I have an app that gets youtube video id's to share them out over twitter. Looking at the tweets I can see users are sharing them out, but in some cases the share content is broken.
We have a restful API which responds with the id, and then with a string replace method we replace {{id}}.
http://twitter.com/intent/tweet?text=http://www.youtube.com/watch?v={{id}} Share your video to win.
Replace method
var href = $('#twitter-btn').attr('href');
$('#twitter-btn').attr('href', href.replace('{{id}}', response.youtube_id) );
In most cases the tweets can be seen like so...
http://www.youtube.com/watch?v=0bxW5fd Share your video to win.
But in some cases we are seeing...
http://www.youtube.com/watch?v
What I find really strange is that the '=' has been removed as well. We have ruled out the server giving a bad response as we are logging all ID's to check they are valid.
Is anyone aware of how this could happen, or if certain ID's break twitter as I am aware the '#' symbol needs to be url encoded to %23 else it breaks.
The share functionality works using the standard twitter share.
<script type="text/javascript" async src="//platform.twitter.com/widgets.js"></script>
This has really stumped me as it is such a basic task I cant understand how this can happen.
Any Ideas would be very appreciated.
replace isn't broken. If the href string really contains
http://twitter.com/intent/tweet?text=http://www.youtube.com/watch?v={{id}} Share your video to win
...then your replace as shown will replace the {{id}} with the value from response.youtube_id.
Given that the = isn't showing up in the result, the only possibilities I see are:
href doesn't have the ={{id}} in it in the first place. Perhaps something is modifying the attribute before you grab it.
You're not looking directly at the result of the replace, but at something derived from it, and in the process of the derivation the = and the value after it have been removed, perhaps only when the = was originally followed by something invalid (possibly blank) — in which case, the problem would be with the response.youtube_id.
But don't focus on the replace, it's not the problem.
http://www.dummies.com/how-to/content/how-to-insert-links-into-tweets.html
or use http encoding for querystring parametter text=http%3A%2F%2Fwww.youtube.com%2Fwatch%3Fv%3D%7B%7Byourid%7D%7D
and
$('#twitter-btn').attr('href', href.replace('yourid', response.youtube_id) );
this should be it.
Related
I'm working in javascript (in the browser not nodejs) and I want to be able to take an emoji character (something like 🤨) and grab a description or name for it (like face with raised eyebrow). This data seems to be available in some form in Unicode's full list of emojis but I'd like to know if there is some kind of way to fetch this data automatically.
Thanks!
I've been searching for this and found Open Emoji Api. Probably it'll be helpful for your use case.
Thanks!
Tiago
I have several html A tag generated programmatically in ASP.NET with a JavaScript function taking long parameter in href. One of those has over 20K characters when it get assigned in backend, but I am seeing the actual link has only 5239 characters on the browser side and the JavaScript function does not have closing. So the link never works. I am thinking about workarounds for this implementation since it's not a good idea to put this much amount of data in links, but now I'm just curious about cause of the issue.
Examples of the code assigning values to the link:
HtmlAnchor.HRef = "javascript:doSomething('Import','" + strHeader_LineIds + "');"
In this case the variable strHeader_LineIds carries a string over 20k characters.
Example of what I'm actually seeing in client side:
<a id=anchor1 class=class1 href="javascript:doSomething('Import', 'blahblahblahblah....">Link Text</a>
Please note the javascript function has no closing here. But when I'm debugging in backend I do see the closing of the function.
I guess this issue may have something to do with the browser's URL limit? I am using IE and I learned IE has a maximum URL length limit as 2,083 characters from Here. But how can the link show up with 5,239 characters?
I've had a similar issue with javascript like dynamic functions created in code and then called. I found that I had to play with swapping out single quotes in the javascript function with double quotes or escaping the quotes.
Then again just reading your post could be a limit issue.
Have you tried assigning the long to an element in the background and then referencing that as part of the javacript. I know IE gets funny with spaces in passed in parameters.
I think found an answer to the issue though. According to This Article:
JavaScript URIs
The JavaScript protocol is used for bookmarklets (aka favlets), a lightweight form of extensibility that permits a user to click a button and run some stored JavaScript on the currently loaded page. In IE9, the team did some work to relax the length limit (from ~260 characters, if I recall correctly) to something significantly larger (~5kb, if I recall correctly).
