Is it possible to create dynamic js file creation?
e.g. I am referring MyJs.js using tag as usual, but source will be accompanied with a context value.
now what I expect, at server side, MyJs.js will be written according to the context value; just like a jsp page.
Is it possible?
For sure. I guess you're using Java (given you mentioned jsp). Just map the request (MyJs.js) to your jsp (or whatever framework dispatcher you use) in web.xml, and then make sure to set the content-type of the response to text/javascript.
If you give more details then you might get a more detailed respones :)
YES
just make sure your response header: Content-type set as: 'text/javascript';
Related
I have a javascript in which I use $.post() command to post variables to a php file, I have the URL of the php file hardcoded in the same .js file.
I just want to know if it's possible for someone to inject $.post() command from address bar and send invalid data to the PHP file?
if yes, how to prevent or how to detect those invalid data?
Yes, anybody who knows how to code in JavaScript could send an AJAX POST request to your PHP file.
As for how to detect the invalid data, that depends entirely on what makes the data invalid. You'll simply need to check the POST values against whatever criteria you're expecting valid data to meet, and then ignore any requests that don't meet those criteria.
Yes, it's very simple. Attacker can modify, add or remove any JavaScript running in the browser, modify DOM, etc. Tools like Firebug allow anyone to call arbitrary JavaScript from the console. Moreover one can simply use curl to run your server and send arbitrary data.
if yes, how to prevent or how to detect those invalid data?
You must ensure data validity and integrity on the server side. Also you might want to add some security on the server side and do not depend on some JavaScript function being "hidden".
Sure, by prepending the script with the javascript: scheme you can do pretty much anything you want to a site:
javascript:$.post(/* stuff here */)
You should always validate your incoming data on the server side, because not only may someone use the javascript on your site to do this, but they may use other tools, like curl or whatever else that will let you make http requests.
Can anyone please explain how jquery handles cross domain requests? I understand the theory that it does via script using src attribute as url. But i was trying to test the same thing in plain javascript . I need to know the sequence of activities to be done for a post request. at what stage the data is sent and script element is constructed ? I am tired of asking the same at different forums where i got to see links explaining CORS. i need a to-do solution here.
Thanks
PS: sorry if i am asking too much :)
The ajax request URL is set as the .src attribute on a dynamically generated script tag and a parameter is added to the URL &callback=someFunc where someFunc is a local javascript function. When the server receives the URL, it's job is to parse the generate javascript that contains the returned data and then calls the passed in function name with the data as an argument. This is usually referred to as JSONP.
I have an aspx page, without the code behind cs file.
therefore, if I wanted to get the value from web.config AppSetting,
is it possible to do this in JavaScript or jQuery?
Appreciate if you could provide me some references, thank you.
Not directly. The config files are locked down by IIS so direct access is impossible.
You will have to go via Ajax to the server and request the setting.
Use this to make the call to the server asynchronously
http://api.jquery.com/jQuery.ajax/
You will need either a Web Method/ Service / Controller Action (if MVC) to handle the incoming request.
Alternatively send the value down in the initial page request via a hidden field or JavaScript variable set.
IIS by default will not serve Web.Config (or a selection of other file types as well) for reasonably obvious security reasons so you'd need to return your application setting to jQuery via an Ajax call or similar.
I would add a asp Hidden field and then set its value on page load from web.config.
You can access that information from JQuery.
The answer is here :
Can i read data from web.config using JQuery?
"Jquery is javascript that runs in your browser, your web.config resides on your server..."
The simple answer is : Not directly , you will have to call a webSerivce method .
It is common that you get the web.config parameters in your code behind.
Is something like this possible?
<script src="http://myserver.com/some.js" my-custom-header="foo"></script>
Update (a bit more detail):
I've been asked if there was a way to communicate some parameters to the server as part of the script request using headers instead of GET params. I said, "no," but thought I'd double check.
Short answer: no. By default a script tag will just retrieve the resource specified in the src attribute.
However, if you use an AJAX request to retrieve the script (and add it later/execute it), you can use the setRequestHeader function of the XMLHttpRequest object (see http://www.developertutorials.com/learn-ajax/custom-http-headers-2643.php).
You could also use more complex methods, such as using mod_rewrite to rewrite paths, and include the parameters in the url. The best solution depends on what you want to do, and how much control you have over the server.
No. You'll need to set the headers on the server that's serving up the JS file.
EDIT: I misinterpreted what you meant, it turns out you wanted to set a request header, not a response header. This is still not possible (from HTML) as far as I know.
It seems like this question is asked periodically and the common response is "You shouldn't do that with AJAX anyway. Just set the window location to the file."
But I'm trying to request a file that doesn't actually exist out on the server anywhere. It's dynamically generated (by a Django view) given the GET/POST context parameters. The file I want to retrieve via AJAX, and then save to the client machine, is a text file (csv).
I can currently get the text to the client machine (and can verify this by seeing it in logging or an alert) but cannot then figure out how to save this text to a file inside of the AJAX success callback fn.
Essentially, is this possible, is it something JS can do? That is, to open file save dialogs for "files" that are actually AJAX response text?
From the browser's point of view, it doesn't matter if the file exists or not, it's just a resource on a server that it's requesting. I think you're going to need to do some version of "Just set the window location to the file". If you set the content type in the header to something that the browser doesn't recognize, I believe it will ask the user if they want to save it.
As others mentioned, you can't do it only with JavaScript.
IMO the best option would be the Flash 10+ FileReference API.
There are some good JavaScript wrapper libraries like Downloadify that provide a JavaScript API to access those methods.
Give a look to this demo.
This isn't something JavaScript (and therefore jQuery or anything other JS framework) is allowed to do, for security reasons. You may be able to do what you want to flash or another route, but not JavaScript. Bear in mind Flash has it's own slew of security restrictions for this as well.
(Yes, IE can do this via an ActiveX object, but I'm not counting that as a "solution" here)
Basically, no. Javascript cant save anything to the local machine due to security restrictions. Your best bet may be to have a signed applet that the user can trust to write the file, or put it in a textarea that they can then easily copy and paste into a new file.
Could you not use the PHP rename() function for this, instead of just Javascript? Call to a PHP file and pass the name of the file you want to copy along with where as parameters?
I have the same problem. You can try this
<button id="Save">Save</button>
<img src="MakeThumbnail.ashx?Image=1.jpg" id="imgCrop">
$("#Save").click(function (e) {
url = $("#imgCrop").attr("src")+"&Action=Save"
e.preventDefault(); //stop the browser from following
window.location.href = url;
});