Email link doesn't work properly after # sign - ColdFusion

I have a simple link that opens an email.
When I open the email in IE, it seems that if the address has a "#" sign, it doesn't show whatever is after the sign, and it only happens in IE.
For example, if the address is: 1234 santa cruz #123 st avenue
then after the # sign it won't show anything.
Any ideas on why it's happening and how to fix it?
<a href="mailto:test@test.org?subject=Update
&body=
Account: #trim(Account)#%0d
Address: #trim(Address1)#, #trim(comments)# %0d "> (Request Update) </a>
</cfif>

You can use the URLEncodedFormat() function to fix these kinds of issues while working with URLs. The following code will fix your issue.
<!--- encode after trimming, so leading/trailing spaces are removed instead of becoming %20 --->
<a href="mailto:test@test.org?subject=Update
&body=
Account: #URLEncodedFormat(trim(Account))#%0d
Address: #URLEncodedFormat(trim(Address1))#, #URLEncodedFormat(trim(comments))# %0d"> (Request Update) </a>
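The same problem seen from the browser side, as an added example that is not part of the question or the answer above: a `mailto:` link is a URL, so an unencoded `#` in the data starts the fragment and everything after it is dropped, and an unencoded `&` or `=` in the data becomes an extra mailto parameter (for instance a `bcc=`). The field values, the `test@test.org` address and the two helper functions are constructed for this example.

```javascript
// Added example (not from the original post): building a mailto: link from
// user-supplied fields, first the way the question does it, then percent-encoded.
// The addresses and field values are constructed test data.

// Naive version, mirroring the question's template: values are dropped into the
// URL unencoded and lines are separated with a literal %0D.
function naiveMailto(to, subject, fields) {
  const body = Object.entries(fields)
    .map(([label, value]) => `${label}: ${value.trim()}`)
    .join("%0D");
  return `mailto:${to}?subject=${subject}&body=${body}`;
}

// Safe version: trim first, then percent-encode the whole body once, so '#', '&',
// '=', '?' and line breaks inside the data travel as %23, %26, %3D, %3F, %0D%0A
// instead of being read as URL structure or as extra mailto parameters.
function safeMailto(to, subject, fields) {
  const body = Object.entries(fields)
    .map(([label, value]) => `${label}: ${value.trim()}`)
    .join("\r\n");
  return `mailto:${to}?subject=${encodeURIComponent(subject)}&body=${encodeURIComponent(body)}`;
}

// Parse a mailto: link with the WHATWG URL parser (what a browser does before
// handing the link to the mail client) and report which parts survive.
function inspectMailto(link) {
  const url = new URL(link);
  const params = new URLSearchParams(url.search);
  return {
    body: params.get("body") ?? "",          // decoded body parameter
    extraParams: [...params.keys()].filter((k) => k !== "subject" && k !== "body"),
    fragment: url.hash,                       // whatever a '#' in the data turned into
  };
}

// Constructed input: an account number with stray whitespace, a comment that
// tries to smuggle a bcc= parameter, and the address from the question.
const SAMPLE_FIELDS = {
  Account: " 1234 ",
  Comments: "call first&bcc=attacker@example.net",
  Address: "1234 santa cruz #123 st avenue",
};

// Convenience wrappers so the two results can be compared side by side.
function naiveResult() {
  return inspectMailto(naiveMailto("test@test.org", "Update", SAMPLE_FIELDS));
}
function safeResult() {
  return inspectMailto(safeMailto("test@test.org", "Update", SAMPLE_FIELDS));
}
```

With the naive link, `naiveResult()` shows the body cut off before `#123`, the rest of the address sitting in the fragment, and a `bcc` parameter that the mail client will honour; with `safeResult()` the body is intact and there are no extra parameters. This is the same reason the ColdFusion answer wraps each value in `URLEncodedFormat()`.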

Related

Can I send requests to the server from HTML rendered in email?

I am trying to implement the following functionality.
The server sends an email to a user who doesn't necessarily have an account on the server.
In the email, the user is asked to rate a certain model (send a request to the server).
Can I make it in such a way that the user can click the button and doesn't get redirected to some other page, but sends the request directly to the server?
<div>
<p> Hi {{ user }}, </p>
This e mail is to kindly ask you to rate {{ job_seeker }}, who previously
worked with you.
Please rate him from 1 to 3 below.
<button onclick="some function that won't work in email">1</button>
<button>2</button>
<button>3</button>
</div>
I am using Django.
No, you can't execute JavaScript in email templates.
Due to serious security issues, most email clients block JavaScript from executing. That's why your redirection script doesn't work.
The solution is to use an <a> tag with a URL that specifies the page link instead of <button>.

Anchor tag does not act properly; instead it shows the full string inside cfmail content

I've written some functionality for the send-email process. I've set the mail server details in the admin settings and written the code below for sending email. I can successfully send and receive email to my Gmail account. But here I've added a paragraph with an anchor tag whose value is "click me".
<cfoutput>
<cfmail from="test@gmail.com" to="test@gmail.com" username="myemail@gmail.com" password="mypass" port="587" subject="Change title" >
<p> I'm from test link click Me 2! </p>
</cfmail>
</cfoutput>
The issue is that in my email, "click me" is not received as a link. Instead it displays the entire HTML of the anchor tag. FYR, please refer to my email content image.
Note: I've already tried cfsavecontent too, but it doesn't help.
Could anyone help with this? Why does this happen? Thanks in advance.
Add type="html" to your cfmail tag. That should indicate to the end user's email client that the message should be displayed as an HTML page instead of just plain text.

a href attribute for Skype chat

I am trying to create an <a> tag leading to a Skype chat.
The problem is that Skype did not give me an ID. People find me only using my first and last name.
I tried this but it didn't work.
<a href="skype:John Doe?chat">
See the blank space? John &nbsp; Doe.
How can I type it so it works properly?
E.g., I do not want to use my phone number.
Thank you
The values need to be escaped. <a href="skype:John%20Doe?chat">
Alright, so I found a workaround.
I added myself from a new account to see what my ID is.
It has this form: live:b3e263c856585e34
So I used this <a href="skype:live:b3e263c856585e34?chat"> and it worked fine.
Strange, but it works.

Regular expression to match case insensitive string

We have a form on our website where at the very end the user has to type "SIGNED BY ME, [Name of the User]" in a text box before he or she can submit it. It is part of the requirement that the user has to digitally sign the form. The validation code for the text box is below:
<input type="text" placeholder="SIGNED BY ME, YOUR NAME" maxlength="500" value="" id="agreedment2_agreed_sign" name="agreedment2_agreed_sign" data-val="true" data-val-required="Please sign in the box" data-val-regex="SIGNED BY ME, @Model.Fullname.ToUpper()" data-val-regex-pattern="^signed by me, @Model.Fullname.ToLower()|SIGNED BY ME, @Model.Fullname.ToUpper()$">
<span class="field-validation-valid" data-valmsg-for="agreedment2_agreed_sign" data-valmsg-replace="true"></span>
The jQuery validation works fine if the user (say, John Smith) enters the text as "SIGNED BY ME, JOHN SMITH" or "signed by me, john smith". But it doesn't work if the user enters mixed case like "Signed by me, John Smith". I have tried adding the modifier "/i" to the regex pattern, which didn't work. I also tried adding data-val-regex-insensitive="true" to the input. It didn't work either.
Any suggestions on how I can achieve this?
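An added example, not part of the question above: the attribute value ends up in `new RegExp(pattern)` with no flags, which is why a trailing `/i` has no effect, so one way to get case-insensitive matching is to generate a pattern in which every letter is a two-member character class. The same generator also escapes regex metacharacters in the user's name, which the original pattern does not do, so a name like "O'Brien (Jr.)" would otherwise be parsed as regex syntax. The `signaturePattern` and `validatesLikeUnobtrusive` helpers are my own; the latter mirrors the full-match check that jquery.validate.unobtrusive's `regex` adapter applies (match at index 0 covering the whole value).

```javascript
// Added example (not from the original post): a case-insensitive pattern that
// works when the consumer compiles it with new RegExp(pattern) and no flags.

// Escape anything in the user's name that the regex engine would treat as syntax.
function escapeRegex(s) {
  return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
}

// Turn each ASCII letter into a two-member character class so the pattern matches
// either case without the "i" flag: "ab" -> "[aA][bB]". Escapes are applied first,
// and escape sequences contain no letters, so they are left intact.
function caseInsensitivePattern(literal) {
  return escapeRegex(literal).replace(/[a-zA-Z]/g, (ch) => `[${ch.toLowerCase()}${ch.toUpperCase()}]`);
}

// The value the server would emit into data-val-regex-pattern for a given user.
function signaturePattern(fullName) {
  return `^${caseInsensitivePattern(`SIGNED BY ME, ${fullName}`)}$`;
}

// What the client-side "regex" adapter does with the attribute: compile without
// flags, then require a single match that covers the whole value.
function validatesLikeUnobtrusive(value, pattern) {
  const match = new RegExp(pattern).exec(value);
  return Boolean(match && match.index === 0 && match[0].length === value.length);
}
```

The same pattern should be used server-side (the `RegularExpressionAttribute` or equivalent), since client-side validation is only a convenience and can be bypassed by posting the form directly.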

Cross Site Scripting with Hidden Inputs

My company gave me the task of resolving all security issues with a particular application. The security team reported a cross-site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but they say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there are a number of XSS questions on the site, but none seem to hit this topic.
So, I am not sure why, but my original hunch was correct. The script can be put in as a URL parameter. For some reason, though, this was not working with our staging site, only when running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
Install the [TamperData][1] add-on in Firefox, which lets you edit the data before submitting. It doesn't matter whether it's in a POST or a GET.
By using this, hidden fields can be edited.
What you want to do to fix the problem is to HTML-attribute-encode the value before putting it inside the value attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL-encoded, I think your guess about including it as a GET parameter seems reasonable.
I used the OWASP ESAPI API as the legacy JSPs didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.Parameter() which I also needed, as in:
String userURL = request.getParameter("userURL");
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
link
}
and:
String name = (String) request.getParameter("name");
name = ESAPI.validator().getValidInput("name", name, "SafeString", 35, true);
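To make the reported finding concrete, here is an added example that is not part of the question or either answer: it decodes the reported payload the way the container decodes a request parameter, renders the hidden field the way `value="${param.eventId}"` does, and then renders it through an HTML attribute encoder of the kind `fn:escapeXml` and `ESAPI.encoder().encodeForHTMLAttribute` provide. The `encodeForHTMLAttribute` function here is my own minimal version, written in JavaScript to keep the example self-contained; it is not the ESAPI or JSTL implementation.

```javascript
// Added example (not from the original post, JSTL or ESAPI): the reported payload
// against the vulnerable hidden field, beside an attribute-encoded rendering.

// The payload exactly as reported in the security finding.
const REPORTED_PAYLOAD = "%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e";

// Decode a query/form parameter the way the servlet container would.
function decodeParam(raw) {
  return decodeURIComponent(raw.replace(/\+/g, " "));
}

// Vulnerable rendering: the equivalent of value="${param.eventId}" in the JSP.
// The first '"' in the payload closes the attribute and the rest becomes markup.
function renderHiddenVulnerable(eventId) {
  return `<input type="hidden" name="eventId" value="${eventId}"/>`;
}

// Minimal HTML attribute encoder: every character that can end a quoted
// attribute or start a tag or entity is replaced by a named/numeric entity.
const ATTR_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };

function encodeForHTMLAttribute(s) {
  return s.replace(/[&<>"']/g, (ch) => ATTR_ENTITIES[ch]);
}

// Hardened rendering: the equivalent of value="${fn:escapeXml(param.eventId)}".
function renderHiddenSafe(eventId) {
  return `<input type="hidden" name="eventId" value="${encodeForHTMLAttribute(eventId)}"/>`;
}

// Reverse of encodeForHTMLAttribute, to show the browser still sees the
// original value as data: the form field round-trips, only the markup is gone.
function decodeAttributeValue(encoded) {
  const reverse = { "&amp;": "&", "&lt;": "<", "&gt;": ">", "&quot;": '"', "&#x27;": "'" };
  return encoded.replace(/&(amp|lt|gt|quot|#x27);/g, (m) => reverse[m]);
}

// Case-insensitive check, because the payload's mixed-case sCrIpT is there
// precisely to slip past filters that only look for lowercase "<script".
function containsScriptTag(html) {
  return /<script/i.test(html);
}
```

Note that the fix is output encoding at the point of reflection, not input filtering: a blacklist for `<script` would have been beaten by the mixed-case tag, and a 403 from a WAF on staging (as the asker saw) only hides the bug while the local build still pops the alert.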