I'm wondering if, with the new File API exposed in Chrome (I'm not concerned with cross-browser support at this time), it would be possible to write back to files opened via a file input.
You can see an example of what I'm trying to accomplish here: http://www.grehz.com/ide.
I know I can use server side scripts to dynamically create the files and allow the user to download them normally. I'm hoping that there's a way to accomplish this purely client side. I had read somewhere that you can write to files opened via a file input. I haven't been able to find any examples of this, though I have seen passing references to a FileWriter class.
I wouldn't be at all surprised if this turned out to be impossible, though (it seems likely that there are security issues with this). Just looking for some guidance or resources.
UPDATE:
I was reading here: http://dev.w3.org/2009/dap/file-system/file-writer.html
As I was playing around in Chrome, it looks like FileSaver and FileWriter are not implemented, but BlobBuilder is. I can call getBlob() on the BB object, is there any way I can then save that without FileSaver or FileWriter?
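For reference, here's roughly the pattern I've been playing with in the console; the element ID is hypothetical, and the fallback names are my guess at what different Chrome builds expose:

// build a blob from the textarea contents (BlobBuilder may be prefixed)
var bb = new (window.BlobBuilder || window.WebKitBlobBuilder)();
bb.append(document.getElementById('editor').value); // 'editor' is a made-up ID
var blob = bb.getBlob('text/plain');
// without FileSaver/FileWriter, the closest thing to "saving" seems to be a URL:
var urlApi = window.URL || window.webkitURL;
window.open(urlApi.createObjectURL(blob)); // the user can then save manually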
UPDATE2:
I found this issue in the Chromium project: http://code.google.com/p/chromium/issues/detail?id=65615&q=FileSaver&colspec=ID%20Stars%20Pri%20Area%20Feature%20Type%20Status%20Summary%20Modified%20Owner%20Mstone%20OS
So it's clear that it hasn't been implemented in any version yet (however, no mention of FileWriter - although I believe FileWriter depends on FileSaver).
Moving away from that, I'm considering a server-side solution. When the user clicks save, the contents of the textarea are posted to a script that sends them back as plain text (or whatever MIME type would be appropriate) for the user to download. Any other suggestions? This solution is fine for a "save as", but it's a little clunky as a general-purpose save button.
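To make that round trip concrete, this is the client-side glue I have in mind; the endpoint name and element ID are made up, and the server script would have to answer with a Content-Disposition: attachment header so the browser downloads instead of navigating:

// post the editor contents to a script that echoes them back as a download
var form = document.createElement('form');
form.method = 'POST';
form.action = '/save.php'; // hypothetical server-side echo script
var field = document.createElement('input');
field.type = 'hidden';
field.name = 'contents';
field.value = document.getElementById('editor').value; // 'editor' is a made-up ID
form.appendChild(field);
document.body.appendChild(form);
form.submit(); // with the attachment header set, the page itself stays put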
From:
http://code.google.com/p/chromium/issues/detail?id=58985#c7
FileSystem is really the right place to store big files (which is what it sounds like you're doing) and is available in Chrome 9. I suggest you look at these alternatives.
Note the not-extensions label at the top left. It sounds like this may just be for Chromium OS. I emailed Jeremy, the developer who made this comment, for clarification.
Update:
Jeremy replied that extensions actually will get access to File API including writes, but that it will be confined to a sandbox. He also linked to some undeployed docs on the matter:
http://code.google.com/p/html5rocks/source/browse/www.html5rocks.com/content/tutorials/file/filesystem/index.html?spec=svn1cbb2aab2d6954a56f3067d2d3b9e997215be441&r=1cbb2aab2d6954a56f3067d2d3b9e997215be441
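From skimming those docs, the sandboxed API looks roughly like the sketch below (the quota size and file name are arbitrary); note that everything lands inside the browser's sandbox, not in the user's real filesystem:

// request a sandboxed filesystem, then write a blob into it
window.webkitRequestFileSystem(window.TEMPORARY, 5 * 1024 * 1024, function (fs) {
  fs.root.getFile('notes.txt', { create: true }, function (entry) {
    entry.createWriter(function (writer) {
      writer.onwriteend = function () { console.log('write finished'); };
      var bb = new (window.BlobBuilder || window.WebKitBlobBuilder)();
      bb.append('hello');
      writer.write(bb.getBlob('text/plain'));
    });
  });
}, function (err) { console.error(err); });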
No way that I know of to save until those APIs are implemented - which may be some time off.
It's most likely a virus: I got it from a local chicken shop's website, which asked me to update Firefox as it was apparently out of date. Which it wasn't, but okay. I clicked the thing because why not, and it downloaded a .JS file.
The file itself is seemingly a pile of gibberish, here's the first line:
(function(wyfdysu){var iwtquom="arwob"["c"+("H","q","n","o")+["U","n","H","H"][(-
So yeah, aside from a VM, is there any way I can safely inspect this?
Typically, malicious websites use so-called drive-by downloads to get their exploits onto your system. From there, they often use remote code execution to read and write data on your PC. This may be the case with you.
Inspecting the file
As it only downloaded a .JS file, you can safely inspect it with a text editor on your current system. You can also try to find an exploit that uses the same technique on Exploit-DB, or search for the code in question on Google. Your best bet, though, if you can't find any more information on the code, would be to hexdump it on a VM and try to reverse engineer what it does.
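If you want more than a raw text editor, a low-risk first step is to pretty-print the script without ever executing it; here's a minimal sketch using Node and the js-beautify package (the filename is whatever you saved the download as):

// read the suspicious script and print a formatted copy - nothing is executed
var fs = require('fs');
var beautify = require('js-beautify').js;
var src = fs.readFileSync('suspicious.js', 'utf8'); // hypothetical filename
console.log(beautify(src, { indent_size: 2 }));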
Takeaways
Never grant a malicious website access to files and privileges that it could exploit.
Never allow a malicious website to download a file for you.
I'm facing an interesting problem right now: I want to modify a PDF file generated on the server (using TCPDF and Symfony2) on the client before displaying it.
Why? The PDF will contain some semi-sensitive information, and our customers would probably be happy to hear that this info never leaves their machines. (I'm aware that HTTPS is considered pretty much safe enough; this is more of a luxury issue to reassure our customers that their data is safe.)
This is how far I got: Use placeholders on the PDF, save it as a String and retrieve it via AJAX, replace the placeholders with the local data, and convert the string to Base64. The real issue is getting the file to the user.
A lot of people recommend using the HTML5 "download" attribute and clicking a hidden link with it, but that method does not work in Safari or older versions of IE. Data URIs are another option, but beyond a certain complexity the Base64 string just gets too long and the browser freezes trying to display it in the address field. I also looked at libraries like Downloadify.js, FileSaver.js, etc., but none of these seem widely supported (or they rely on Flash, which I would love to avoid).
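For reference, the hidden-link variant I tried looks roughly like this (the variable and file names are made up); it behaves itself in Chrome and Firefox but, as noted, not in Safari or older IE:

// turn the patched PDF string into a blob and click a temporary download link
var blob = new Blob([patchedPdfString], { type: 'application/pdf' }); // hypothetical variable
var urlApi = window.URL || window.webkitURL;
var url = urlApi.createObjectURL(blob);
var link = document.createElement('a');
link.href = url;
link.download = 'report.pdf'; // made-up filename; the attribute is ignored by Safari/old IE
document.body.appendChild(link);
link.click();
setTimeout(function () { urlApi.revokeObjectURL(url); }, 0); // revoke after the click is processed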
I'm very open to suggestions as to what else I could try, or even someone telling me why what I'm trying to do is wholly unnecessary.
Let me preface by saying I have no idea of what I'm doing. I've inherited a system from a contractor that we hired to do a job. I'm not significantly familiar with web development, and I have no idea how the magic voodoo was configured or really works. If you're going to reply, be patient, and assume I don't know jack about what you're telling me - please don't leave anything "for the reader to figure out." I'm embedded by trade and would rather bang bits than develop back end code for a website.
Server is running on an embedded Linux platform (based on OpenWrt). The core is Lua/LuCI, but there's a plethora of .htm files that utilize both HTML and JavaScript.
What I want to do seems really, really straightforward, but I can't seem to make it work: there is a file in /etc that I want to be able to download from the server to the local machine. It needs to work with IE, Firefox, and Chrome.
I would have loved something like:
<a href="../../../etc/file" download>download</a>
But it doesn't work for files outside the subdirectory area that lua/luci knows about (i.e. I can't "../../../etc/file")
I've tried several different things, but the biggest issue is I can't seem to get the Lua/LuCI stuff to recognize anything new in the same directory that contains some of the .htm files, nor anything from the server's root directory (e.g. /etc/file). Usually whatever I try either goes back to the home page or displays:
No page is registered at '/admin/talon/file'.
If this url belongs to an extension, make sure it is properly installed.
If the extension was recently installed, try removing the /tmp/luci-indexcache file.
(And yes, I clear the cache before I reload the page).
I'm OK with creating a symlink to the file in /etc/, but that hasn't been fruitful either - mainly because I really don't know what kind of magic the Lua service is doing to find the existing files.
I'd prefer for the solution to be in just HTML and JavaScript.
Yes, I've looked around for a basic solution, but either the questions want to do more than just download, or there's not enough information for me to figure out what is supposed to be done.
Please post a full solution, not just snippets.
I was able to figure it out based on some other code within that same source. It worked on one page but not another - not sure why; just more sorcery. I had to work within the Lua scripting language to get to the file I wanted; the HTML was straightforward. If I knew what the magic thing was that made it work, I'd post the actual solution, but I think the solution is somewhat unique to how the original developer put things together, so it wouldn't be useful to anyone else.
I've looked around and haven't been able to find anything that will allow me to detect when a download is finished within Chrome.
The reason I want to do this is that I want to better "sort" my downloads once they are downloaded, automatically based on various criteria.
I've tried setting up a listener with: webRequest.onCompleted and while that seems to work for most resources (images, .ico, etc), I can't get it to trap a .ZIP or .EXE file download. I'm not sure why it won't, but it'll work for other resources without a problem.
I haven't set a filter on it, so it should (as far as I know) be pulling in all resources and checking them for the specified extensions. I know that might not be the best way to do the check, but I haven't found a better one yet.
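For reference, this is the shape of what I have now (the manifest already requests the webRequest and host permissions):

// log completed requests whose URL ends in .zip or .exe
chrome.webRequest.onCompleted.addListener(
  function (details) {
    if (/\.(zip|exe)$/i.test(details.url)) {
      console.log('finished: ' + details.url);
    }
  },
  { urls: ['<all_urls>'] }
);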
Looking at the experimental downloads API, that doesn't seem to do what I want either, as it mostly just initiates downloads, which isn't what I'm trying to do.
Thanks for any assistance!
Haven't seen an extension for this, but when you think about it, that kind of makes sense. It almost seems like something that should be native to the browser... I guess it does give you the most recent downloads, though, and that is relevant to your current task. Anyway, I thought I would mention that there is an experimental API that allows interaction with the browser's native download handling. It may be the reference you need to get the extension cooking. Good luck!
Link to Experimental API:
http://developer.chrome.com/extensions/experimental.downloads.html
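If that API surfaces download state changes (I'm guessing at the event shape here - check the doc above), a completion hook might look something like this:

// fire when a download transitions into the 'complete' state
chrome.experimental.downloads.onChanged.addListener(function (delta) {
  if (delta.state && delta.state.current === 'complete') {
    console.log('download ' + delta.id + ' finished');
  }
});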
For completely non-nefarious purposes - machine learning, specifically - I'd like to download a huge dataset of CAPTCHA images. However, CAPTCHA is always implemented using some obfuscated JavaScript that makes getting at the actual images without a browser a non-trivial task, at least to me, a JavaScript novice.
So, can anyone give me some helpful pointers on how to download the image of the obscured word using a script completely outside of a browser? And please don't point me to a dataset of already collected obscured words - I need to collect the images from a specific website for this particular experiment.
Thanks!
Edit: Another way this question could be asked is very simple. When you click "view source" on a website with complicated JavaScript, you see the script references, but that's all you see. However, if you click "save webpage as..." (in Firefox) and then view the source of the saved webpage, the JavaScript has been resolved, and the new HTML and the images (at least in the case of ASIRRA and reCAPTCHA) are in the source. How can I mimic this "save webpage as..." behavior using a script? This is an important web coding question in general, so please stop questioning my motives! This is knowledge I can use from now on in all web development involving scripting, and I'm sure other Stack Overflow visitors can as well!
While waiting for an answer here I kept digging and eventually figured out a sort of hacked way of getting done what I wanted.
First off, the reason this is a somewhat complicated problem (at least to a JavaScript novice like me) is that the images from ASIRRA are loaded onto the webpage via JavaScript, which is a client-side technology. This is a problem when you download the webpage using something like wget or curl, because those tools don't actually run the JavaScript - they just download the source HTML. Therefore, you don't get the images.
However, I realized that Firefox's "Save Page As..." did exactly what I needed. It ran the JavaScript, which loaded the images, and then saved it all into the well-known directory structure on my hard drive. That's exactly what I wanted to automate. So... I found a Firefox add-on called "iMacros" and wrote this macro:
VERSION BUILD=6240709 RECORDER=FX
TAB T=1
URL GOTO=http://www.asirra.com/examples/ExampleService.html
SAVEAS TYPE=CPL FOLDER=C:\Cat-Dog\Downloads FILE=*
Set to loop 10,000 times, it worked perfectly. In fact, since it was always saving to the same folder, duplicate images were overwritten (which is what I wanted).
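For anyone who'd rather avoid a GUI browser entirely, the same "run the JavaScript, then save" idea should also work with a scriptable headless browser such as PhantomJS; a rough sketch follows (the 3-second wait is a guess at how long the image requests take, and this grabs a screenshot rather than the individual files):

// load the page, let its JavaScript fetch the images, then save a rendering
var page = require('webpage').create();
page.open('http://www.asirra.com/examples/ExampleService.html', function (status) {
  if (status !== 'success') { phantom.exit(1); }
  window.setTimeout(function () {
    page.render('asirra.png'); // screenshot of the fully rendered page
    phantom.exit();
  }, 3000); // arbitrary wait for the images to load
});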
Why not just get CAPTCHA yourself and generate images? reCAPTCHA's free too.
http://www.captcha.net/
Update: I see you want it from a specific site, but if you get your own you can tweak it to give the same kind of images as the site you're targeting.
Get in contact with the people who run the site and ask for the dataset. If you try to download many images in any suspicious way, you'll end up on their kill list rather quickly which means that you won't get anything from them anymore.
CAPTCHAs are meant to protect people against abuse and what you do will look like abuse from their point of view.