I am trying to implement what seems to be very simple JavaScript redirection, via the following rudimentary command:
window.location.href = "http://www.somesite.com";
So far so good, it works. I also can do it via the following method:
location.replace("http://www.somesite.com");
No problem here, it works again! The problem comes when I loose the protocol out of the string:
window.location.href = "www.somesite.com";
OR:
location.replace("www.somesite.com");
It just appends the new location to the current url:
www.currentsite.com/www.somesite.com
Of cause, that's not what I want. Is there any way to force the redirect?
One way is to use protocol-relative url like this:
window.location = "//www.somesite.com";
Or
window.location = "//somesite.com";
This way, it would redirect and browser itself will take care of figuring out protocol part eg http or https
Working Example
The protocol is required.
How else would the browser know whether
location.replace("mysite.pl");
was going to a Polish website or a Perl script on the current website?
You could do something like this to add http:// to the URL if it's not already there... although I can't think of a reason for not just including it yourself. Why complicate things?
function redirect(url) {
if(url.substr(4) != "http")
url = "http://" + url;
window.location.href = url;
}
redirect("www.google.com")
Related
In my code, I'm assigning the following:
window.location.href = "www.example.com/test";
But when the page actually loads, the browser URL is www.example.com/test/www.example.com/test. I'm not appending anything to the URL, and I'm not sure how its appending the URL again.
I think you're missing the "http" or "https" part. Have you tried the following?
window.location.href = "https://www.example.com/test";
or
window.location.href = "http://www.example.com/test";
Because you forgot the protocol. If you omit the protocol, window.location.href thinks you are trying to access a folder with the name of www.example.com, relative to the page you are currently on.
window.location.href="http://www.example.com/test/" will ensure that you access the external website www.example.com.
Hope this helps! :)
Check the way you are constructing the url, sometimes we miss the host, or enter the incorrect path
A safe way to change the URl is by making changes in the exisiting URL
first get the existing URL by
let exisitingURl = window.location.href;
now manipulate this url, for eg
exisitingURL = exisitingURL.replace('/auth', '/gateway');
now go to the url by
window.location.href = existingURL;
I have a page which redirects to a url from parameters in query string like:
page.html?redirectUrl=index.html
Inside the page i have code like this:
window.localtion.href = redirectUrl;
It is requiements to use redirect url by parameters. The page contains secure sensitive data. Someone can make the url with javascript like:
page.html?redirectUrl=javascript:alert(document.getElementById("password").value)
and secure data can be stolen.
How to prevent bypass javascript code to window.localtion.href?
You might try putting the URL in an anchor element and checking the protocol:
var anchor = document.createElement("a");
anchor.href = redirectUrl;
if(anchor.protocol != "javascript:") {
window.localtion.href = redirectUrl;
}
However, I'm not sure how good the browser support is for this, since MDN lists it as an HTML5 feature.
This seems like it would work as long as you're not redirecting with it:
Javascript:
var field = document.getElementById("redirectUrl");
var newValue = String(field.value);
alert(newValue);
Basically, using the String constructor to "sanitize" the input.
These will probably help more with other cases:
https://www.owasp.org/index.php/XSS_%28Cross_Site_Scripting%29_Prevention_Cheat_Sheet
https://www.owasp.org/index.php/DOM_based_XSS_Prevention_Cheat_Sheet
Overall, I would recommend NOT using Javascript to sanitize input. If you're handling really sensitive or important data you are highly recommended to use a server-side language to validate and sanitize your input.
My goal is to redirect my website to (/2012/index.php)
ONLY IF the user goes to ( http://www.neonblackmag.com )
ELSE IF
the user goes to ( http://neonblackmag.com.s73231.gridserver.com ) they will not be re-directed... ( this way i can still work on my website and view it from this url ( the temp url )
I have tried the following script and variations, i have been unsuccessful in getting this to work thus far....
