oracle forms javascript integration - javascript

I'm trying to experiment with the new javascript integration features of oracle forms 11g.
My current configuration:
Forms 11.1.2.2.0
Weblogic 10.3.6.0
JRE 1.7u55
Windows 7 x64
I installed the demo at http://www.oracle.com/webfolder/technetwork/tutorials/obe/forms/11g/jsinteg/formsjsinteg/setup.htm
This is only working from FORMS to Javascript but not the other way. i.e Javascript to FORMS.
I thought all the additional Javascripts et al in it is making it difficult for me to know what's happening so I created a simpler html page with a textbox, a button and an anchor for onclick along with the applet in iFrame.
Again the code is working from FORMS to javascript but not the other way.
This line is not working:
window.frames['forms_iframe'].contentDocument.document.forms_applet.raiseEvent(event, payload);
UPDATE:
I changed it so the applet and all the testing code is placed in one html. and added some try catch code to my calls.
changed my call to:
function frmEvent (event, payload) {
alert(event+", "+ payload);
event = "PUSH";
try {
document.forms_applet.raiseEvent(event, payload);
}
catch(err) {
var txt = "There was an error on this page.\n\n";
txt += "Error description: " + err.message + "\n\n";
txt += "Click OK to continue.\n\n";
alert(txt);
}
}
Now I get in IE
liveconnect call for applet id 1 is not allowed in this jvm instance
in chrome, it says:
Error calling method on NPObject
I think the whole problem is with this liveconnect changes to java runtime... wondering what else to do to solve this issue now.

Lower the Java security setting from High (only authorized Java script can be run) to Medium (Prompt before unauthorized Java script), user will receive a prompt and then the worksheet can be opened just
fine. It's due to higher security requirement with JRE 7u45
https://blogs.oracle.com/java-platform-group/entry/updated_security_baseline_7u45_impacts

Related

Getting "picked up Java tool options" error while running a test script in HPALM integrated with CA LISA

I am trying to integrate HP-ALM with CA-LISA (a service virtualization tool). On trying to run the below test script
function Test_Main(Debug, CurrentTestSet, CurrentTest, CurrentRun)
{
try
{
TDOutput.Clear();
lisa = new ActiveXObject("MercuryLisaBridge.MercuryTestRunner");
lisa.Init(TDConnection, TDOutput);
lisa.Reload(ThisTest);
if (Debug) lisa.Debug(ThisTest);
if (!Debug) lisa.Run(CurrentTest, CurrentRun);
}
catch(e)
{
TDOutput.Print("Run-time error [" + (e.number & 0xFFFF) + "] : " + e.description);
}
}
I am getting this error
Run-time error [5376] : Picked up JAVA_TOOL_OPTIONS: -agentlib:jvmhook
Picked up _JAVA_OPTIONS: -Xbootclasspath/a:"C:\Program Files (x86)\HP\Unified Functional Testing\bin\java_shared\classes\jasmine.jar"
Picked up JAVA_TOOL_OPTIONS: -agentlib:jvmhook
_JAVA_OPTIONS and JAVA_TOOL_OPTIONS are environment variables which allows you to provide default values for Java options which will be picked up by every JVM (see details on http://progexc.blogspot.com.cy/2013/12/what-i-discovered-while-trying-to-pass.html and Difference between _JAVA_OPTIONS JAVA_TOOL_OPTIONS and JAVA_OPTS for details).
This variables are set by UFT installer (and probably by some other HP ALM related stuff).
I'm not sure why it causes your script to fail (maybe because they are written in standard error stream - I don't remember), but if you want to elimimate them you need to clear those two environment variables on the machine where script is running. I would clear them for a particular process, but leave them untouched globally, because it may affect UFT stuff.

