I am having trouble understanding the file extension .phtml .From what i have read, it is supposed to be a way of using html and php together(please correct me if i am mistaken). What i am trying to do is very simple, I have a php variable, and if it fulfils a certain condition, some html code should be executed, if not some other html code should be executed. The code i have is:
<html>
<head>
</head>
<body>
<?php
$code = "dk";
?>
<?php if($code == "dk"): ?>
<p>
1</p>
</br>
<?php else: ?>
<p>
2</p>
</br>
<?php endif; ?>
</body>
</html>
The output I get when I save and run it as a .php file is only "1", but with .phtml I get "1 2". Can someone explain me why?
You need to configure to run .php/.phtml extensions, so
AddType application/x-httpd-php .php .phtml .html in your httpd.conf file to run phtml file
else you will see the whole code block like if you save the above code in xyz.phtml and run it via http://localhost/xyz.phtml
EDIT
After URL provided in the comments I checked the link and found your PHP code is actually rendered in the View source..please check yourself by viewing the source of this page, so 1 2 is rendered as a part of HTML u mentioned but since the server is not able to understand it silently induced the PHP logical code as well without going into the logical implementation part, hope it makes sense to you.
LINK PROVIDED
One of PHP files' strengths / weaknesses is that you can easily mix PHP and HTML.
In your case, I think your server is not configured to interpret as PHP files that end in .phtml, so the PHP is entirely ignored. Have a look at the page source of the page that outputs "1 2" to see if it's true.
You can have any extension you want be interpreted as PHP, even .html, but that will cause extra overhead of course. If you're running Apache, and want .phtml to be parsed too, adding a line like
AddType application/x-httpd-php .php .phtml
Should do the trick. Choosing a different extension can help hide that you're using PHP, if you're not already using mod_rewrite.
There is no difference between .phtml and .php files. They are both intended to be a php code, which might have some HTML parts.
Your problem is that your server does not know, how to treat .phtml files. You can change the file extension to php (usually after installing the PHP changes your server settings automatically), or accept swapnesh's or J Griffiths's answer.
In fact PHP can parse any file with any extension, it might be even .html or .jpg, if you like. This does not matter*), as the header is most important.
Your code is correct from the PHP point of view, you need to change the server settings.
*) it can in some older Internet Explorer browsers
Try this:
<p>
<?php echo (($code == "dk") ? "1" :"2"); ?>
</p>
</br>
This will work on both .php and .phtml
Don't know why you are doing code redundant this is optimize code also.
Related
Basically, I've a webserver, where I stated in my nginx conf, to show every .cpp as plain text - but I want to make a syntax highlight for more readability.
Any idea how could I proceed?
I want to use google highlights, so any idea about how to insert before an html file before and after every .cpp would suffice.
I thought and tried in the far past using header and footer tags in nginx conf, with no luck whatsoever.
Thanks in advance!
cheers!
As was already pointed out, Nginx is not quite suitable for generating HTML documents by itself. Usually this is a job for a server-side processing language like PHP or Perl. However, there are several ways of solving the problem solely with Nginx.
The first obvious choice would be to use a server-side processing language from within Nginx. There are at least three optional modules for three different languages (Perl, Lua and a dialect of Javascript) that could be used for that.
The problem with this approach is that these modules are rarely available by default, and in many cases you will have to build Nginx manually to enable any of them. Sometimes it can be painful, because as soon as you get your own custom build of Nginx, you will have to support and upgrade it yourself.
There is, however, another option, which involves SSI. It might not be the prettiest solution but it will work. And unlike above-mentioned modules, the SSI support comes with almost every distribution of Nginx. My bet is, your Nginx can do SSI out of the box, without having to compile anything.
So, the configuration goes like this:
# Define a special virtual location for your cpp files
location ~* \.(cpp|h)$ {
# Unless a GET parameter 'raw' is set with 'yes'
if ($arg_raw = 'yes') {
break;
}
# Redirect all the requests for *.cpp and *.h files to another location #js
try_files #js #js;
}
location #js {
ssi on; # Enable SSI in this location
default_type text/html; # Tell the browser that what is returned is HTML
# Generate a suitable HTML document with an SSI insertion
return 200 '<!DOCTYPE html>
<link rel="stylesheet" href="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/styles/default.min.css">
<script src="//cdnjs.cloudflare.com/ajax/libs/highlight.js/9.9.0/highlight.min.js"></script>
<script>hljs.initHighlightingOnLoad();</script>
<pre><code class="cpp"><!--# include virtual="$uri?raw=yes" --></code></pre>';
}
Now here is what happens if you request some *.cpp file in your browser:
The request goes to the first location, because the URI ends with cpp.
Then it is redirected to the second location #js, because there is no GET parameter raw in your request.
In the second location the SSI template is generated with return and then immediately processed by the SSI engine because of ssi on.
The include virtual="$uri?raw=yes" tells the SSI engine to make another request (subrequest) from within Nginx to the originally requested file (the internal variable $uri stores the original URI, that is the web path to your cpp file). The difference between the request from your browser and the subrequest made by Nginx is ?raw=yes.
The subrequest again is handled by the first location, but it never goes to the second one, because of the raw GET parameter. In this case the raw contents of the cpp file is returned as a response to the subrequest.
The SSI engine combines this response with the rest of the template and returns the result to the browser. Additionally, default_type tells the browser to render the result as an HTML document.
