hello my question is what is the best approach to Restrict access to some urls of wordpress website to single referrer domain.
as far as I am familar with javascript I found a way for that. but I think javascript code is not good, because the source code of the page does not change.
I wrote this code:
function getCookie(name) {
const value = `; ${document.cookie}`;
const parts = value.split(`; ${name}=`);
if (parts.length === 2) return parts.pop().split(';').shift();
}
document.body.style.display="none";
var url = document.referrer;
var domainname;
var referal_code = getCookie("protect_faq_pages");
console.log(url);
if(url){
var anchor = document.createElement("a");
anchor.href = url;
domainname = anchor.host;
console.log(domainname);
if(domainname == "softwareservicetech.com"){
var cookieString = "protect_faq_pages=cWs#fgf$a1fD#FsC-)";
document.cookie = cookieString;
}
}else if(!(referal_code == "cWs#fgf$a1fD#FsC-)")){
document.getElementById("page").innerHTML="<p>Sorry you do not have permission to view the content</p>"
}
console.log(referal_code);
document.body.style.display="block";
this site can be accessed itself:
https://health-unity.com/
you can find out the page below is restriced on the view :
https://health-unity.com/help-centre/videos/
and also these pages too:
https://health-unity.com/help-centre/videos/video-number-2/
https://health-unity.com/help-centre/videos/video-number-1/
but when click on the link on below site (link to health-unity-videos):
https://softwareservicetech.com/testpage/
the archive page will be accessible after that. user can go to the pages below directly:
https://health-unity.com/help-centre/videos/video-number-2/
https://health-unity.com/help-centre/videos/video-number-1/
these were restricted before and now can be accessed by a cookie that is set.
but the problem is that page source still exist and did not changed by javascript code and user can view the page source. also I want that the cookie value should be hidden. because of these two problem I think javascript is not a good idea.
please share with me if there is way with javascript, php, or editing functions.php or .htaccess file to achieve this.
thank you for your response in advance
You can use $_SERVER['HTTP_REFERER'] in functions.php
For example:
<?php
add_action('init','check_referrer');
function check_referrer(){
if( str_contain($_SERVER['HTTP_REFERER'], 'https://example-domain.com/'){
// do somthing
}else{
// do somthing else
}
}
?>
My JS file has the following code
function changeLanguage(newLang) {
var winLoc = String(this.window.location);
var pos = winLoc.indexOf("lang=");
var spacer = '?';
if(pos >0) {
var curLang = winLoc.substring(pos+5,pos+7);
winLoc = winLoc.replace('lang=' + curLang, 'lang='+newLang);
} else {
if(winLoc.indexOf("?") > 0) {
spacer = '&';
}
winLoc = winLoc + spacer + 'lang=' + newLang;
}
this.window.location = winLoc; //here is the issue
}
I am encountering XSS Cross Site Scripting issue at the highlighted line when scanning the code through HP Fortify Tool.
what can I do here so that HP Fortify doesn't treat this as a vulnerability? Thanks in advance
Assign location using location.assign. It compares origin of your script with desired url before it's assigned.
From link above:
If the assignment can't happen because of a security violation, a DOMException of the SECURITY_ERROR type is thrown. This happens if the origin of the script calling the method is different from the origin of the page originally described by the Location object, mostly when the script is hosted on a different domain.
You can also use location.replace to prevent current page from being saved in session History.
I need to get the current web page url in a single variable like:
var x = window.location.href;
But the problem is the script will be used sometimes in Cross domain Iframe & sometimes in same domain. Since window.location.href does not work in Cross domain iframe, so I have tested
x = document.referrer for cross domain Iframe(read only) and it worked fine. But I need both option in a single variable so I can use it in url validation with .match() method in Javascript.
I tried to combine like this, but its not working
var x = window.location.href;
if (typeof(window.location.href) === 'undefined') {
x = document.referrer;
}
My full codes are here:
// Get the url-This part isn't working
var x = window.location.href;
if (typeof(window.location.href) === 'undefined') {
x = document.referrer;
}
// Url validation--This part is working fine
var y = "zebra";
var rgxp = new RegExp(y, "gi");
if (x.match(rgxp) > -1) {
alert('Found a zebra in url');
I don't know is it really possible to combine or not, but otherwise I think I have to repeat this script twice. 1 for cross domain Iframe & a 2nd for the same domain.
I am fairly new in Javascript & got stuck here, so any help and direction would be a lifesaver
I want to create a Bookmarklet which will load one link out of a list of ten links, order doesn't matter, but weight-age does.
I tried http://www.htmlbasix.com/textrotator.shtml but it's for rotating a link on a webpage, how to make a Bookmarklet which will open a random URL from the list? Kind of URL rotator script within a bookmark.
Any efficient way to do that?
Thanks in advance.
You can't setup bookmarklet to run automatically. Consider writing browser extension or just use curl.
Not automatically.
Then it varies.
First, if you're 100% that pages don't redirect you anywhere you can try to use window.location inside you bookmarklet in next way:
var next = urls.indexOf(window.location.href) + 1;
next = next < urls.length ? next : 0;
window.location = urls[next];
If one of pages redirects or messes with url then you can use localStorage on your own domain and postMessage to store any data between bookmarklet calls.
