Why is "javascript:" pseudo-protocol stripped from URL bar when pasted? - javascript

So with the most recent Facebook phishing scandal1, Google Chrome (and, I assume, other browsers) disabled the ability to paste javascript directly into your URL bar. Well, it still lets you, but it strips the javascript: part.
I'm trying to find a work around to be able to directly paste javascript into the URL. Test it out for yourself:
javascript: alert('Hello World');
instantly (for me at least) strips the "javascript:" part of the code only in Google Chrome.
1 Facebook Phishing Scandal - It's when people where copy-paste that JavaScript code into their URL and it'd invite all their friends to an event OR post something malicious on every friend's wall.

Next best thing workaround: Leave out the leading j when copying the snippet and add only that character manually:
mark (w/ mouse) from avascript:…
Ctrl+C
Ctrl+L
j
Ctrl+V
Enter

When coding a little yourself, you may find yourself needing to frequently prepend javascript: into the address bar.
Here are two ways to speed this up:
Add a search engine keyword entry with the keyword j and the URL javascript:%s.
Then you can do:
Ctrl+L
j
Space
Ctrl+V
(It also works like a charm, when you already have JS code in the address bar:
Home
j
Space
)
Autocompletion can save you a few keystrokes, if you don't want to create a search engine keyword entry.
It requires a quick preparation: Feed javascript into the address bar:
Ctrl+L
javascript
Enter
From then on, this shortcut is available:
Ctrl+L
j
(javascript should be proposed as completion. Otherwise repeat submitting javascript in the address bar, until your browser promotes it to default completion for j.)
End
:
Ctrl+V

Yes. Use normal developer console.

So with the most recent facebook phishing scandal, google chrome(and i
assume other browsers) disabled the ability to paste javascript
directly into your URL bar. Well it still lets you, but it strips the
"javascript: " part.
IE9 and FF added this "protection" too... only Opera holds, for now.
Still, it became even easier. Just trick your user to paste code into console. Same effect as with old snippets.

It is so in any version of Chrome. As I think they are trying to protect you from execution of dangerous code. There are some ways of solving it:
Paste then type javascript: by hand
Press F12, open console and execute the code (without javascript:) from there
Add javascript link to favourites and execute just by clicking
Make an extension or use some suitable one

Simply bookmark the bookmarklet (that's the term for javascript:...). Create an anchor which links to the bookmarklet, and ask the user to bookmark this link.
Example:
Bookmark this by dragging it on your bookmark bar
I've just tested it in FF7, and it works like a charm.

Related

Is it still possible to run javascript in the address bar [duplicate]

So with the most recent Facebook phishing scandal1, Google Chrome (and, I assume, other browsers) disabled the ability to paste javascript directly into your URL bar. Well, it still lets you, but it strips the javascript: part.
I'm trying to find a work around to be able to directly paste javascript into the URL. Test it out for yourself:
javascript: alert('Hello World');
instantly (for me at least) strips the "javascript:" part of the code only in Google Chrome.
1 Facebook Phishing Scandal - It's when people where copy-paste that JavaScript code into their URL and it'd invite all their friends to an event OR post something malicious on every friend's wall.
Next best thing workaround: Leave out the leading j when copying the snippet and add only that character manually:
mark (w/ mouse) from avascript:…
Ctrl+C
Ctrl+L
j
Ctrl+V
Enter
When coding a little yourself, you may find yourself needing to frequently prepend javascript: into the address bar.
Here are two ways to speed this up:
Add a search engine keyword entry with the keyword j and the URL javascript:%s.
Then you can do:
Ctrl+L
j
Space
Ctrl+V
(It also works like a charm, when you already have JS code in the address bar:
Home
j
Space
)
Autocompletion can save you a few keystrokes, if you don't want to create a search engine keyword entry.
It requires a quick preparation: Feed javascript into the address bar:
Ctrl+L
javascript
Enter
From then on, this shortcut is available:
Ctrl+L
j
(javascript should be proposed as completion. Otherwise repeat submitting javascript in the address bar, until your browser promotes it to default completion for j.)
End
:
Ctrl+V
Yes. Use normal developer console.
So with the most recent facebook phishing scandal, google chrome(and i
assume other browsers) disabled the ability to paste javascript
directly into your URL bar. Well it still lets you, but it strips the
"javascript: " part.
IE9 and FF added this "protection" too... only Opera holds, for now.
Still, it became even easier. Just trick your user to paste code into console. Same effect as with old snippets.
It is so in any version of Chrome. As I think they are trying to protect you from execution of dangerous code. There are some ways of solving it:
Paste then type javascript: by hand
Press F12, open console and execute the code (without javascript:) from there
Add javascript link to favourites and execute just by clicking
Make an extension or use some suitable one
Simply bookmark the bookmarklet (that's the term for javascript:...). Create an anchor which links to the bookmarklet, and ask the user to bookmark this link.
Example:
Bookmark this by dragging it on your bookmark bar
I've just tested it in FF7, and it works like a charm.

