How to refer to a component inside an IFRAME is showed in this reply. It works under the assumption that there's only one IFRAME (or that we are certain that the zero-th will suffice). However, I wonder how to identify the actual IFRAME I'd like to poke.
I need the syntax for changing:
window.frames[0].document. + my stuff
into something like:
window.frames["theIdOfMyIFrame"].document. + my stuff
but I can't get it right.
I dealt with this problem earlier.
If you show the response of a cross-site request in an iframe, the new browsers are denying the access to this iframe, because of the same-origin policy or cross-site scripting/request prohibition.
For more information see here: IFrame Permission Denied
If you want to dynamically add content, this solution might help you: Add Dynamic Content
Best regards
I would avoid using window.frames. (Might be due to the lack of experience with them.)
When a reply on the net is on form something[0], be cautious. Bad coding style, probably.
The reference to your theIdOfMyIFrame should be used.
The inner document is right under contentDocument.
You can refer to the embedded components like this.
document.getElementById("theIdOfMyIFrame")
.contentDocument.getElementById("controlIdInTheembeddedPage")
.value = "Christophe has eyes for details!";
Use document.getElementById instead of the nasty deprecated window.frames property:
document.getElementById("theIdOfMyIFrame").contentDocument ...
Related
OK I don't use js enough to know, but is there a way to get the real source code of the page with it?
document.body.innerHTML for example gives some kind of "fixed up" version where malformed tags have been removed.
I'm guessing using XMLHttpRequest on the original page might work, but seems kind of stupid.
This happens because browsers parse the DOM and don't keep the HTML in memory. What is returned to you is the browser's conversion of the current DOM back to HTML, which is the reason for the uppercase tags and lack of self closing tags where applicable.
An XMLHttpRequest would be the best way to go. In most cases, assuming the server doesn't send the no-cache header, and the HTML page has finished downloading, the XMLHttpRequest would be almost instant because the file is fetched from the cache.
For accessing JS of the same origin, XMLHttpRequest is quite fine. You can have access to any JS document in "raw" format using this technique without the browser getting in the way (i.e. conversion to DOM and back).
I am not sure I understand your comment re: XMLHttpRequest being stupid : is it because you are worried about the potential duplication of work? i.e. getting the code 2times from the origin server.
I typically use FireBug when I want to peruse or copy source files.
So I saw a code snippet today and was horrified:
<p style='background-image: url("javascript:alert('foo');");'>Hello</p>
Is it possible to execute javascript from within CSS this way? (It didn’t work when I tested it on a clean Firefox profile, but maybe I made some stupid mistake here, but the concept works.)
If so, what means are there to prevent this, either with an HTTP header or by declarations made by the HTML itself (e.g. when sourcing CSS files from another server)?
If not, was this never possible or has this changed?
The current CSS spec says only "valid image formats" can be used in a background-image:
In some cases, an image is invalid, such as a ‘<url>’ pointing to a resource that is not a valid image format. An invalid image is rendered as a solid-color ‘transparent’ image with no intrinsic dimensions. [...] If the UA cannot download, parse, or otherwise successfully display the contents at the URL as an image, it must be treated as an invalid image.
The spec is silent on whether or not a javascript: url that returns valid image data would work -- it'd be an interesting exercise to try to construct one! -- but I'd be pretty darn surprised if it did.
User agents may vary in how they handle invalid URIs or URIs that designate unavailable or inapplicable resources.
(As #Kaiido points out below, scripts within SVG will not run in this situation either, so I'd expect the whole javascript: protocol to be treated as an "inapplicable resource".)
IE supports CSS expressions:
width:expression(document.body.clientWidth > 955 ? "955px": "100%" );
but they are not standard and are not portable across browsers. Avoid them if possible. They are deprecated since IE8.
Yes, in the past this attack vector worked (older browsers like IE6). I believe most modern browsers should protect against this kind of attack. That said, there can always be more complicated attacks that may get around current protections. If you are including any user-generated content anywhere, it is best to sanitize it before injecting it into your site.
It's possible to execute JavaScript where a URI is expected by prefixing it with javascript:. This is, in fact, how bookmarklets work. I don't think however that this would work with css url(), but it does with href or window.location.
say foo
I think whoever wrote that bit of code was confused about it.
I've been looking all over for this, and I think the problem is that I inherently suck at programming or scripting of any sort, and I don't know the right words to use...
Basically: I want to make a Chrome extension that reads the the innerText value from the ticketing system at the place I work with. As an example...
<span class="infomsg">Tickets Found [<span id="tickets_count">5</span>]</span>
The goal would be for the extension to display the text "5" over the icon.
What's the best way to do this? I've tried configuring the background.html page with an iframe with the URL with the ticket count as the source, but then I run into the cross-domain scripting issue. document.getElementById("tickets_count").innerHTML can't use a specified URL, as near as I've found.
I'm sure I haven't described it very well at all - totally floundering here, to be honest...let me know what I can clarify, and I'll edit my post.
Thanks!
