Is there a way to send javascript commands to an open web running in a browser from the shell?
Let's say I have stackoverflow.com open with Chrome. Well, I'd like to send something like
alert('hi!');
from the shell, with something similar to the following:
$ send -t Chrome -w "stackoverflow.com" -c "alert('hi!')"
I was wondering this, because if I can write alert('hi!') on the javascript console of Chrome, I should be able to do the same with a call somewhere, right?
I've seen node.js but I think is not possible with that, please, let me know if I'm wrong.
I know the question could seem weird but I'm curious, thanks in advance :)
You can send JavaScript to Firefox through the jssh extension.
http://www.croczilla.com/bits_and_pieces/jssh/
This is what the Watir testing framework uses to automate Firefox.
I don't know of an equivalent for Chrome.
For IE seems like you can use good old VBScript: http://www.autohotkey.com/forum/topic7642.html
Worked for me just fine now with IE8. :)
Edit: to open this very question and alert JS value have this code as .vbs file and run it:
Dim oIE
Set oIE = CreateObject("InternetExplorer.Application")
oIE.Visible = 1
oIE.Navigate "http://stackoverflow.com/questions/4992552/send-javascript-code-to-browser/4992812"
Do While (oIE.Busy)
Wscript.Sleep 10
Loop
oIE.Navigate "javascript:alert(fkey);"
I think it is possible if you write and install some browser addon that would receive your signal, and do the job. Interesting question, ill be tracking it.
It is entirely up to the browser to provide this sort of functionality. In fact, the form of your problem isn't specific even to browsers:
I was wondering this, because if I can [provide some sort of input] to [a program] to make it [do something], I should be able to do the same with a call somewhere, right?
Some programs do indeed provide hooks for scripting, but if they don't, you're out of luck. There is certainly no guarantee that if you can do something via the GUI, then you can trigger the same action from a command line call.
Now the fact that most browsers provide some sort of plugin architecture, makes it much more likely that such a plugin exists that will listen for external input in this way, if this functionality is missing in the base product.
However, this is still going to be very specific to the particular model and even version of the browser you want to control - so if it's something you wanted to release into the wild, you'll need to be very specific with your requirements.
You can send arbitrary code to browser through the address bar! For example in AutoHotKey style,
send F6 //focus the address bar
send ctrl+v //given that your code is in clipboard
send enter
Now there is another question. Can we get the return value of the inject code? The answer is YES!
Assign your return value to document.title, and retrieve the window title from your application.
If the return value is too long (eg. a JSON format string), do the trick that
document.title='calculating...';
document.title=returnValue.subString(0,20);
sleep(10);
document.title=returnValue.subString(20,40);
sleep(10);
document.title=returnValue.subString(40,60);
...
document.title='finished';
Hope it works.
Related
Never trust the client. It's my coding mantra. All javascript can, with enough effort, be overwritten or compromised. The thing I want to understand is how.
Let's say I wrote a function checkStep() for a game - each time the player moves one space, it polls the server to check for any events: HP regeneration, enter random battle, move to next map, etc. I asked myself "self, how would I go about rewriting or disabling this function?" Research turned up some conflicting results. Some sources say functions can be directly redefined from the console, others say it would be a much more involved process.
My question is this: what would a player have to do to rewrite or disable my checkStep() function? Can they simply redefine it from the console? Would they have to rip, modify, and re-host my code? How would you do it?
Please note, I'm not asking how to make this function secure.
The first person to leave an answer/comment along the lines of "you
can try minifying it, but it still wont be secure" or "put in some
server-side checks" is getting bludgeoned with a semicolon, as an
example to the rest.
You could use a web debugging proxy like Fiddler to do this for your local machine. Programs like this allow you to intercept content you download and fiddle with it. So you could write a new version of the function, then use the program to replace it with your version when the file is downloaded from the server. Then, for your local machine, the code would run with the new function in place. The web session manipulation page on the Fiddler site has a few more details.
There is no reason to use any Javascript or browser a even.
If a normal user can use their browser to play the game then any user can use any program to communicate with the server and send it anything they want. The server is not able to know if someone is using a browser to connect to it or not.
This applies to anything. A game server doesn't know if the user is connecting to it through the official game client. Since the official game is closed source it would be easy to fall into trusting it even though it is possible to reverse engineer the protocols used and use anything to connect to the server.