So I just hit the ~5kb limit.
Before anyone jumps in and says, "Oh!! that's a bad idea", I know it is.
I want to keep both the key and value in the query string to be not easily visible to the end user.
I have something like this google.com/?category=textile&user=user1
I need to make it unintelligible like this: google.com/?kasjdhfkashasdfsf32423
Is there any way to achieve this in javascript. I have already seen this
I have already seen this
and this.
but I don't think encoding will solve the problem. Also, this code is entirely in client side. I know that it is not secure but I just need this is a naive, weak defense.
Please help.
Edit
I apologize if my question was not clear earlier.
The URL google.com/?category=textile&user=user1 is being passed on from a different application.
The values passed in the query string directly controls what is being displayed to the user. As is, anyone with no technical knowledge can easily change the value and view the data corresponding to a different category or user. I need to make this unintelligible so that it is not obvious. If a user is a techie and figures out the encryption used, then it is fine. I need a stop-gap solution till we have a better architecture in place
You can use base64. Javascript has native functions to do that :
alert(btoa("category=textile&user=user1")); // ==> Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx
and to reverse it :
alert(atob("Y2F0ZWdvcnk9dGV4dGlsZSZ1c2VyPXVzZXIx")); // ==> category=textile&user=user1
Be careful to read the doc if you have unicode strings, it's a little different : https://developer.mozilla.org/en-US/docs/Web/API/Window.btoa
If you don't looking for serious strong crypto, you can use ROT13:
http://en.wikipedia.org/wiki/ROT13
This is enough for slightly obfuscate keys/values in the your URLs.
So i am using the jQuery UI library to open new dialog windows, when the new dialog windows are opened I am passing some parameters like this
open modal
The site works fine and no issues at all, my custompage.html just picks up those values that were passed and they are being used on the page, something like this:
var a = customfunctionget(param1); var b = customfunctionget(param2)....
I just received a report that we are vulnerable to Cross-Site Scripting attacks by replacing any of the params with something like this:
><script>alert(123)</script><param
Which I understand correctly what is supposed to happen but on any browser that I try to inject the script the alert is never displayed so the "script/injection" is not being processed, the custompage.html stops working as expected since we need the values to be entered correctly but there is nothing I can do on that respect.
Is there a magic pill that I am missing here? Most of the XSS information that I find does the same thing, try to inject an alert through a tag but other than me denying to display any content if the parameter is not well formed I dont know what else can be done.
Any recommendations, tutorials welcome.
One of the easiest things you can encode all <, >, and & characters with <, >, and &, respectively. Whenever a browser sees a <something> it thinks its a dom element. If you encode those characters, the browser will actually display them. This will foil people trying to execute <script>badstuff</script> on your site.
Note that people won't be able to do things like add <b> tags to things if you do this.
The above suggestion is a first step, but is by no means exhaustive.
I just found this, which seems like a good guide.
There is encodeURIComponent() function in Javascripts to encode special characters to avoid inserting scripts
I try to adapt etherpad so it is only accessible if certain params are sent with the request.
For example I want a certain pad just to be displayed if there is a unique id provided like
http://myetherpad.com/thepadid?myparam=blub
Does anyone know where exactly I can parse the params? I searched all the js-files but didn't find exactly what I am looking for.
I found out that there is some kind of request object. You can access it like
request.params.padId
But I also don't know where to search for the implementation of this object.
I hope somebody can help me. Thanks :)
You could probably hack something into the code at https://github.com/ether/pad/blob/master/etherpad/src/etherpad/licensing.js#L153
But if all you need is some kind of password protection, there are easier ways. The easiest would be to use something that is built in to your web server, or to use the built-in pro functionality -- more on that on http://etherpad.org/2010/10/14/241/
(Your idea with using URL-parameters for password could be simplified; just use a complicated pad name and only those with the URL will find it. Having a "nice" pad name and adding a complicated password at the end doesn't protect the pad at all.)
For anyone with the same problem: You can get the GET-parameters via
request.headers['Referer']
It returns the URI the user called. But I still don't know how to do it properly (or get the POST parameters).