How can I achieve bookmarklet functionality in Microsoft Edge browser (without installing anything extra)?

Microsoft Edge browser does not support javascript bookmarklet in favorites.
Is there an easy workaround for this?
When browser extensions for Edge come out, then it might be possible if the user installs an extension -- but that's much higher overhead for the user and developer.
I assume this is by design. But what is the microsoft workaround for this besides extensions?
description of problem:
http://answers.microsoft.com/en-us/windows/forum/apps_windows_10-msedge/please-support-drag-and-drop-bookmarklet-and/dc7d2f09-8742-46a5-bb4a-4d1f576b8919
and old workaround: http://www.howtogeek.com/231775/how-to-install-and-use-bookmarklets-in-microsoft-edge/
a hack using an installed program:
http://www.emmet-gray.com/Articles/EdgeManage.html
After experimenting around, I found out that in fact EDGE does support bookmarklets, but they call it Reading list. It works almost like bookmarklets, but a bit more poorly and difficult to debug, plus there is a (logical) limitation that cannot be circumvented as easily as in say Firefox: if your script comes from a http:// site, it cannot be run on a https:// site.
You can use bookmarklets in Edge this way:
Right-click your button with your javascript:.... url.
Click Add to reading list.
Navigate to your site and run the script on that site by clicking Reading list (Reading list on my version of Edge on PC is located behind the three horizontal lines called Hub and then the fancy icon with many curled horizontal lines called Reading list, on mobile the Reading list icon appears above the address bar when you click the ... menu icon) and from that list clicking your script.
I have tested it AND IT WORKS ON BOTH PC EDGE AS WELL AS MOBILE EDGE (Mobile: Windows 10.0.14393). Hope this helps someone as I almost abandoned my Lumia for an Android mainly because of my perceived lack of this feature.
With Windows 10 Fall Creators Update, Edge now supports editing URLs for favorites.
Reference : https://blogs.windows.com/msedgedev/2017/10/17/edgehtml-16-fall-creators-update/
Edit URLs for favorites
By popular demand, we’ve added the ability to edit the address for
individual favorites in the Favorites Hub or on the Favorites bar.
To do this, simply right-click or press and hold a favorite and select
“Edit URL.”
Points to Note:
The javascript code that's pasted in place of the URL should be in a single line. [i.e. remove all the new line breaks.]
The javascript code should not exceed 2083 characters.
Now that Edge supports editing a URL on the favorite bar - simply do the following.
Add a favorite (doesn't matter what)
Use "Inspect element" from the bookmarklet button context menu (right-click)
Use "Edit URL" from the favorite (create in step 1) context menu (right-click)
Paste the bookmarklet URL
(tested on 41.16281.1000.0)
I know this is kinda an old question, but...
Now that Microsoft Edge stores its favorites in a database, the "old workaround" is no longer viable.
But, there is a free 3rd-party application called EdgeManage that will allow you to edit/create the URL directly in the favorite.
So, this will allow you to use bookmarklets in Edge
PS: I am the author
I'd be happy to discover a better work-around, but the closest I have found for MS Edge version 92.0.902.78 is a feature known as "Snippets". The devtools guide describes Snippets as alternatives to bookmarklets.
To add a "Snippet":
Open the dev tools (F12 or Ctrl-Shift-I or navigate: ...->"More Tools"->"Developer Tools")
Find the "Snippets" pane in the "Sources" panel
Click the "New snippet" button
Add your javascript code in the editor area and save
To run a "Snippet":
Right-click on the snippet name in the Snippets list of the developer tools and select "Run"
Each snippet is associated with a uri-looking link (like snippet:///add-library-proxy), but these don't appear to be recognized in bookmarks nor from in the address bar.

stop the event-listener operate while using website surfing

I like using the oxford dictionary site.
http://www.oxfordlearnersdictionaries.com/definition/english/loudly?q=loudly
Here is the website url when i searched a certain word, 'loudly'.
Hmm.. I'm chrome user and I also use a chrome-dictionary addon.
The feature of the dic-addon is that I can readily search a word just double click any words, then addon automatically find out what is mean by showing the little popup view located on the upper left corner of chrome browser.
The problem is, like the dic-addon, oxford dictionary site offer the same double click service.
In oxford dic site, if you just double click any words for search the meaning of word through chrome dic addon, suddenly they pick me up to a site where shows the definition of word that i double clicked, and addon's searching result page was canceled due to moved site url. How annoying.. :(
But I want to use only chrome dic addon double click feature.
And the more worse, I can't give up the use of oxford dictionary...
So.. There is any breakthrough to ignore the double click event in dictionary website?
If you open the developer tools (F12) on a page of http://www.oxfordlearnersdictionaries.com/ and they type $('.main-container').off('dblclick'); and hit enter this will disable oxfordleanersdictionaries double click feature. However this will need to be done each time you load a page.
If you know how to make Chrome Extensions you could create one that calls this code each time a www.oxfordlearnersdictionaries.com page is visited. Alternatively install something like Tampermonkey and add this line to a custom script.
I created a tampermonkey script with the following code and it works perfectly
setTimeout(function() {
$('.main-container').off('dblclick');
}, 1000);
Run at in the settings was set to document-end

