I have one server side js file. I need to take whole source from that file and show it. I have the url i.e. location of the js file in the server. when I hit the url in browser then I am getting response and I can see that source. But when I am trying this code, it is not working. no response, even can't see the alert msg(mean alert("1")), and just stop. please solve this problem.
$.get("http://localhost:8080/web/js/serviceFF.js", function(file) {
alert("1");
$("textarea").val(file);
});
The source file that you are running - is it also being viewed from http://localhost:8080 too? If it isn't, you may be running into XSS (cross-site script execution) browser protection.
So in other words, the code listed above should be on http://localhost:8080/testpage.html and you need to run it from there.
If it is on your local computer, like the browser showing file://home/user/Desktop/testpage.html - the browser may block it to prevent XSS exploits.
Also, same origin policy comes into play too. Please refer to the wiki table:
https://en.wikipedia.org/wiki/Same-origin_policy
Related
I have a weird network request in my page, which refers to JavaScript files, which I removed from every html file earlier. Cache is cleared and there is no single reference to be found in the source html and the JavaScript files. For fixing that and also out of general curiosity I would like to know if there is a simple way to find out where a request was triggered, preferably using the chrome-devtools.
Update:
Thanks to jaredwilli I found the initator column under the network-tab. However this only shows Other. What I would like to know, is the (html or javascript) file where those Requests have been triggered.
On the Network panel, you can determine what the initiator of a request was by viewing the Initiator column. It gives you the file, line number and type of resource it was, either Script or something else.
I moved my website and I have a QR code (which is printed in public and can't be easily replaced) that points to a specific file on my old website that has now been moved. Currently, the URL just points to a "Not found" page on my new website. I try to use javascript in the header to catch the URL and forward it to the right URL as following:
<script type="text/javascript">
if(window.location.href === "https://www.website.com/multimedia/hoerproben/1.mp3")
{
window.location.href = "https://www.webseite.com/app/download/10079133850/1.mp3";
}
</script>
But it doesn't work. Any hints what I am doing wrong?
when you open an url, the browser makes an http request to your server for that particular resource (in your example, an mp3 file).
JavaScript is not involved at all (actually, there are so called "service workers", but they are not what you're looking for, they are meant to do caching, not redirecting). The browser does not know that your JavaScript code exists and would not execute it.
What you should do is route redirecting from server, so when the browser asks from /oldlocation/file.mp3, instead the server answers with /newlocation/file.mp3
This could be in some different way according to your server. If you have no control on how your server works, what you're asking is simply not possibile.
It won't work unless you place that code in the "Not found" page that gets served. If your URL pointed to an HTML file, you could have just placed one to do the redirect. For media files you would have to configure your server to serve an HTML file instead. Don't worry about the extension, it's the Content-Type header that determines the type of the file served. Doing this, however, is not good practice because your server would still be returning a 200 response code.
It's good practice to return 301 Moved Permanently as 101arrowz pointed out in the comments. How that can be accomplished will depend on what server you're using.
Here's how that would have been accomplished with express.js:
app.get('/multimedia/hoerproben/1.mp3', function(req, res) {
res.redirect('/app/download/10079133850/1.mp3');
});
I am new to Wordpress. I have just started the blog in which I can run my HTML / JS code properly. However, When I enter the affiliate code in my post, its not working.
Then I tried it on Local machine simply by just inserting that script but
It is also not working.
This is my code -
<div data-WRID="WRID-145208114021238062" data-widgetType="staticBanner" data-responsive="yes" data-class="affiliateAdsByFlipkart" height="250" width="300"></div>
<script async src="http://affiliate.flipkart.com/affiliate/widgets/FKAffiliateWidgets.js"></script>
I also tried by downloading this script to local machine and then simply giving the link to HTML but no luck.
I know this is something silly but I am not able to figure out. Please help.
It looks like #Jaromanda was on the right track.
I copy-pasted here in local file and in a local test Wordpress, and the script gets downloaded correctly. It shows an ad for flipkart, I suppose this is the expected behaviour.
To see what the script does, you can pass it through a beautifier to read it more easily.
The downloaded script creates an iframe element and sets the source of the iframe in order to display the ad. But to create the string representing this source, it uses, among other things, the window.location.protocol (see function createFKWidgetIframe). The location object represents the url of the document in which the script is run, not the location where the script comes from.
This window.location.protocol is usually http: or https:, but if you have it locally and not served through a local http server, then the adress bar in your browser will be something like file:///C:/path/to/the/file and the protocol window.location.protocol will be file:, and even if the iframe gets created, the source of the iframe will be set to something like file://affiliate.flipkart.com/widget/displayWidget?wrid=.... This location obviously does not exist. Please have a look at the source code of your page and see what the source of the iframe is set to, to confirm or not.
