Content not appearing in body - XSS

I have a file a.html, which has the following content:
<script>
  var x = document.URL.substring(document.URL.indexOf('#') + 1);
  document.write(x);
  alert(document.body.innerHTML);
</script>
<body>
</body>
When I browse to a.html#somevalueh;alert(1)</script>, why does only "somevalueh;alert(1)" appear inside the body, but not the </script> portion?
I am using Chrome, by the way. Is it a feature that prevents XSS? Does it work by stripping </script>, or ...?

Chrome has default protection against Reflective XSS attacks. In Chrome there is a flag with which you can start the browser. If you start the browser with this flag, you can do what you want:
--disable-web-security
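The URL-fragment-to-document.write sink from the question, shown beside two hardened renderings, as an added example that is not code from the question or the answer. It assumes a DOM-like element object with a textContent property, so it also runs under Node without a browser.

```javascript
// Added example, not code from the question or answer above: the same
// URL-fragment-to-document.write sink beside two hardened renderings.
// Assumes a DOM-like element object with a textContent property, so it also
// runs under Node without a browser.

// Mirrors document.URL.substring(document.URL.indexOf('#') + 1) from the question,
// except that a URL with no '#' yields '' instead of the whole URL
// (indexOf returns -1, and -1 + 1 = 0 would select everything).
function fragmentOf(url) {
  const i = url.indexOf('#');
  return i === -1 ? '' : url.substring(i + 1);
}

// Sink as written on the page: the fragment reaches document.write as raw HTML,
// so any markup in it is handed to the HTML parser.
function unsafeMarkup(url) {
  return fragmentOf(url);
}

// Hardened form 1: HTML-encode before the value is inserted as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function safeMarkup(url) {
  return escapeHtml(fragmentOf(url));
}

// Hardened form 2: assign to textContent so the value is never parsed as HTML at all.
function renderAsText(url, el) {
  el.textContent = fragmentOf(url);
  return el.textContent;
}

// Stand-alone demo with the fragment from the question (constructed URL).
if (typeof document === 'undefined') {
  const demoUrl = 'https://example.test/a.html#somevalueh;alert(1)</script>';
  console.log('raw markup:', unsafeMarkup(demoUrl));
  console.log('escaped   :', safeMarkup(demoUrl));
  console.log('as text   :', renderAsText(demoUrl, { textContent: '' }));
}
```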

CloudFront not caching html file

I am using the default cache setting, which is 24 hours.
However, when I refresh the page, I see the updated HTML page every time. Why is the file not cached for 24 hrs? I didn't set any invalidation mechanism.
Here's the URL: https://dhr5io29ip73w.cloudfront.net/
HTML file content:
<html>
  <h1>Test</h1>
  <p id='myTime'></p>
  <script>
    var d = new Date().toLocaleTimeString();
    document.getElementById('myTime').innerHTML = d;
  </script>
</html>
Your page includes JavaScript. The JavaScript code runs in the web browser. That means each time you load the page, your web browser executes those JavaScript statements in the <script> tag which includes updating the page with the current time.
CloudFront just caches the raw HTML of the page. It doesn't cache the rendered result.

Access denied when embedding quicksight URL

I am trying to embed an AWS QuickSight dashboard into our application but I am having some trouble with the embed process. The URL has been generated correctly, but I get a permission denied error when I attempt to embed it.
I am able to load the generated URL directly in a new tab but when I attempt to embed it I get a 401 error.
I have whitelisted the domain in the Quicksight console and am accessing the page over HTTPS. The complete test page is shown below.
The following code is what I am using to test embedding. It was taken from an Amazon example.
<!DOCTYPE html>
<html>
<head>
  <title>My Dashboard</title>
  <script src="https://unpkg.com/amazon-quicksight-embedding-sdk/dist/quicksight-embedding-js-sdk.min.js"></script>
  <script type="text/javascript">
    function embedDashboard() {
      var containerDiv = document.getElementById("dashboardContainer");
      var params = {
        url: "<link that works in a standalone browser tab>",
        container: containerDiv,
        parameters: {
        },
        height: "700px",
        width: "1000px"
      };
      var dashboard = QuickSightEmbedding.embedDashboard(params);
      dashboard.on('error', function(err) { console.log('dashboard error:', err); });
      dashboard.on('load', function() {});
    }
  </script>
</head>
<body onload="embedDashboard()">
  <div id="dashboardContainer"></div>
</body>
</html>
Amazon sends a 302, followed by a 401, which results in a frame with the error message "We can't display this page (Not Authorized)".
The first request in the image fetches a fresh link from the server and the subsequent two are the framing attempt.
I would expect that if something was wrong with my authorization then loading the link in its own tab would not work. I think the issue must be with the frame but don't know what other options to check beyond the whitelist.
Does anyone have any idea what else I can try?

Getting started with cfwebsocket

I can't seem to get any sample app working. I'm trying to run a simple websocket 101 starter app that does nothing more than log something to console.
I have cfws directory in my webroot C:\inetpub\wwwroot, and I'm working in C:\inetpub\wwwroot\site\.
I have enabled web sockets in the cfadmin, with "use proxy" option, port 8579.
The code I'm running is:
index.cfm:
<html>
<head>
  <title>Example One</title>
  <script language="javascript">
    function messageHandler(msg) {
      console.log("messageHandler Run");
      console.dir(msg);
    }
  </script>
</head>
<body>
  <h1>Example One</h1>
</body>
</html>
<cfwebsocket name="myWS" onMessage="messageHandler" subscribeTo="news">
Application.cfc:
component {
  this.name = "cfwack2_1";
  this.wschannels = [{name:"news"}];
}
I run the code and there are no errors, but I don't see the expected log in the console.
So far every sample app I've tried does five eighths of nothing. Any help appreciated.
You may have a typo in your Application.cfc. According to the docs here, it should look like this:
component {
  this.name = "cfwack2_1";
  this.wschannels = [{name="news"}];
}
An = (equal sign) instead of a : (colon) after name.
The documentation also shows that the JavaScript function should accept an event and a token value. Here is the example from the documentation.
<script type="text/javascript">
  function mymessagehandler(aevent, atoken)
  {
    var message = ColdFusion.JSON.encode(atoken);
    var txt = document.getElementById("myDiv");
    txt.innerHTML += message + "";
  }
</script>
<cfwebsocket name="mycfwebsocketobject" onmessage="mymessagehandler" subscribeto="news">
<cfdiv id="myDiv"></cfdiv>

How do I get control back to my app from the pop-up which comes up in QuickBooks OAuth

I'm trying to implement OAuth1 for QuickBooks, using the Python library requests_oauthlib. My problem is that I tried setting up the QuickBooks OAuth as suggested by QuickBooks, inserting the QuickBooks button.
The sample code provided was:
<html xmlns="http://www.w3.org/1999/xhtml" xmlns:ipp="">
<head>
  <meta http-equiv="Content-Type" content="text/html; charset=ISO-8859-1">
  <title>My Connect Page</title>
  <script type="text/javascript" src="https://appcenter.intuit.com/Content/IA/intuit.ipp.anywhere-1.3.2.js">
  </script>
  <script type="text/javascript">
    intuit.ipp.anywhere.setup({
      grantUrl: 'http://www.mycompany.com/HelloWorld/RequestTokenServlet',  /* comma was missing; without it this is a syntax error */
      datasources: {
        quickbooks : true,
        payments : false
      },
      paymentOptions: {
        intuitReferred : true
      }
    });
  </script>  <!-- closing tag was missing, which left the rest of the page inside the script -->
</head>
<body>
  <ipp:connectToIntuit></ipp:connectToIntuit>
</body>
</html>
But what it does is, it opens a new pop-up-like window and goes through the OAuth process, but I am not able to figure out how to get control back to my app when the redirect happens to the redirect URL mentioned, with the access token. Now the redirect URL is also opened within the pop-up window.
But what it does is, it opens a new pop-up-like window and goes through the OAuth process,
This is expected behavior. This should happen. The entire OAuth process takes place within the pop-up.
Now the redirect URL is also opened within the pop-up window.
It should be; this is good.
All you have to do is use window.close() to close the pop-up once the OAuth process completes.
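One way to hand the result back to the opener before the pop-up closes, as an added example that is not Intuit's sample or SDK code: the redirect-URL page inside the pop-up posts the OAuth 1.0a callback parameters to the opener with postMessage and then calls window.close(). It assumes APP_ORIGIN is a placeholder for your own site's origin, that the redirect URL is served from that origin, and that the window and event objects are passed in so the code also runs under Node with stand-in objects.

```javascript
// Added example, not Intuit's sample or SDK code: the redirect-URL page inside
// the pop-up hands the OAuth 1.0a callback parameters to the opener with
// postMessage and then closes itself, as the answer above suggests.
// Assumptions: APP_ORIGIN is a placeholder for your own site's origin; the
// redirect URL is served from that origin; win/event objects are passed in so
// the code also runs under Node with stand-in objects.

const APP_ORIGIN = 'https://app.example.test'; // placeholder, use your real origin

// Pull oauth_token and oauth_verifier out of the callback query string.
function parseCallbackQuery(search) {
  const q = new URLSearchParams(search);
  const token = q.get('oauth_token');
  const verifier = q.get('oauth_verifier');
  if (!token || !verifier) return null;
  return { type: 'qb-oauth-callback', oauth_token: token, oauth_verifier: verifier };
}

// Runs on the redirect-URL page in the pop-up (win === window there).
function popupCallback(win) {
  const msg = parseCallbackQuery(win.location.search);
  if (msg && win.opener) {
    // Explicit target origin: never '*', or whichever page opened us could read the verifier.
    win.opener.postMessage(msg, APP_ORIGIN);
  }
  win.close();
  return msg;
}

// Runs in the opener: window.addEventListener('message', e => handleOpenerMessage(e, cb)).
// Only messages from our own origin with the expected shape are accepted; the
// verifier is then exchanged for the access token server-side, e.g. with
// requests_oauthlib as in the question.
function handleOpenerMessage(event, onCallback) {
  if (event.origin !== APP_ORIGIN) return false;
  const d = event.data;
  if (!d || d.type !== 'qb-oauth-callback' || typeof d.oauth_verifier !== 'string') return false;
  onCallback(d);
  return true;
}
```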

Django debug console shows double GET for a single page request

I'm running the developer's Django server while writing a simple view and it seems whenever I request a page, the console shows that there are 2 GETs for the same URL. What would cause this to happen? I'm not using any redirects, so I don't see how a 2nd request would be made?
EDIT: It appears to be caused by the template. Changing to a blank html file for a template resolved the issue. The question is why? I have multiple {% if %} {% endif %} sections, with no elses. Could that be an issue?
It also could be Firefox following a W3C directive under which it's supposed to dual load if certain tags come empty or broken, for example, an <img> without a src="" etc. That being said, I saved off the rendered HTML on receipt and moved it into a static file, where I added the same headers as the real checkout and a small DB log of all accesses.
I just stumbled upon this problem and fixed it by removing my <img> with src="".
Please confirm whether Django is redirecting after appending a slash to your URL. It's the APPEND_SLASH property in your settings.py that controls that.
The second request is probably caused by a mis-configured asset link - a script, style or img tag which is empty or omits the initial / and is therefore re-requesting the page.
It could be your shortcut/favicon.
Do you have link rel="shortcut icon" in your page template? Comment it out to see if it removes the second request.
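A check for the two causes the answers above point at (an asset tag with an empty src/href, or one whose path is relative without a leading slash), as an added example that is not from the thread. It scans a rendered template as a string; SAMPLE_HTML is constructed input, not a real Django template.

```javascript
// Added example, not from the thread: scan rendered HTML for asset tags whose
// src/href is empty or relative without a leading '/', the cases the answers
// above blame for the extra GET. SAMPLE_HTML is constructed input, not a
// real Django template.

const SAMPLE_HTML = `<html><head>
<link rel="shortcut icon" href="favicon.ico">
<script src="/static/app.js"></script>
<script src=""></script>
</head><body>
<img src="" alt="spacer">
<img src="https://cdn.example.test/logo.png">
</body></html>`;

const ASSET_TAG = /<(img|script|link|iframe|source|video|audio)\b([^>]*)>/gi;
const REF_ATTR = /(?:^|\s)(src|href)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i;

// '' makes the browser re-request the current document; a bare relative path
// resolves against the current path, which is rarely what the template meant.
function classifyRef(value) {
  const v = value.trim();
  if (v === '') return 'empty';
  // scheme, root-relative, protocol-relative or fragment-only: not suspect
  if (/^(?:[a-z][a-z0-9+.-]*:|\/|#)/i.test(v)) return null;
  return 'relative';
}

// Returns one record per suspect tag: { tag, attr, value, problem }.
function findSuspectAssetRefs(html) {
  const hits = [];
  ASSET_TAG.lastIndex = 0;
  let m;
  while ((m = ASSET_TAG.exec(html)) !== null) {
    const a = REF_ATTR.exec(m[2]);
    if (!a) continue; // tag without src/href requests nothing
    const value = a[2] || a[3] || a[4] || '';
    const problem = classifyRef(value);
    if (problem) hits.push({ tag: m[1].toLowerCase(), attr: a[1].toLowerCase(), value, problem });
  }
  return hits;
}

console.log(findSuspectAssetRefs(SAMPLE_HTML));
```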
In my case: I have the same JavaScript code in 2 files: one in the base template and the same one in another template. As I use Ajax to avoid reloading the whole page, I got the call 2x, then 4x, and 8x, ...
The solution is to use the JavaScript code only in mybase.html.
Here is my JS code:
<script type="text/javascript">
  // jQuery code here
  $(document).ready(function(){
    // GET
    $(".ajax_onglet_get").click(function(e){
      var lien = $(this).attr('href');
      $('#zone_travail').fadeOut('fast', function(){
        $('#zone_travail').load(lien, function() {
          $('#zone_travail').fadeIn('fast');
        });
      });
      e.preventDefault();
    });
  });
</script>