and rows hidden on WEB Page

When I tried saving the excel sheet in HTML and displaying it I got a few problems:
The numbers in each cell are distorted
Hidden rows and columns are displayed (I want them to keep hidden)
Top rows of my Excel sheet are frozen, I want them to stay frozen.
The Sheet is updated daily and I want the changes to be reflected in Web as well.
Could you suggest a way other than saving excel sheet in HTML? Any other way I could start this project?
P.S: I hold the knowledge of HTML, CSS, JavaScript.
Do I need to learn any additional skill set to pull off this project?
If you are running IIS or can otherwise run .NET code on your server, you can use the Open XML SDK. There are plenty of examples of using the SDK. Apparently, it even works with Mono if you're using Apache.
If not, if you've got some machine that can get to the Excel file and copy files to your web server and from which you can run a scheduled task, you can schedule a task on that machine that uses the Open XML SDK to translate the Excel file to HTML, then uploads that HTML to the server.
It doesn't have to be a complete page; it can just be the parts of the HTML you need. You can then have some JavaScript on the page that fires off an AJAX request to get the HTML file. This is true regardless of whether you're serving content dynamically generated by code running under IIS or a static file generated by code elsewhere and pushed to the server.
You might have something like:
<!-- page where the spreadsheet should go -->
<div id="put-excel-worksheet-here"></div>
Then:
$.ajax({
    url: "/path/to/converted-data-partial-html.html",
    // The response is inserted as HTML, so it must come from your own conversion step.
    success: function (excelHtml) {
        $("#put-excel-worksheet-here").append($(excelHtml));
    }
});
And your ASP.NET page response or scheduled task would convert your Excel file to something like <table><thead><tr><th id='column-one-th'>....
Either way, I'd recommend you work with a copy of the file rather than the original, since I've found Office can get a little finicky with files being open in two places at once.
As for freezing the top rows, here's a fiddle with an example.
Good luck!
edit: As an alternative to putting millions of cells worth of HTML onto a single page, it might make sense to load the Excel data into a relational database like MySQL or Microsoft SQL Server and do some custom web development to pull the data out of that with pagination and filters and other nice reporting features.
If the data in the Excel file is coming OUT of another system, you might be able to set up a system-to-system integration. If not through an integration, though, the Open XML SDK is how I'd do it. You don't have millions of rows to put up per your comments above, so this suggestion doesn't make sense.
edit: Oh, and I recommend your scheduled task run during a time when people aren't likely going to be using the system. If, for example, your users are all in a few adjacent time zones, have the task run at 3:00 AM in the Eastern-most time zone.

have python script send data to javascript using JSON to change web page

I am working on an interactive display with sensors on a raspberry pi. My display is showing a webpage. I am using a python script to interact with the sensors. I want it so that when a user walks by, a different web page is displayed in the web browser. I have already tried changing to a different web page doing it straight from the python script. Unfortunately, it does not work the way I want it to. JavaScript works just fine for changing to a different page. I am thinking it might be good to have my python script send a message to a javascript file to change the page using JSON. Does this sound like a practical solution? Thanks.
Create your html file as a string in python. This string can be modified in response to sensor input. Write it to a file on your system where the html source file exists; rewrite each time the sensor inputs change. Set up a timer in Javascript, e.g. setTimeout() to refresh the page often.