I'm looking for a javascript version of PHP's html_entity_decode. I found this:
function html_entity_decode(str){
var tarea=document.createElement('textarea');
tarea.innerHTML = str; return tarea.value;
tarea.parentNode.removeChild(tarea);
}
However, I can't use this because I need to write this code for an FBML/FBJS Facebook canvas app, and they have disabled innerHTML and anything similar (insanity, I know).
Is there any other way to do this that doesn't resort to sticking the string into an element and pulling it back out again? Please make sure to only use functions that would be allowed in FBJS
I guess you'll have to do it manually. A quick Google search brought up this library that does what you want.
Related
I am trying to scrape a number of sites to find if a certain code snippet is present. Most of the time the scraper works perfectly as intended.
I am using the following method to find the bit of code I am looking for:
...
item["foo"] = response.xpath("//script[contains(text(), 'fooscript')]")
...
if len(item["foo"]) != 0:
doStuff()
However, my issue is the following: sometimes the thing I want to find is not in the script itself but as the source for the script (I know how to scrape this as well), and sometimes when JQuery is used, I can't get the correct scrape results.
So my question is, is there an easier way to look through the raw HTML/JS text to find a match for what I am looking for? Trying to look through all alternatives to scrapes will quickly bloat up the code, and I only need to see if this certain text is present. I have not found a suitable method from the official scrapy documentation (though I am still somewhat inexperienced with the tool, so I might have missed it), so if anyone has a solution for this it would be greatly appreciated.
Maybe simple regex search through the HTML source is what you are looking for? Something like
if re.search(r'fooscript', response.text):
doStuff()
Or, if you just know it's wrapped inside some element and just don't know which, you can do
item["foo"] = response.xpath("//*[contains(text(), 'fooscript')]")
Also, you don't need to use len to check the result, simply
if item["foo"]:
doStuff()
is enough.
I dont know why this is the case but my replace does not work. It is somehow unusual considering my syntax is correct.
info.textContent.replace('Title', "replaced");
where info is the variable that stores an element. It should actually replace all instances of Title with "replaced". I prefer not using innerText due to compatibility issues and innerHTML due to security risks. textContent is supported by firefox and I have no idea what is going on.
I would appreciate some insight. I am learning javascript and tips for best practice are welcome.
Below the full code in Jsfiddle:
http://jsfiddle.net/r7bL6vLy/123/
It works, it's just replace method returns new string you need to assign back:
info.textContent = info.textContent.replace('Title', "replaced");
I'm trying to set the value of a textarea on the following page by executing something similar the below javascript:
javascript:alert(document.getElementsByClassName('uiTextareaNoResize uiTextareaAutogrow _1rv DOMControl_placeholder')[0].value='blabla');
This works if I manually enter the code into the address bar on the target page, but I want to pass this argument through a link.. ie...
<a href="/nextpage.php?javascript:alert(document.getElementsByClassName('uiTextareaNoResize uiTextareaAutogrow _1rv DOMControl_placeholder')[0].value='blabla');"
Just wondered if anything like this is possible at all?
You can send the arguments via the url like you would for GET requests. Then have the receiving page parse location.search.
For instance, you can send it like this:
http://example.com/?arg1=foo&arg2=bar
And the receiving page have a script like this:
var queryString = location.search; //?arg1=foo&arg2=bar
You'll have to parse it manually though, removing the ?, split by & then each by =
This is called XSS or Cross-Site-Scripting, and as many comments have already pointed out, it is a security issue. This is why most major browsers do NOT allow it.
However, I believe that some browsers do allow it, for example Opera - although I can't recall exactly which version.
If you are looking to make your own "browser", I would recommend using C# .Net WebBrowser, then use the runtime package XULRunner (https://developer.mozilla.org/en-US/docs/Mozilla/Projects/XULRunner).
Despite all this, I would not recommend doing anything that may be against laws of your current location, or doing anything to displease the site owner.
My knowledge of Jquery & Javascript is limited at best, but I'm under the impression JQuery is basically a simplified version of JavaScript.