So if you do not serve the file through a local http server, there is no chance to load the iframe content.
If it also doesn't work on a Wordpress install which you access online, then I'm helpless. I could only advise you to check if you have ad blocker software/plugins or similar on your machine/browser, or if they get blocked by a firewall or a proxy you are behind.
Ok, this is my domain: example.com/index.html and I want to create a .txt file into the domain. result: example.com/file.txt with this info:
.js:
$('.saveButton').on('click', function (e) {
e.preventDefault();
$('.HTMLcontentTosave').html(); //save this html content into a file.txt
});
$.ajax maybe?
Thanks a lot!
Using only jQuery/javascript in the browser, and a typically configured web server, this isn't possible. The filesystem of the server is not exposed in such a way that it is directly writeable from a client, that would be a rather large security risk.
To make it possible, you will need to employ some server side code, such as PHP to assist in writing the file on the server. At that point you can send the desired content, and name of the file as a request to the server side code and that code can then write it to your desired location on the server's file system.
Make sure to employ adequate protections so only certain (safe) files can be written to, by the certain users you specify, otherwise you could open the previously mentioned security hole.
Does this help you?
Saving a text file on server using JavaScript
Also, you can go through this one.
Technically, the "right" way would be to make a PUT request (the "type" argument: see http://api.jquery.com/jQuery.ajax/), but this is apparently not supported on all browsers, and some servers may also block these by default so you'd need to get around this. I say the "right" way because a PUT request is intended to mean that the consequence will be to save a file at the pointed location.
The more common approach would be to allow a POST request but you'd need a server-side script to do things like validate that a user had permission to make the request.
In WebKit I get the following error on my JavaScript:
Refused to execute a JavaScript script. The source code of script found within request.
The code is for a JavaScript spinner, see ASCII Art.
The code used to work OK and is still working correctly in Camino and Firefox. The error only seems to be thrown when the page is saved via a POST and then retrieved via a GET. It happens in both Chrome/Mac and Safari/Mac.
Anyone know what this means, and how to fix this?
This "feature" can be disabled by sending the non-standard HTTP header X-XSS-Protection on the affected page.
X-XSS-Protection: 0
It's a security measure to prevent XSS (cross-site scripting) attacks.
This happens when some JavaScript code is sent to the server via an HTTP POST request, and the same code comes back via the HTTP response. If Chrome detects this situation, the script is refused to run, and you get the error message Refused to execute a JavaScript script. Source code of script found within request.
Also see this blogpost about Security in Depth: New Security Features.
Short answer: refresh the page after making your initial submission of the javascript, or hit the URL that will display the page you're editing.
Long answer: because the text you filled into the form includes javascript, and the browser doesn't necessarily know that you are the source of the javascript, it is safer for the browser to assume that you are not the source of this JS, and not run it.
An example: Suppose I gave you a link your email or facebook with some javascript in it. And imagine that the javascript would message all your friends my cool link. So, the game of getting that link to be invoked becomes simply, find a place to send the javascript such that it will be included in the page.
Chrome and other WebKit browsers try to mitigate this risk by not executing any javascript that is in the response, if it was present in the request. My nefarious attack would be thwarted because your browser would never run that JS.
In your case, you're submitting it into a form field. The Post of the form field will cause a render of the page that will display the Javascript, causing the browser to worry. If your javascript is truly saved, however, hitting that same page without submitting the form will allow it to execute.
As others have said, this happens when an HTTP response contains a JavaScript and/or HTML string that was also in the request. This is usually caused by entering JS or HTML into a form field, but can also be triggered in other ways such as manually tweaking the URL's parameters.
The problem with this is that someone with bad intentions could put whatever JS they want as the value, link to that URL with the malicious JS value, and cause your users trouble.
In almost every case, this can be fixed by HTML encoding the response, though there are exceptions. For example, this will not be safe for content inside a <script> tag. Other specific cases can be handled differently - for example, injecting input into a URL is better served by URL encoding.
As Kendall Hopkins mentioned, there may be a few cases when you actually want JavaScript from form inputs to be executed, such as creating an application like JSFiddle. In those cases, I'd recommend that you you at least scrub through the input in your backend code before blindly writing it back. After that, you can use the method he mentioned to prevent the XSS blockage (at least in Chrome), but be aware that it is opening you to attackers.
I used this hacky PHP trick just after I commit to database, but before the script is rendered from my _GET request.:
if(!empty($_POST['contains_script'])) {
echo "<script>document.location='template.php';</script>";
}
This was the cheapest solution for me.