I'm developing a greasemonkey plugin, which is supposed to send a form in background using POST (GM_xmlhttpRequest) on an application not under my control. That application is written in PHP and seems to expect all its input in windows-1250 encoding. What I need to do is to take all the form fields as they are, edit just one of them and resubmit. Some of the fields use accented characters and are limited in length.
Not a problem in theory - I iterate over all form fields, use the encodeURIComponent function on the values and concatenate everything to a post request body. HOWEVER. The encodeURIComponent function always encodes characters according to UTF-8, which leads to all sorts of problems. Because PHP doesn't seem to recode my request to windows-1250 properly, it misinterprets multibyte strings and comes to the conclusion that the resubmitted values are longer than the allowed 40 characters and dies on me. Or the script just dies silently without giving me any sort of useful feedback.
I have tested this by looking at the POST body firefox is sending when I submit the form in a browser window and then resending the same data to the server using xhr. Which worked. For example the string:
Zajišťujeme profesionální modelky
Looks as follows, when encoded by encodeURIComponent:
Zaji%C5%A1%C5%A5ujeme%20profesion%C3%A1ln%C3%AD%20modelky
Same thing using urlencode in PHP (source text in windows-1250) or Firefox:
Zaji%9A%9Dujeme+profesion%E1ln%ED+modelky
Apparently, I need to encode the post body as if it were in windows-1250 or somehow make the server accept utf-8 (which I doubt is possible). I tried all kinds of other function like escape or encodeURI, but the output is not much different - all seem to output in utf-8.
Is there any way out of this?
Another way to get Firefox to encode a URL is to set it as the href of a link. The property (NOT attribute) will always read back as an absolute link urlencoded in the page's encoding.
For a GET request you would simply set the href as http://server/cgi?var=value and read back the encoded form. For a POST request you would have to take the extra step to separate the data (you can't use ?var=value on its own because the link reads back as an absolute link).
Let the browser encode the form. Put it in a hidden iframe and call submit() on it.
Related
So I have a web page that is encoded in ISO-8859 as per the HTTP header that returns its content. I return text content 😳😳😳😳 and as expected it is mangled by the ISO encoding.
However when I make a JSONP AJAX call that returns the same text content 😳😳😳😳, and insert it onto the page, those emoticons are displayed correctly! Notably the AJAX call lacks an encoding type header as its Content-Type header is simply text/javascript.
What's going on here? Does my Chrome browser do some sort of clever tricks to make sure the AJAXed content is displayed correctly?
In case it matters I am using the jQuery library to do AJAX calls.
This is mostly conjecture, as I haven't looked into it extensively, but from what I understand is that browsers convert HTML textual content to some internal representation (perhaps UTF-16, I don't know). I found a mention of that here.
They do that using the clues that the server (Content-Type header), the HTML itself (<meta charset=..., etc) or the user (by explicitly setting the encoding for a page) provides.
Any new textual content that gets pushed into the DOM, for instance that which is retrieved using an AJAX request, undergoes the same transcoding. In other words, the browser doesn't use the encoding of the rest of the page (or perhaps only in the case where it has absolutely no idea when the encoding is), but the encoding that's provided by the server, in the AJAX response (or it uses a default if the server doesn't set it).
So internally, everything gets converted to the same encoding, which is why you can inject UTF-8-encoded data using JS into an ISO-8859-encoded page and it works.
i have a text field TinyMCE 4.0 i when i am posting html from this field using ajax i seem to be having a problem with the data not ending up server side
in Firefox firebug it shows i posted this data
attendanceID=¬eID=&Category=2&date=20-May-2014&leave=<p> </p> <p>fxghdfhdsfhsdfhsdf</p>&prn=15407&act=edit
server side PHP
print_r( $_POST['leave']);
It prints
<p>
but when i post this
attendanceID=¬eID=&Category=2&date=20-May-2014&leave=<p>fadsfdasfasdf</p>&prn=15418&act=edit
everything works as expected prints
<p>fadsfdasfasdf</p>
You need to have it properly url encoded. It hits and thinks you've started a new variable.
This question has some more detailed information - When are you supposed to use escape instead of encodeURI / encodeURIComponent?
If it's data that someone else is providing to you, you should use encodeURIComponent on each url parameter. This prevents them from sending something to the server you're not expecting.
Note:
There is also encodeURI which encodes the whole URI, ignoring some characters that have meaning to the url.
Instead of leave=<p> you should have leave=%20
%20 is the url encoded value for a space
You need to make your post parameters URL encoded.