Complex things like creating a malicious game client, or using a proxy to alter content before it makes it to the browser are technically valid points, however that seems like a lot of effort for something which is very simple to do.
var checkStep = function() {
... // your original function
}
// later on
checkStep = function() {
alert('foo');
}
It is perfectly valid in JavaScript to change what function a variable holds. Any function you define can be redefined on the client side. This can be done by other script files loaded by the browser which use conflicting variable names, scripts injected via XSS, or by the user bringing up the console.
I have the following scenario in front of me:
I am using Selenium to drive my browser to fill a few forms, which works really well.
Now I am at the point, where I also want to upload files via the given webform (can't change how it's processed, can only manipulate the Javascript/HTML/DOM). As I have found out, for security reasons the file upload window pops up right away, when clicking into the field. And also manipulation via normal Javascript isn't possible. Makes sense as well...
I have found out though, that a Firefox Add-On is supposed to be able to do this. The closest I have come to an answer is another Stack Overflow thread on this topic. If I got this working for me, that would be awesome! :-) But unfortunately I didn't, yet...
Minimal example:
<form method="post" url="http://www.example.com">
<input type="file" id="fileInput"/>
</form>
when calling (from the console in Firebug)
document.getElementById('fileInput').value = "C:\\image.png";
in get "Error: The operation is insecure." which is what I expect.
When calling the same in a contentScriptFile in a Firefox Add-On (I am using the add-on builder to create it) the script simply breaks without an error. My indicator for that is, that I do see the alerts before, but none after that line
Now the question is not so much why I don't get an error, but:
1. Am I on the right track? Is this supposed to work?
2. How do I make this work? I am not sure whether the mentioning of the "chrome authority" in the above link is relevant for me. Do I have to extend the scripts privileges somehow? If so, how?
Thank you!
Sandro
P.S. When I tried to set the value via jQuery, Firefox crashed completely.
P.P.S. At the moment this is only supposed to work on my personal machine, cross browser issues or similar things thus aren't relevant
I have now found a solution, that works. Part of the problems seems to have been that I have been using the Selenium VBA wrapper. I then tried it with the C# implementation with a quick Powershell script and it worked like a charme.
Summary:
Original goal: upload a file wit a given form using Selenium
Solution: use SendKeys method on the input element of type 'file' to give full path to file
Sample script in Powershell:
add-type -path C:\path\To\the\dll\on\your\harddrive\webdriver.dll
$driver = New-Object OpenQA.Selenium.Firefox.FirefoxDriver
#the following page contains an element <input type='file' id='fileInput'/>
$driver.Url = "http://pathToTheSite.com/fileUploadFormPage.html"
$element = $driver.FindElementById("fileInput")
$element.SendKeys("C:\Image.png")
Done!!! The file is attached and the form submitted in one go
I'm trying to use Python to download a voice file (mp3) from this site:
I've tried to use mechanize and twill but I haven't got the proper result. I've heard about selenium as well. Anyway, I don't even know if it makes sense technically (mechanize + Javascript).
I was looking for an answer and finally I've found this solution.
It seems like a similar problem to mine but I have absoutely no idea what should I put instead of the 4th line.
If you have any proposition (maybe completely different to mine) I'll be glad to see it.
(Moving to answer to get more space)
Thanks for pointing me to selenium, I didn't know that and it looks cool; anyways: I had a quick look and the js seems to fire an ajax request, that yields no apparent result -- I guess the audio transfer is done some way in the background via flash or so; anyways: what about using the service they offer: developer.ivona.com instead of trying hacking your webservice out of the demo interface..?
Anyways, here it is the hacked web-service you asked for:
This is the URL you want to GET:
"http://www.ivona.com/voicetest.php?rtr=1&t2r=%(the_text)s..&v2r=dXNfc2FsbGk.&lang=us" % dict(
the_text=base64.b64encode("Hello, world!"),
the_voice=base64.b64encode("us_salli"),
)
You can test that with, for example, mplayer:
mplayer "http://www.ivona.com/voicetest.php?rtr=1&t2r=SGVsbG8sIHdvcmxkIQ==..&v2r=dXNfc2FsbGk.&lang=us"
And, from Python, use urllib to retrieve and store somewhere.
Beware that, since this is an unauthorized use, you might get blocked / incur in legal issues / etc. -- don't use in a production application!
