TinyMCE windowManager.open() secure PHP script - javascript

I am using TinyMCE's activeEditor.windowManager.open() method to implement my own file browser. It opens a PHP script that does the file uploads/browser.
My concern is that anyone looking at the JavaScript will know the URL to my script and be able to open it in any browser window. I wouldn't want that because only admins to my web app should be able to upload or manage/delete stuff.
I have tried checking for $_SERVER['HTTP_REFERER'] in my file browser script, but I think this is not foolproof.
Any ideas how this can be made more secure?
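What the question needs is an authorization decision, and that has to rest on server-side state (the login session), not on a header the client chooses to send. As an added example, not code from the question or from TinyMCE, here is a gate for the PHP browser script; it assumes the application's login code sets the session fields named in the comments and that the admin page which loads TinyMCE passes the session's CSRF token with uploads and deletes:

```php
<?php
// Added example (not from the question or TinyMCE): gate the file-browser
// script on the server-side session rather than on HTTP_REFERER.
// Assumption: the application's login code sets $_SESSION['user_id'],
// $_SESSION['is_admin'] and a random $_SESSION['csrf_token'] only after
// verifying credentials; the admin page that loads TinyMCE sends that token
// as the csrf_token field of every POST.
declare(strict_types=1);

session_start();

// Why the Referer check is not enough: the header is supplied by the client,
// so any HTTP client can set it to whatever the script expects, and many
// browsers and proxies strip it entirely. It never establishes who is asking.

// The session was created by the login code after authentication; its
// contents live on the server and cannot be altered by the client.
function require_admin(): void
{
    if (empty($_SESSION['user_id']) || empty($_SESSION['is_admin'])) {
        http_response_code(403);
        header('Content-Type: text/plain');
        exit('Forbidden');
    }
}

// Actions that change state (upload, delete) also need a CSRF token, so that
// a third-party page cannot make a logged-in admin's browser perform them.
function require_csrf_token(): void
{
    $sent     = (string) ($_POST['csrf_token'] ?? '');
    $expected = (string) ($_SESSION['csrf_token'] ?? '');
    if ($expected === '' || !hash_equals($expected, $sent)) {
        http_response_code(403);
        exit('Bad CSRF token');
    }
}

require_admin();                                  // every request, GET or POST
if ($_SERVER['REQUEST_METHOD'] !== 'GET') {
    require_csrf_token();                         // uploads and deletes
}
// ... directory listing / upload / delete handling follows ...
```

Knowing the script's URL then gains an outsider nothing: without an admin session every request ends in a 403 before any file handling runs.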

Related

Download and open a file by javascript

I am making a SPA.
I want to download a file (e.g. .xlsx) and open an "Open With" dialog like this, by javascript.
Or open the file on client's PC.
Is there a way to solve this?
I know javascript cannot access local files without <input type="file">.
I want any advice. (even THIS IS IMPOSSIBLE)
I'm assuming your SPA has an API? Well, you need to direct the user to an API endpoint that will create and then send to the client the .xlsx file.
You can use the Content-Disposition header to control how the browser will open the file.
Kind regards,

add print and download protected pdf viewer to web site

Is there any way to add slide share like PDF viewer to the web site?
Only users can be able to view document... print or download can't be done. I tried several JavaScript plugins for doing that but unable to find one that has no print and downloadable options. And also client can disable JavaScript in browser therefore I think of that suitable server side script.
I am also unable to find a server side script (PHP) for this. Please suggest.
Just keep the file outside the web root directory because the web browser follows the local file system privileges and not its own. Put them into a directory with a .htaccess file that blocks all communication.
Ex: Order deny,allow
deny from all
I don't know how much it is going to help you.
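The two answers above fit together: once the documents sit outside the web root, a script has to hand them out, and that script is where the login check and the Content-Disposition choice from the .xlsx answer go. As an added example, not code from either answer, here is such a PHP script; it assumes the documents live in /var/app/private_docs and that the login code sets $_SESSION['user_id'] after authenticating the user:

```php
<?php
// Added example (not from any answer above): serve a document kept outside the
// web root through a script, so the web server never exposes it directly and
// the script decides who may fetch it and how the browser should handle it.
// Assumptions: documents live in /var/app/private_docs (outside DocumentRoot)
// and the login code sets $_SESSION['user_id'] after authenticating the user.
declare(strict_types=1);
const DOC_DIR = '/var/app/private_docs';

session_start();
if (empty($_SESSION['user_id'])) {        // no session, no file
    http_response_code(401);
    exit('Login required');
}
function resolve_private_path(string $name): ?string
{
    // Accept only a bare PDF file name: no slashes, so no directory traversal.
    if (!preg_match('/^[A-Za-z0-9_.-]+\.pdf$/', $name)) {
        return null;
    }
    // realpath() resolves symlinks; the result must still sit inside DOC_DIR.
    $real = realpath(DOC_DIR . '/' . $name);
    if ($real === false || !str_starts_with($real, DOC_DIR . '/') || !is_file($real)) {
        return null;
    }
    return $real;
}

function content_disposition(string $mode, string $name): string
{
    // "inline" asks the browser to render the file itself (e.g. its PDF viewer);
    // "attachment" asks it to save the file or hand it to another application.
    $type = $mode === 'download' ? 'attachment' : 'inline';
    // filename* carries the UTF-8, percent-encoded name (RFC 6266 / RFC 5987).
    return sprintf("%s; filename=\"%s\"; filename*=UTF-8''%s",
        $type, str_replace('"', '', $name), rawurlencode($name));
}

$path = resolve_private_path((string) ($_GET['doc'] ?? ''));
if ($path === null) {
    http_response_code(404);
    exit('Not found');
}
header('Content-Type: application/pdf');
header('X-Content-Type-Options: nosniff');
header('Cache-Control: private, no-store');
header('Content-Length: ' . filesize($path));
header('Content-Disposition: ' . content_disposition((string) ($_GET['mode'] ?? 'view'), basename($path)));
readfile($path);
```

This controls who receives the bytes and whether the browser renders or saves them; it cannot stop a client that has received the file from printing or keeping it, which is why the PDF answer above can only promise restricted access, not copy protection.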

Download file without opening download dialog

The Problem:
I need to force the download dialog not to open in a browser when in a downloading process:
I have the server code like any other download servlet.
On the client side I have a link that points to the servlet like any other download link.
Is there a way to download automatically when clicking on the link without opening the dialog?
What I think is that it may be related to the following:
Server code (Java) ?
Client code (JavaScript) ?
Browser settings ?
Browser type ?
The Purpose behind this:
There is a website that belongs to this company where it is fortified with a high security wall clearing out the chance of downloading any virus.
The clients of this site need to have the download link saving automatically when clicked on.
No, you can't interact with files on HDD from a browser without notifying the user. It's a security policy.
If I understand well, you want the browser to download your file on a default folder without asking you where?
Well, I think that, this depends on your browser, maybe you can customize the configuration in order to set a default download folder, but, I think it is not possible to force it on the server side.

Can I write a private greasemonkey script?

I want to write a greasemonkey script for my client to automate his tasks, however I don't want to share the script with others (as obviously, my client would not be too happy with this!)
How can I write a greasemonkey script without sharing it with others?
The question is not clear. But if you mean, "Can I stop my client from seeing the Greasemonkey script's code and possibly sharing it?"
Then the answer is "NO". Anyone using Firefox can see/edit the script's code via the Greasemonkey menu or the User Scripts tab in the Add-on manager.
This is by design. The producers of Greasemonkey (and most script authors) do not want any possibility of hidden or encrypted scripts being foisted on unsuspecting users.
~~~
Additionally, the script source can be seen by anyone with access to the client-machine's file system.
If you mean:
How can I run/install the script in my browser without uploading it to the userscripts site?
That's easy...
Save your script to a file, EG MyScript.user.js. Keep track of where you saved it, and make sure it's not in a system temp folder.
In Firefox, choose Open File (Ctrl+O).
Navigate to where you'd saved your script and open it.
Greasemonkey will pop up a dialog asking if you want to install the script. Press Install.
See "Installing Scripts" in the documentation.
Make a site with a link like this
Install special script xx
and save your script at
http://yourserver.com/yourscript.user.js
Grease Monkey and Tamper Monkey will see a javascript file and if it ends with user.js it will ask to install it. Give the url with the install link to your client. You can protect your site with a password.

Open local html file in current window with Javascript Bookmarklet

I'm trying to build a sample bookmarklet to grab current webpage source code and pass it to a validator. Validator is not an online website, but a folder with bunch of javascript and html files. I'm trying to open file:///C:/Users/Electrifyings/Desktop/Validator/Main.html file with the help of javascript bookmarklet code and put the source code in the textarea in the newly opened window, but it is not working for some reasons that I'm not aware of.
Here is the sample code with algorithm:
javascript:(function(){var t=document.body.innerHTML;window.open('file:///C:/Users/RandomHero/Desktop/test.html','_self');document.getElementById("validator_textarea").value=t;})()
Here are the steps:
Grab current web page source code in a variable.
Open locally stored HTML web page in current or new window or new tab (either way is fine with me, but no luck)
Put the source code from the variable into the validator textarea of the newly opened HTML file.
I have tried above code with a lot of variations, but got stuck on the part where it opens the new window. Either it's not opening the new window at all or it is opening blank window without loading the file.
Would love to get some help with this issue, thanks a lot.
Oh and btw,
Windows 7 x64, Tried IE, Firefox and Chrome. All latest and stable builds. I guess it's not a browser side issues, but something related to javascript code not opening the URI with file:/// protocol. Let me know if any more details are needed. :)
You wouldn't want a webpage you visit to be able to open up file://c:/Program Files/Quicken/YourSensitiveTaxInfo right? Because then if you make a mistake and go to a "bad" website (either a sleazy one or a good one that's been compromised by hackers), evil people on the intarweb would suddenly have access to your private info. That would suck.
Browser makers know this, and for that reason they put VERY strict limits to prevent Javascript code from accessing files on a user's local computer. This is what is getting in the way of your plan.
Solutions?
build the whole validator in to the bookmarklet (not likely to work unless it's really small)
put your validator code up on the web somewhere
write a plug-in (because the user has to choose to install a plug-in, they get much more freedom than webpages ... even though for Firefox, Chrome, etc. plug-ins are basically just Javascript)
Edit:
Extra bonus solution, if you don't limit yourself to a purely-client-side implementation:
Have your bookmarklet add a normal (HTML) form to the page.
Also add an iframe to the page (it's ok if you hide it with CSS styling)
Set the form's target attribute to point to the iframe. This will make it so that, when the user submits the form and the server replies back to that submission, the server's reply will go to the (hidden) iframe, instead of replacing the page as it normally would.
Add a file input to your form - you won't be able to access the file within that input using Javascript, but that's ok because your server will be doing the accessing, not your bookmarklet.
Write a server-side script which takes the form submissions, reads the file that came with it, and then parrots that file back as the response. In other words, you'll have a URL that you can POST to, and when it sees a file in the POST's contents, it will respond back with the contents of that file.
Now that you've got all that the user can pick their validator file using the file input, upload it to your server, your server will respond back with the file it just got, and that file will appear as the contents of the iframe.
And now that you finally have the file that you worked so hard to get (inside your iframe) you can do $('#thatIframe').html() and voila, you have access to your file. You can save the current page's source and then replace the whole page with that uploaded file (and then pass the saved page source back to the new validator page), or you can do whatever else you want with the contents of the uploaded validator file.
Of course, if the file doesn't vary from computer to computer, you can make all of that much simpler by just having a server that sends the validator file back; this could be a pure Apache server with no logic whatsoever, as all it would have to do is serve a static file.
Either way though, if you go with this approach and your new file upload script is not on the same server as your starting webpage, you will have a new security problem: cross-domain script limitations. However, these limitations are much less strict than local file access ones, so there are ways to work around them (JSONP, cross-site policy files, etc.). There are already tons of great Stack Overflow posts explaining these techniques, so I won't bother repeating them here.
Hope that helps.