Try
encodeURIComponent for javascript
or
rawurlencode for PHP
I'm writing a greasemonkey script to add some features to one webpage(so clearly I can't change the code of the server side).
This is a really old website which only receives GBK encoded string.
For example, the form in current webpage have a text input field filled up with value "中"(\u4e2d, %E4%B8%AD in UTF-8 byte stream, %D6%D0 in GBK byte stream), when the user clicks the submit button, the browser will automatically serialize the form to application/x-www-form-urlencoded text then post it to the server. Because the webpage is claimed to be encoded in GBK, "中" is automatically encoded as %D6D0% in the application/x-www-form-urlencoded text, then the server side will decoded it with GBK encoding and get the right result.
Now I'm switching to ajax to submit the form to server(30~40 times in a short while), and I used JQuery's serialize() method to serialize the form to application/x-www-form-urlencoded text, then posted it. The problem is, JQuery's serialize method eventually uses encodeURIComponent to encode all the values of the form, and at this time, "中" is encoded as %E4%B8%AD regardless of that the charset of current webpage is GBK. The server side still use GBK to decode it, then failed.
I have googled a lot about this, encodeURIComponent will always encode string as utf-8 stream, and in javascript language there is no utility functions can do what I want, which is get the serialized form data as the browser will automatically do.
Any ideas? thanks.
What about writing an firefox addons and use c/c++ code to implement a XPCOM to do the conversion from javascript string to GBK format url-encoded string?
I am using Ajax to post the comments of the website.
No the user can also write some scripts inside a textbox.
The problem is I want to HTML encode it (REMOVE html tags,scripts ETC).
Means remove the html elements.
As far as now i make an unsuccessful try as:
var textData = $("'" + $('#textBox').val() + "'").text();
But this is a ridiculous attempt by me. Though it sometimes work but it MAY fail with special symbols etc.
Any help is this regard is deeply appreciated.
Thank You.
EDIT:
Whenever the user post the comment i send the comment to server and at the server side encode it and save it to DB and also on client side update my HTML. I dont want to get the encoded message back from the server
As everyone else said, please don't do this. Solve it on the server.
However, the shortest way to just HTML encode whatever was send (that is, actually print out <b>x</b> is this:
var yourText = $('#textbox').val(); // or whatever
var yourTextHTML = $('<span></span>').text(yourText).html();
You really shouldn't do this client-side. An attacker can just post a comment, intercept the request using a debugging tool such as Fiddler, modify it so it includes some forbidden characters - and you're XSSed.
It is highly recommended that you do this at the server instead. Just pass each comment through htmlentities in PHP (or the equivalent function for whatever server-side scripting language you're using) before writing it to the document, this will render all XSS attempts useless.
You should do the encoding when you are displaying the comments in a blog page and not at the client side that will helps to avoid XSS attacks and others. Encoding is not about removing html, script tags but it is about representing the angle brackets as character entity names.
For ex.
you have written a nice article<script></script>
after encoded
"you have written a nice article<script></script>"
I haven't found an answer to this, and since I'm pretty new to JS, I don't know if it's even possible.
I have a regular HTML form, where the only field is a user types in a URL (any URL) and clicks submit.
The URL will "be sent" to JS code that stores this URL in some variable, I guess. Basically, I need to be able to call getElementsByTagName() on any URL submitted by the user.
My point is to count up the number of times a URL contains a specified element, which I do know how to do :)
How do I interpret a URL submitted through a form by someone and then take that URL and be able to perform methods (such as getElementsById) on it? I want to return the count of the number of elements to the user.
Any ideas? Can this all be done in JS? Is this possible?
When you say "URL," I assume you are talking about the actual webpage and not the url string. In other words, you want to load the entire DOM into a javascript variable and then parse it with getElementsByTagName(), etc. Javascript cannot load this webpage due to the Same Origin Policy, unless users can only submit pages that are on the same domain as your site. If that was the case, you could use a frame. Otherwise, JS can't do it without Jsonp, which isn't going to work in this case.
However, all is not lost. You can have your JS make an asynchronous request (ajax) to your own server. Your server scripting language /can/ get the entire DOM of the webpage (e.g. PHP can do this with cURL). Then it can send the entire string back to JS as xml that can be parsed. Good luck.
You can't really do that from the client (the web browser) with nothing but Javascript, because security rules will prevent your page from fetching and examining content from a different domain. You'll need to send the URL to a server and have it do the work.