Search for injected script code on the Windows Server for my ASP.NET site

My site was probably hacked. I am finding script.js from bigcatsolutions.com in my page. It triggers a popup of an affiliate program. The script isn't on the page by default and I want to know how can I find where it was injected. The script sometimes injects other ad sites.
In chrome I see this:
The injected script code:
function addEvent(obj, eventName, func) {
if (obj.attachEvent) {
obj.attachEvent("on" + eventName, func);
} else if (obj.addEventListener) {
obj.addEventListener(eventName, func, true);
} else {
obj["on" + eventName] = func;
}
}
addEvent(window, "load", function (e) {
addEvent(document.body, "click", function (e) {
if (document.cookie.indexOf("booknow") == -1) {
params = 'width=800';
params += ', height=600';
params += ', top=50, left=50,scrollbars=yes';
var w = window.open("http://booknowhalong.com/discount-news", 'window', params).blur();
document.cookie = "booknow";
window.focus();
}
});
})
My site is moved from my hosting company to Amazon EC2 Windows 2013 Server and still have the issues, so it means that the code still resides on the server somewhere. My site was build using ASP.ENT / C#.
Things I did:
tried to search the original aspx and aspx.cs code files
Have you checked the IIS logs to see if they are hitting a specific page and injecting it there?
Do you load any data from a database? You could check in the tables and see if anything out of the ordinary appears there.
It is unlikely that the .aspx pages have actually been physically modified and even more unlikely that the DLL have been as .aspx.cs files are compiled in to your BIN folder as DLL's. The more likely scenario is that you have an unsecure page that a malicious site is injecting its script into. The other possible attack vector is that you have had malicious code via SQL injection and are loading it each time.
After deep searching and I missed it in the first run, I found that the script was injected into the ASP.NET masterpage.
I ran a search to search for a specific string in all the files and that's how I found it. It seems that the server itself was breached and the hacker put the code into several websites.
So for those of you who have this type of problem, I recommend running a text search and try to find the URL that is tights to the running script.
Hope that helps and thanks for your time.

Google + SignIn Button Blocked Frame

I have been trying to build a kind of Hello World project using Google + SignIn. I followed the tutorial at https://developers.google.com/+/web/signin/, with my (excerpted) code being:
...
<script>
function signinCallback(authResult) {
//location.reload();
//var x = 0
//while(x=0){
if (authResult['access_token']) {
// Successfully authorized
// Hide the sign-in button now that the user is authorized, for example:
document.getElementById('signinButton').setAttribute('style', 'display: none');
//document.getElementById("secret").innerHTML = ("<p>Non-Conspicuous Link to Super Secret Page</p>");
//alert("IT WORKED");
document.getElementById("secret").innerHTML=("Non-Conspicuous Link to Super Secret Page");
document.getElementById("game").innerHTML=("Non-Conspicuous Link to Super Secret Game Page");
document.getElementById('refresh').setAttribute('style', 'display: none');
//alert("Please Refresh");
} else if (authResult['error']) {
// There was an error.
// Possible error codes:
// "access_denied" - User denied access to your app
// "immediate_failed" - Could not automatically log in the user
console.log('AuthERROR: ' + authResult['error']);
//alert("ERROR: A team of poorly trained robots has been dispatched to handle the situation. If they arive, tell them '" + authResult['error'] + "'");
}
}
</script>
...
<span id="signinButton">
<span
class="g-signin"
data-callback="signinCallback"
data-clientid="CLIENT ID"
data-cookiepolicy="single_host_origin"
data-requestvisibleactions="http://schemas.google.com/AddActivity"
data-scope="https://www.googleapis.com/auth/plus.login"
data-width="wide"
data-theme="light">
</span>
...
<p id="secret"></p>
...
When I run the code in Google Chrome (Version 29.0.1547.18 dev-m), I get this error:
Blocked a frame with origin "https://accounts.google.com" from accessing a frame with origin "https://apis.google.com". Protocols, domains, and ports must match.
The code in my signinCallback function is called on the page's first load, but doesn't run when the button is used for sign in. The code isn't executed until the page is reloaded.
However, this issue does not occur in Firefox, so it seems to be an error isolated to Chrome. I have not yet tested any other browsers.
Is there anyway to solve this issue?
Thanks!
I was adapting the java hybrid server-side flow quick-start app and having the "blocked frame" error even when using https. I found that the error was triggered by this block of javascript client-side code (within the onSignInCallback function):
for (var field in authResult) {
$('#authResult').append(' ' + field + ': ' +
authResult[field] + '<br/>');
}
The code above is part of the quick-start app and is there for education purposes only. The error occurs when enumerating or getting a certain field within the authResult object. Removing the above code (or surrounding it with a try-catch block) solved the problem.
Turns out that the reason that my button wasn't authenticating without a refresh was beacuse I forgot to close my <script> on my server, even though it was closed in the code in my question.
For the error it does seem like you can ignore it (thanks #Ismael ToƩ).