If that is the case is there a way of converting this code to Javascript so I don't have to call the JQuery Library as it seems to be causing other JavaScript Functions to not work?
function toggleStatus(mynum) {
$('#product_'+mynum+'_submit_button').removeAttr('disabled');
}
This should work :)
var d = document.getElementById('product_'+mynum+'_submit_button');
d.removeAttribute('disabled');
jQuery is not a simplyfied version of javascript, but a javascript library that enables you to work rather effortlessly with the dom.
the code could be rewritten like that:
var e = document.getElementById('product_'+mynum+'_submit_button');
if( e ) e.removeAttribute('disabled');
The native version of that code would
set the disabled property on the element instead of messing with the attribute
use document.getElementById to select an element by id in lieu of jQuerys $("#id"):
var element = document.getElementById('product_' + mynum + '_submit_button');
element.disabled = false;
Also note that, for future reference, the native equivalent for jQuery's removeAttr is removeAttribute
Which other Javascript function's aren't working? jQuery is a Javascript framework to help you achieve Javascript tasks more easily, as well as create other functionality like animations.
If you're looking to simply convert what you have there into Javascript, you could do this:
function toggleStatus(mynum) {
document.getElementById('product_'+mynum+'_submit_button').removeAttribute('disabled');
}
I have a feeling like this could be the beginning of more Javascript and jQuery questions as you quest to learn more! Good luck! :)
Jquery is not simplified version of javascript. Think it as a library instead. The common functionalities which are needed for our development are simplified and organized in single library. For using that functionalities you have to read its API (Application Programming Interface) documentation. It will help you to write less code as compared to normal javascript code. I think, Jquery will not be the cause of problem in your code.
Any way for writing this code in pure javascript you can follow below code:
document.getElementById('buttonId').removeAttribute('disabled');
Would it be possible to sandbox user-submitted Javascript by overriding various functions such as alert, window.location, and eval?
I'm not looking for a perfect solution. I'm sure some people would still find a way to rearrange divs to spell out swear words or something malicious, but if I could disable page redirects 100% reliably I would be mostly happy.
I tried in Chrome, and doing something like
context={}; //use this to prevent `this` from being `window`
context.f=function(){
var window=null,location=null,eval=function(){};
console.log(window); //also the other two
};
context.f();
seems promising. If I replace the console line with user-submitted code (checking for paren balancing), would that be an absurdly bad idea or a mildly bad idea? On Chrome I can still break things by going through this to Function and redefining things, but that would be acceptable to me.
You can use Microsoft Web Sandbox or Google Caja.
Here are two more possible solutions (disclaimer: I just started looking for this myself, so I am not an expert).
This is very interesting, uses web workers to sandbox untrusted code:
https://github.com/eligrey/jsandbox
even though, I wonder if that is maintaned anymore, or if the following html5 "sandbox" iframe attribute supersedes it:
http://www.w3schools.com/html5/att_iframe_sandbox.asp
vm.js is a javascript virtual machine implemented in pure coffeescript(should run in relatively old browsers) and can be used as a lightweight in-process sandbox. It can break infinite loops and shields global objects from modifications.
Depending on what this needs to do, you could always run the javascript in a document-context-free environment, like through Rhino, and then grab the results server-side and clean/insert those.
You could also try Douglas Crockford's AdSafe, though it does limit the possibilities of JavaScript.
Masking the globals with local variables is not secure actually. Preprocessing the untrusted code with tools like Google Caja may help, but it's not necessary:
For a web-browser simply running a code in a Worker is enough - it seems to be pretty restricted nowadays. See update below
For Node.js you may fork() in a sandboxed process and execute the code there (using the child_process module).
There are also some libraries for simplifying the sandboxing, one of those created by myself is Jailed (there's also a demo with JS-Console which executes user-submitted code in a sandbox).
Update: obviously I was wrong, the worker is not secure by itself, as it can access some of same-origin stuff, like IndexedDB for instance. I have submitted a related question. The solution is to additionally put the worker into a sasndboxed iframe, which is also implemented in my Jailed library.
Use HTML5 "sandbox" iframe attribute.
I made a javascript function for this.
function evalUnsafe(userCode) {
var vars = [];
var legal = {console: 'console', alert: 'alert'};
for(var b in this) {
if (!(b in legal)) {
vars.push(b);
}
}
var funcs = vars.join(",");
var code = "(function sandbox(" + funcs + ") {function runthis() {eval(" + JSON.stringify(userCode) + ");};var a = new runthis();})();";
eval(code);
}
And then you can do this
Example 1:
evalUnsafe("alert(window);");
Example 2 (from a php file):
evalUnsafe(<?php echo json_encode(file_get_contents("example.js"));?>);
You can download it from here:
https://github.com/oyvindrestad/javascriptsandbox