I have found the solution after few tries
javascript: (function randomlinks() {
var myrandom = Math.round(Math.random() * 9);
var links = new Array();
links[0] = "http://www.javascriptkit.com";
links[1] = "http://www.dynamicdrive.com";
links[2] = "http://www.cssdrive.com";
links[3] = "http://www.codingforums.com";
links[4] = "http://www.news.com";
links[5] = "http://www.gamespot.com";
links[6] = "http://www.msnbc.com";
links[7] = "http://www.cnn.com";
links[8] = "http://news.bbc.co.uk";
links[9] = "http://www.news.com.au";
window.location = links[myrandom];
})()
I have the following code as a Google Apps Script (deployed as a web app) and have inserted it into my Google Enterprise page as a Google Apps Script Gadget. The UI (panel) loads properly with the label, textBox and button, but when I enter in text and click the button, I get the following error:
Error encountered: The resource you requested could not be located.
Here is my script:
function doGet(e) {
// create all UI elements
var myApp = UiApp.createApplication();
var panel = myApp.createVerticalPanel();
var label = myApp.createLabel('Please enter the name of your new site:');
var textBox = myApp.createTextBox().setName('txtSiteName');
var button = myApp.createButton('Create Site');
var btnHandler = myApp.createServerHandler('createNewSite');
button.addClickHandler(btnHandler);
btnHandler.addCallbackElement(panel);
// add all UI elements to the panel
panel.add(label);
panel.add(textBox);
panel.add(button);
// add the panel to the app
myApp.add(panel);
// return the app to the browser to be displayed
return myApp;
}
// button server handler
function createNewSite(e) {
var domain = SitesApp.getActiveSite().getUrl();
var siteName = e.parameter.txtSiteName;
var newSite = SitesApp.createSite(domain, siteName, 'script_center_demo', "this is just a test page");
return app.close();
}
Also, what is the difference between createSite() and createWebPage()?
EDIT: Ok, so using the same doGet() function above, my createNewSite() function could look like this?
function createNewSite(e) {
var domain = 'my-domain.com';
var siteName = e.parameter.txtSiteName;
var newPage = SitesApp.createSite(domain, siteName, 'script_center_demo', "this is just a test page");
var pageName = 'script_center_demo';
var html = '<div><p>This project aims to....</p></div>';
var site = SitesApp.getSite(domain, site);
site.createWebPage('Script Center Demo', pageName, html);
return app.close();
}
Look at this line:
var domain = SitesApp.getActiveSite().getUrl();
You're need to obtain a domain, e.g. example.com, but this line will yield a URI containing google's domain, and a resource path (that contains your domain). Example:
https://sites.google.com/a/example.com/mySite/
^^^^^^^^^^^
When you attempt to create a new site, it cannot be found as a domain. You need to strip the result of getUrl() down to just the domain name.
If you're the Domain administrator, you can use this instead:
var domain = UserManager.getDomain();
Ordinary domain users don't have access to the UserManager Service, so they would need to parse the site URL to extract their domain. I suggest using parseUri by Steven Levithan to handle the task:
var uri = parseUri(SitesApp.getActiveSite().getUrl());
var domain = parseUri(uri.path.slice(3)).host;
The .slice(3) operation is intended to remove /a/ from the path property of the parsed Site URI. This works on my accounts in multiple domains today - ymmv.
After that, we treat the remaining path as a URI and invoke parseUri() again, extracting the host property, which should be our domain.
Also, what is the difference between createSite() and createWebPage()?
You create an instance of a Site, using the Sites service method SiteApp.createSite. Not much to look at, a Site object is a container, a skeleton - you use the Site.createWebPage() method to create Web Pages that will be contained in the Site, and visible to users, mainly via web browsers.
Edit - Debugging Results
Debugging WebApps is tricky. Get familiar with "View - Execution Transcript", since it will show a trace of execution for your createNewSite() handler function when it's invoked. Using that technique, here's what I found, part 1:
We can't call SitesApp.getActiveSite().getUrl() in the handler, because when it's invoked there is no active site. You're already using the simple work-around of hard-coding the domain.
When trying to get a handle on the new site, you have var site = SitesApp.getSite(domain, site);. This is where your latest "resource error" message was coming from. The site parameter is left-over from insertion of the function - it needs to be a string, matching the site name used in createSite().
You're returning app.close(), but have no app defined in the function.
With those problems fixed, here's problems, part 2:
The dialog lets users enter a site name, but there are restrictions on those that need to be followed to make createSite succeed. The simplest rule is that the site name must be lower case. Why not let users enter the site title, and derive the name from that?
What if the site already exists? That's not handled. Same thing for the page creation, later on.
There's no feedback to the user. The example below has very rudimentary status updates in it, which are appended to the UI.
updated code
function createNewSite(e) {
var app = UiApp.getActiveApplication();
var domain = 'mitel.com';
var siteTitle = e.parameter.txtSiteName;
var siteName = siteTitle.toLowerCase();
var result = 'Results: ';
var site = SitesApp.getSite(domain, siteName); // Check if site already exists
if (site)
result += 'Site "' + siteName + '" exists, ';
else {
// Doesn't exist, so create it
site = SitesApp.createSite(domain, siteName, siteTitle, "this is just a test page");
result += 'Site "' + siteName + '" created with title "' + siteTitle + '", ';
}
var pageName = 'script_center_demo';
var html = '<div><p>This project aims to....</p></div>';
var page = site.getChildByName(pageName); // Check if page already exists
if (page)
result += 'Page "' + pageName + '" exists, ';
else {
// Doesn't exist, so create it
page = site.createWebPage('Script Center Demo', pageName, html);
result += 'Page "' + pageName + '" created, ';
}
result += 'Done.';
// Add result text to UI
var uiResult = app.createLabel(result, true);
app.add(uiResult);
return app.close();
}