<script language="javascript">
if (document.URL.match("http://www.neonblackmag.com/")); {
location.replace("http://www.neonblackmag.com/2012"); }
</script>
This should work:
<script type="text/javascript">
if(location.href.match(/www.neonblackmag.com/)){
location.replace("http://www.neonblackmag.com/2012");
}
</script>
You should use regular expression as an argument of match (if you're not using https you can drop match for http://...
In your solution the semicolon after if should be removed - and I think that's it, mine is using location.href instead of document.URL.
You can also match subfolders using location.href.match(/www.neonblackmag.com\/subfolder/) etc
Cheers
G.
document.url doesn't appear to be settable, afaict. You probably want window.location
<script type="text/javascript">
if (window.location.hostname === "www.neonblackmag.com") {
window.location.pathname = '/2012';
}
</script>
(Don't use language="javascript". It's deprecated.)
Anyone at any time can disable JavaScript and continue viewing your site. There are better ways to do this, mostly on the server side.
To directly answer your questions, this code will do what you want. Here's a fiddle for it.
var the_url = window.location.href;
document.write(the_url);
// This is our pretend URL
// Remove this next line in production
var the_url = 'http://www.neonblackmag.com/';
if (the_url.indexOf('http://www.neonblackmag.com/') !== -1)
window.location.href = 'http://www.neonblackmag.com/2012/index.php';
else
alert('Welcome');
As I said, this can be easily bypassed. It'd be enough to stop a person who can check email and do basic Google searches.
On the server side is where you really have power. In your PHP code you can limit requests to only coming from your IP, or only any other variable factor, and no one can get in. If you don't like the request, send them somewhere else instead of giving them the page.
header('Location: /2012/index.php'); // PHP code for a redirect
There are plenty of other ways to do it, but this is one of the simpler. Others include, redirecting the entire domain, or creating a test sub domain and only allow requests to that.
I am trying to redirect to a different page in IE9 (9.0.3).
When I try to get/set document.location, or document.location.href, or window.location/window.location.href, I'm unable to do so. It fails without giving any errors.
I've tried to check whether the document and windows objects are set, and they are, so I have no idea why the location object is "missing".
I tried getting the document.URL and that works fine, but it's read-only.
Anyone know what the problem is or how to achieve this in a cross-browser way?
I was also experiencing the same problem but found that adding
window.event.returnValue = false;
above line in the javascript before the redirection resolved the problem.
See this: http://social.msdn.microsoft.com/Forums/en/iewebdevelopment/thread/c864ae63-66f6-4656-bcae-86b0018d70c9
Apparently it's a caching bug, you can solve it by appending a timestamp to the destination URL (that is, using a "unique" URL every time).
Perhaps your IE9 has some security restrictions in place that prevent JavaScript from directing URL's. window.location.href = "" should work normally on IE9.
Cache may be the reason, try:
location.href='something.php?tmp=' + Date.parse(new Date())
Hope it helps
You should use an absolute URL:
var url = '/section/page/';
var host = window.location.hostname;
window.location = 'http://' + host + url;
Where url is the relative path to your page.
I'm just building a simple ajax site but running into a problem in safari and chrome. I'm just creating a simple redirect if the user goes to a page i.e.
"/blog"
they would be redirected to
"/#/blog"
code :
url = window.location.pathname
if(url != "/") {
window.location.pathname = "/#" + url
}
This is working great in FireFox but unfortunatly webkit browsers are turning the "#" into a "%23" and giving a 404, for example:
"/%23/blog"
How can I prevent this?
Thanks,
Alex
pathname refers to everything after the host, and before the query string and hash. Consider this instead:
window.location.hash = window.location.pathname;
window.location.pathname = "/";
I'm not exactly sure which browser(s) are implementing the JavaScript spec correctly, but WebKit's behavior seems correct to me.
You are setting pathname, which, by definition, does not include the hash. Webkit is trying to fix that for you (Firefox just made a better guess of what you wanted). Try this:
window.location = '/#/blog';