Hey all, I've been trying to throw together a generic function that retrieves the absolute URL of an executing JavaScript file on a web page:
http://gist.github.com/433486
Basically you get to call something like this:
getScriptName(function(url) {
console.log(url);
// http://www.example.com/myExternalJsFile.js
});
inside an external JavaScript file on a page and can then do something with it (like find the <script> tag that loaded it for example).
It works great in almost all the browsers I've tested (Firefox, Chrome, Safari, Opera v10 at least, and IE 8).
It seems to fail, however, in IE 6 and 7. The callback function gets executed, but the retrieved name is the URL to the main HTML page, not the JavaScript file. Continuing with the example, getScriptName invokes the callback with the parameter: http://www.example.com/index.html
So all I'm really asking is if there's some other way of getting the URL of the current JavaScript file (which could be IE 6 and 7 specific hackery)? Thanks in advance!
EDIT: Also, this won't work in every case, so please don't recommend it:
var scripts = document.getElementsByTagName("script");
return scripts[scripts.length-1].src;
I'd like it to work in the case of dynamically created script tags (possibly not placed last in the page), aka lazy-loading.
A lot of this depends on what you have access to. If, as it appears, you are trying to do this entirely within the JS code, I do not believe that you are able to do it, for some of the reasons shown above. You could get 90% of the way maybe, but not be definitive.
If you are working in a dotnet environment ( which is the only one I know ), I would suggest the use of a module that would intercept all JS requests and add into them the request location, or something of that nature.
I think you need to address this from the server side, not the client side. I do not think you will have a definitive answer form the client side. I think you will also struggle to get an answer from the server side, but you might be more successfull.
Sorry, I suspect you might struggle with this. IE earlier than version 8 typically gives error messages from javascript errors of the form:
line: 342
char: 3
error: expected identifier, string or number
code: 0
url: http://example.com/path/to/resource
where the url is the window.location.href, rather than the URL of the external Javascript resource that contains the problem. I suggest that IE gives the unhelpful URL value since the script URL isn't available to IE at that point, and neither is it available to any Javascript you might write to try to display it.
I would love to be able to link to IE8 release notes which say this bug / feature has been fixed, hence the reason I created this as community wiki. My MSDN foo is pretty weak!
I try to get to a page straight from Bash at http://www.ocwconsortium.org/. The page appears when you write mathematics to the field at the top right corner. I tested
open http://www.ocwconsortium.org/#mathematics
but it leads to the main page. It is clearly some javascript thing. How can I get the results straight from Bash on the first page?
[Clarification]
Let's take an example. I have the following lines for a Math search engine in .bashrc:
alias mathundergradsearch='/Users/user/bin/mathundergraduate'
Things in a separate file:
#!/bin/sh
q=$1
w=$2
e=$3
r=$4
t=$5
open "http://www.google.com/cse?cx=007883453237583604479%3A1qd7hky6khe&ie=UTF-8&q=$q+$w+$e+$r+$t&hl=en"
Now, I want something similar to the example. The difference is that the other site contains javascript or something that does not allow me to see the parameters. How could I know where to put the search parameters as I cannot see the details?
open "http://www.ocwconsortium.org/index.php?q=mathematics&option=com_coursefinder&uss=1&l=&s=&Itemid=166&b.x=0&b.y=0&b=search"
You need quotes because the URL contains characters the shell considers to be special.
The Links web browser more or less runs from the commandline (like lynx) and supports basic javascript.
Even though the title of the post sounds general, your question is very specific. It's unclear to me what you're trying to achieve in the end. Clearly you can access sites that rely heavily on javascript (else you wouldn't be able to post your question here), so I'm sure that you can open the mentioned site in a normal browser.
If you just want to execute javascript from the commandline (as the title suggests), it's easy if you're running bash via cygwin. You just call cscript.exe and provide a .js scriptname of what you wish to execute.
I didn't get anything handled by JavaScript - it just took me to
http://www.ocwconsortium.org/index.php?q=mathematics&option=com_coursefinder&uss=1&l=&s=&Itemid=166&b.x=0&b.y=0&b=search
Replacing mathematics (right after q=) should work. You may be able to strip out some of that query string, but I tried a couple of things and and it didn't play nice.
Don't forget to encode your query for URLs.
You will need to parse the response, find the URL that is being opened via JavaScript and then open that URL.
Check this out: http://www.phantomjs.org/.
PhantomJS it's a CLI tool that runs a real, fully-fledged Browser without the Chrome.