Can a piece of code be dynamically placed on every webpage a user visit

So we have a program that the user can use by copying text from a webpage they visit, alt+tabbing to the program, then pasting it as input. It would be more convenient for users to be able to do it directly in the site.
We were thinking of a panel that would be small and expandable, following them to each site they visit. Is this possible? Either a snippet of code that is auto pasted, or a JavaScript command called that would dynamically paste the code (is Scratchpad any help here, at least in FireFox).
We've never made a FF add-on, but it seems like if the dynamic panel idea falls through, an add-on would be the next best thing.
Basically, users should ideally be able to copy text, either enter a key combo or click a button, see the interface and paste in the text. Would either of these methods work?
A browser add-on or a userscript could certainly do this.
You can also write a userscript and use a user script compiler (such as this one) to convert it to a "true" Addon.
Alternatively your application could act as a HTTP proxy and inject it dynamically, but I'd guess that this would probably be more complicated than the other two approaches.
This site Polyvore used to do something similar, although in the 2 mins hunting around I could not find it, but I have used it and I think the technique was used by Google and Digg for a while. From what I recal it involved iframes and a bookmark in your browser.
Basically you could download a small piece of code that would sit in your bookmarks bar and this would allow you to navigate to a fashion website click on the bookmark copy a picture and insert it back into Polyvore.

What percentage of followed hyperlinks might have their "onclick" JavaScript ignored?

As far as I know all popular web browsers execute the onclick attribute of an anchor link first, then follow the path specified by the href attribute.
The problem here is that the onclick attribute only gets called when clicking with the left mousebutton (without pressing ctrl or shift for a new tab or window) or when pressing enter on your keyboard while the tabIndex is set to the link you want to follow.
But there are many other ways of following a link than just those two.
Ctrl + click
shift + click
rightmousebutton + open
rightmousebutton + new tab
drag & drop link to address bar
and so on...
My client uses onclick for conversion statistics. Which seems heavily unreliable.
My question:
What percentage of hyperlinks are being followed without activating their onclick attribute?
All estimates are highly appreciated. I'm completely lost; I think it can be any number...
Aside from those of us who habitually middle-click/ctrl-click to open links in new tabs, there's another major cause of onClick failure: NoScript and similar plugins which allow javascript to run only when it comes from whitelisted sites. If your domain isn't on my whitelist, then your onClick won't run, no matter how I trigger the link.
If you want reliable stats on which pages people are visiting, there's only one bulletproof source for that: The web server logs.
The logs are probably also your best bet for tracking how people move throughout the site, but they're not entirely reliable, as some privacy-paranoid users will falsify their referer headers or just not send them at all, but I expect that to be far less common than disabling javascript.
It depends. If the audience is more technically inclined, I'd assume that using alternative ways of following a link would be more common. All in all, though, even a lot of technical people seem to be unaware of things like clicking the middle mouse button to open or close a tab. If that's the case with technical people, I wouldn't be surprised if almost no one in the general audience used it.
The links are all exit-links. I was thinking of a PHP script that does the counting of clicks.
Though this is not the subject of your question, you might want to have a look at Google Analytics then. They are The Master in tracking you. They track right-clicks (even when not actually selecting "open in new window" after that, which they obviously cannot know), which will yield Ajax calls to http://www.google.com/url.
To see Analytics in action: with Adblock and the like disabled, search something on google.com and open up Live HTTP Headers in Firefox (or your Firebug Net tab in Firefox, or WebKit's Resources pane in Safari or Chrome, sorted by time). Next, click, right-click, shift-click or control-click any search result (preferably a result that does not require a lot of HTTP traffic by itself, or is in your browser's cache).
the onclick attribute only gets called when clicking with the left
mousebutton (without pressing ctrl or shift for a new tab or window)
Not entirely true. I created a quick test at JS Bin, to show that modifier keys do not affect the onclick event. (For right-click, one should use the oncontextmenu event.)
What are you doing in your onclick handler that you are worried about not working? e.g. if you have a regular link to a page... and the onclick just opens that same page in a pre-sized popup for user convenience in a web application... then there's likely no issue (e.g. CTRL+Click) still opens the page, it just gets opened in a new tab)
If you are just trying to "log" every click in the site/application for tracking purposes then maybe you can hook into the onmousedown/up or focus/blur events instead/also.

Categories

Resources