You can see an example of the output here. I used this highlighting library for this example. You can change it with whatever you prefer simply modifying the SSI template.
I tested site for vulnerables (folder /service-contact) and possible XSS DOM issue came up (using Kali Linux, Vega and XSSER). However, i tried to manually test url with 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown, only the html code showed up in contact form box.
I am not sure i used the right code (i'm a rookie) or did the right interpretation. Server is Apache, using javascript/js.
Can you help?
Thanks!
This is Not Vulnerable to XSS, Whatever you are writing in the URL is Coming in Below Form section ( Vraag/opmerking ) . And the Double Quotes (") are Escaped. If you try another Payload like <script>alert(/xss/)</script> That Also won't work, Because this is Not Reflecting neither Storing. You will see output as a Text in Vraag/opmerking. Don't Rely on Online Scanners, Test Manually, For DOM Based XSS ..Check Sink and Sources and Analyze them.
The tool is right. There is a XSS-Vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the javascript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note to testing for XSS injection: Chrome/Chromium has a XSS protection. So this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with: --disable-web-security (see this StackOverflow Question and this for more information).
Is this a bug? I have codes in template file like:
<div class="row" id="tags">
{%include 'y.html'%}
</div>
then jinja2 will render as:
But I never have any quotes in my template. And if I directly place codes in y.html in div section, this problem won't happen.
So, If I have to use include tag, How can I eliminate those annoying quotes?
EDIT:
Thanks for Daniel Roseman, the quotes only exist in Chrome tools, not in the actual html code. BUT:
If I use Chrome browser and use include tag, the layout is abnormal:
If I use Chrome browser and don't use include tag , the layout is OK:
So, there must be something wrong with jinja2 or chrome.
If it is caused by Jinja2, then how to solve this problem? Thanks.
EDIT2:
more strange things: if I move the <div class="row" id="tags"></div> into y.html, the problem will disappear even if I still use include tag.
This may be the solution, but still I don't why.
This isn't Jinja2 doing anything. This is your just your browser's developer tools. The actual HTML will be fine.
I have a simple HTML Form
<form id="uploadForm" method="post" action="/cgi-bin/test.cgi" enctype="multipart/form-data">
<input type="submit" name="add_something" value="add">
<input size="50" type="file" name="myFile" accept="application/zip">
</form>
In addition I do some web page localization on server side by checking user browser locale or searching for a self set language session cookie.
If I upload a file with
Iron 18.0.1050.0
Opera 11.64.1403
Firefox 3.6.27
Firefox 12.0
Google Chrome 19.0.1084.52
SeaMonkey 2.9.1
all works fine. But If I upload a file with
IE 9.0.8112.16421
Maxton 3.3.8.3000
the localization fails. I detected the issue inside the HTTP request:
Opera 11
Content-Disposition: form-data; name="myFile"; filename="ziptest.zip"
Content-Type: application/zip
and IE 9
Content-Disposition: form-data; name="myFile"; filename="C:\Documents and Settings\m1krsch\Documents\Now Some Spaces\ziptest.zip"
Content-Type: application/x-zip-compressed
If I remove the spaces from the path all works fine in IE and Maxton.
Neighter can I exchange the used cgicc library because it is fixed part of the project nor can I force a user to use a path without spaces. How can I circumvent this issue? Is there a way to force IE/Maxton to use the filename instead of the abolute filepath? Or can I set a specific parameter in cgi/env to prevent transmission of abolute filepath?
[EDIT]
I found out that this is a security issue in IE and Maxton. The security zone model of IE allows by default to "Include local directory path when uploading files". I can disallow this behaviour only by changing the client configuration but I am still searching for an application-based solution.
[/EDIT]
Try replacing the spaces with '%20':
"C:\Documents%20and%20Settings\m1krsch\Documents\Now%20Some%20Spaces\ziptest.zip"
I found a stupid error in my localization code. I am using RapidXML for this and encapsulate the whole localization code and RapidXML headers in one class. Unfortunately I did not read the documentation very careful. The data inside vector<char> object - which is holding the XML document data - is not copied into the XML document object xml_document<> by using the parse() method as expected. This looks like procedural C code to me and is in my opinion bad OOD. The documentation says:
3.1 Lifetime Of Source Text
In-situ parsing requires that source text lives at least as long as the document object.
The problem vanished when I corrected my code to get a global vector<char> object inside my localization class.
Nevertheless I am perplexed why mostly all other browsers have no problem with my old code.
I saw this guy approach into organizing PHP projects http://net.tutsplus.com/tutorials/php/organize-your-next-php-project-the-right-way/comment-page-1/#comments and i liked it, but since the head.php will be the same to all pages how can i put JS scripts only in the pages that need them?
Well, first off, putting JavaScript in the bottom of a page tends to yield the best results, but, to answer your question: if you have scripts that are only relevant to one page, you could save that script with the same name as that PHP page (obviously with a .js extension instead), and then inject the file name into the script reference. I'd also maybe add a flag so that you only look for a JS file when the flag is true:
<?php
$usesJS = true;
$filename = "somerandomname";
if($usesJS){
echo( '<script src="/js/' . $filename . '.js"></script>' );
}
?>
This would print out something like <script src="/js/somerandomname.js"></script>
Another option is to create an include file for each page and code your script tags as normal inside the include, and then reference the include. I did something like that for a simple site I did where each page had a different jQuery setup and only one needed a plugin.