It depends on whether the page you're looking at is static (e.g. the server sends you HTML with this information already in it) or dynamic (e.g. some JavaScript on the page requests additional information and then adds this to the page).
If it's static, you can use XHR to request the page and find the string you need in the "raw" HTML response. You can't use getElementById in that case - you'll need to find a way to find the string yourself.
If it's dynamic, that won't work. An iframe-in-the-background approach is valid - but you can't access the contents of the iframe. Instead, you should inject a content script in that page and request the information you need.
I understand it's a broad answer - but your question is also quite broad.
Is it, in any way, possible to disable the browsers execution of script inside a block/section/element ?
My scenario is, that I'm letting my (future) users create "rich content" (using CK-editor).
Content that wil later be shown to other users - with all the dangers that imply: xss, redirection, identity theft, spam and what not...
I've, more or less, given up on trying to "sanitize" the incomming XHTML, after seeing how many known "vectors of attack" there are: http://ha.ckers.org/xss.html
What I'm really looking for is something like:
< div id="userContent">< scriptOFF>
suspect HTML
< /scriptOFF>< /div>
The ideal way is to not accept html/javascript from the end users. If you are okay with that limitation, you just need to make sure you encode the output according to the appropriate context. Don't re-invent the wheel, just use an existing library for that purpose.
But if you must accept HTML, use a library like OWASP's ANTI-SAMY or HTML Purifier. They were built exactly for this purpose.
You have to sanitize the input, there is no way to selectively disable javascript that I know of.
It is important to use a whitelist of allowed tags, not a blacklist. That way it should be possible to do it safely.
Even if you used a "noscript" tag or a "textarea" tag its sill xss. Whats keeping the attacker from injecting closing tags?
< div id="userContent">< scriptOFF>
<?=$_GET['xss']?>
< /scriptOFF>< /div>
But its still xss:
http://localhost/xss.php?xss=< /scriptOFF>< /div> <script> alert(/still_xss/) </script>
Yes, but that would "whitelist" would be HUGE - and I'm far from competent enough to detect subtle loopholes, alá those described here: http://ha.ckers.org/xss.html
This would need to be a "community effort" - looking at HTML-purifier (http://htmlpurifier.org) now...
I just thought it would be great to have such a tag to prevent 99% of the XSS "vectors"
Can "anyone in power" please convince the browser-makers to implement it : )
Edit:
Alright. HTML-purifier it is!
- thanks to everybody for replying : )
#sri mentioned where to find "html5 iframe sandbox" information,
here is a test script.
What you should see is "Browser supports iframe sandbox attribute :)" is you are viewing in Chromium.
Might also get positive results in khtml/webkit based browsers like phone browsers.
Opera 11, Firefox 3.6 and Firefox4 have yet to implement the sandbox attribute.
Article explaining background and current state at gnubyexample.blogspot.com
No, but then again you should definitely not be allowing your users to hand-feed code into the page in the first place.
Don't attempt to sanitize Javascript; do not allow Javascript. In fact, do not allow HTML at all. Write your own limited markup language (ala BBCode) or allow a select few HTML tags if you really have to.
i.e. Be additive rather than subtractive with your security endeavours.
I need to link to a page that uses javascript to create the appearance of different pages. Each of the links on the page I am pointing to calls a javascript function that produces the "new" page. So, if I just link to the page, I get the default configuration. But what I need to link to is a particular configuration after the js function has run.
At first I thought I would be able to append the function to the url, but apparently that functionality is not supported for security reasons (is this correct?). Is it possible to post the values?
Does anyone know how I can display the correct configuration?
In the general case, no, it's not possible, which is why these sort of JavaScript-only pages are an inaccessible, unusable total pain in the neck and people should stop creating them, the idiots.
If you are lucky and the site you're talking about has actually Done It Properly, then they'll have used #fragment navigation, so when you click a link it does a history-able and bookmark-able navigation, updating the URL to one with a #something at the end that you can use to navigate back there. If you're really lucky, there might even be a fallback URL for non-JavaScript browsers that you could link to. But more often all there is is a JS function, which you can't link to or invoke outside of that site, leaving you quite out of luck should you want to deep-link anything.
(Did we learn nothing from the <frame> fiasco, guys? All you trendy webmasters hacking up clever-clever swooshy jQuery-animated load()-powered multiple-pages-in-one sites are churning out rubbish that is no better than the frame-addled worst of the Netscape 3 era. Stop it. Seriously.)
Okay, I was given the solution by a friend. It seems I should answer my own question. In fact, I felt a little silly once I saw how simple the solutions was. I just forgot how to plant "posts" in a URL. It seems the question itself was erroneous.
All I really needed to do was set some Javascript variables in a page I don't own. Solution looks something like this.
http://www.apage.com/control.aspx?var1=someVal&var2=someVal...&varn=someVal
Thanks to those who responded.
The owner of the page could do you a favour and provide a mechanism to run functions depending on a value in the querystring.
Otherwise there may be something that can be done with ajax but it could be messy.