Gmail not loading when script is injected or even when a word is replaced, why?

I was using fiddler core proxy to do some script injection. I noticed that gmail login just failed after its login progress bar moving forward and backward for some time. A sample is given below using c#, tested using google chrome as the browser. The below code goes inside the beforeresponse event of fiddler proxy where oS is the HTTP session.
oS.utilDecodeResponse();
oS.utilReplaceInResponse("</body>", "<script type='text/javascript'>var a = 10;</script></body>");
Updated
As Eric have suggested I made sure that the script is not making conflict with any other java script variables. Added the script only in the expected page when gmail logs in. However the problem is still there.
if (oS.oRequest.headers.HTTPMethod == "GET" || oS.oRequest.headers.HTTPMethod == "POST")
{ //exclude other HTTP Status codes
if (oS.oResponse.headers.HTTPResponseStatus == "200 OK")
{
if (!oS.oRequest.headers.Exists("X-Requested-With"))
{
var accept = oS.oRequest.headers.FindAll("Accept");
if (accept[0].Value.Contains("text/html"))
{
if (oS.oResponse.MIMEType == "text/html")
{
oS.utilDecodeResponse();
string script = "alert("Hello");"
//The main http request after gmail login has a response with a script closing tag before body closing, so I am replacing it with my script added.
oS.utilReplaceOnceInResponse("</script></body>", script + "</script></body>", false));
}
}
}
}
}
Works fine with chrome, however in safari and opera, alert is called infinitely so as the HTTP request to reload the page.
The problem you're having is that your replacement is insufficiently precise. You're replacing ALL instances of </body> on ALL pages with a string containing quotation marks. However, in some of the instances, the string you're replacing is appearing within JavaScript strings in the Google application, and as a consequence you're mangling the JavaScript string and causing a script error.
Use the following script sample to get a better understanding of all of the places you're replacing, then update your script to more specifically replace the expected string on only the expected page.
oSession.utilDecodeResponse();
if (oSession.utilReplaceInResponse("</body>", '<!-- INJECTED --></body>'))
{
oSession["ui-backcolor"] = "lime";
}

How to customise "old version" SWF output, with swfobject 2.1?

I've been using swfobject for a recent project, and its great. But now that I've managed to get FlashSwitcher up and running in Firefox I notice that when I'm running Flash Player 7 the info displayed when I am running a version lower than I've specified has been customised (in this case by the Moodle page the the swfobject embed code sits in). Attached is a screenshot of that output SWF, as generated by Moodle. I can confirm that some of my users also see this, so my FlashSwitcher is functioning correctly.
Most of my use cases are outside of the Moodle context, they're standalone, what I'm after is exactly how they customised it, how I can change their customisation, and how I can do the same when the swfobject detection is standalone.
Please note that enforcing the user to upgrade their Flash Player plugin via ExpressInstall has been frowned upon by the client, they want suggestive actions and a link - but no auto installs or similar.
My implementation uses the 'twice cooked' method as I have an accessibility requirement to show non-Flash content should a user have neither Flash, Javascript or both. Here's my embed method call, which executes when a YUI2 document load event fires:
swfobject.embedSWF("../../swf/video-loader.swf", "flash_object_a", "877", "400", "8.0");
Ultimately I want to customise this "old version" output to be something I've created/written.
cheers,
d
You can use swfobject's getFlashPlayerVersion method (explained here) to check for Flash Player version and take appropriate action.
A simple example would be:
var has_version_8_or_greater = swfobject.hasFlashPlayerVersion("8");
if(has_version_8_or_greater){
//embed SWF using SWFObject
} else {
//Check to see whether an older version of Flash is found.
var version = swfobject.getFlashPlayerVersion();
if(version.major > 0){
//You have Flash but it's too old.
var version_str = version.major + "." + version.minor + "." + version.release;
alert("You have Flash Player version " + version_str + ". Please update!");
} else {
//You don't have Flash.
}
}

Categories

Resources