Why do Facebook's JSONP callbacks start with "/**/" - facebook-graph-api

When I used Facebook's Open Graph API, I noticed that the JSONP responses generated by Facebook seemed to have an extraneous "/**/" at the beginning of each response like this:
URL:
https://graph.facebook.com/SOME_ID?method=get&pretty=0&sdk=joey&callback=FB.__globalCallbacks.f1c77f051c
Response:
/**/ FB.__globalCallbacks.f887adeec(...);
Why is this?

We added this to protect against an attack where a third party site bypasses the content-type of the response by doing: <object type="application/x-shockwave-flash" data="http://graph.facebook.com?callback=[specifically crafted flash bytes]"></object>
Google does something similar, except they use //... + \n (e.g. http://www.google.com/calendar/feeds/developer-calendar#google.com/public/full?alt=json&callback=foo)
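As an added example (not Facebook's or Google's code), here is a JSONP response builder that applies both defences the answer above describes: the callback name is validated against a strict identifier grammar, and the body is prefixed with `/**/` (or Google's `//` plus newline) so its first bytes are never chosen by the caller, which is what stops a crafted callback from doubling as a Flash or other non-script file.

```javascript
// Added example, not Facebook's or Google's code: a JSONP reply whose leading bytes are fixed.
// Callback grammar: dotted JS identifiers such as FB.__globalCallbacks.f887adeec, nothing else.
const SAFE_CALLBACK = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function jsonpBody(callback, payload, style = 'comment') {
  if (typeof callback !== 'string' || callback.length > 128 || !SAFE_CALLBACK.test(callback)) {
    throw new Error('invalid JSONP callback name');
  }
  // Older JS engines treat U+2028/U+2029 as line terminators even inside string literals,
  // and JSON.stringify leaves them raw, so escape them to keep the script well-formed.
  const json = JSON.stringify(payload)
    .replace(/\u2028/g, '\\u2028')
    .replace(/\u2029/g, '\\u2029');
  // Facebook's prefix is "/**/ ", Google's is "//" plus a newline; both are inert JavaScript,
  // and either guarantees the response cannot begin with caller-controlled bytes.
  const prefix = style === 'line' ? '//\n' : '/**/ ';
  return `${prefix}${callback}(${json});`;
}

// Headers to send with the body: declare it as script and forbid browser MIME sniffing.
function jsonpHeaders() {
  return {
    'Content-Type': 'application/javascript; charset=utf-8',
    'X-Content-Type-Options': 'nosniff',
  };
}
```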

Certainly to prevent XSSI... so you can't execute it...
Here is a French blog post about that (via Google Translate): http://maxime.sh/2013/02/javascript-quest-ce-que-le-xssi-et-comment-leviter/

To prevent XSSI
Look into the Facebook Graph documentation for more help:
https://developers.facebook.com/docs/opengraph/overview/

Seems like Facebook is using a scrubber on their JSON, and it's just leaving the remaining comment holder at the beginning. Most likely they leave comments there for debugging purposes, but in production the actual comments are scrubbed.

Related

Get page insights and post insights in the same request

Hello, I am trying to get page-level insights and post-level insights in the same request but can't seem to get the syntax correct.
page id /published_posts?fields=permalink_url,created_time,message,shares,reactions.limit(0).summary(1),comments.limit(0).summary(1),insights.metric(post_reactions_by_type_total,post_impressions_unique,page_posts_impressions_organic)&since=yesterday
This is my request for now, but I want to add page insights like page_fans and page_fans_city.
How can I do that?
You are using the published_posts endpoint there already, you can not go back “up” to the page object from there. You need to rewrite the whole thing so that you use the page id itself as the basic endpoint, and then request everything else via the fields parameter. The trick is to get the syntax and nesting right …
/page-id?fields=insights.metric(page_fans,page_fans_city),published_posts{…}
should work, inside the {…} you then put all the original fields you requested from the published_posts endpoint before, so
/page-id?fields=insights.metric(page_fans,page_fans_city),published_posts{permalink_url,
created_time,…,insights.metric(post_reactions_by_type_total,post_impressions_unique,
page_posts_impressions_organic)}
And &since=yesterday then just goes at the end again, after all that.
To have the since limitation still apply on the post level, it apparently needs to be added on that “field” again, syntax similar to .metric():
?fields=…,published_posts.since(yesterday){…}

Read AICC Server response in cross domain implementation

I am currently trying to develop a web activity that a client would like to track via their Learning Management System. Their LMS uses the AICC standard (HACP binding), and they keep the actual learning objects on a separate content repository.
Right now I'm struggling with the types of communication between the LMS and the "course" given that they sit on two different servers. I'm able to retrieve the sessionId and the aicc_url from the URL string when the course launches, and I can successfully post values to the aicc_url on the LMS.
The difficulty is that I can not read and parse the return response from the LMS (which is formatted as plain text). AICC stipulates that the course start with posting a "getParam" command to the aicc_url with the session id in order to retrieve information like completion status, bookmarking information from previous sessions, user ID information, etc, all of which I need.
I have tried three different approaches so far:
1 - I started with using jQuery (1.7) and AJAX, which is how I would typically go about a same-server implementation. This returned a "no transport" error on the XMLHttpRequest. After some forum reading, I tried making sure that the ajax call's crossdomain property was set to true, as well as a recommendation to insert $.support.cors = true above the ajax call, neither of which helped.
2 & 3 - I tried using an oldschool frameset with a form in a bottom frame which would submit and refresh with the returned text from the LMS and then reading that via javascript; and then a variation upon that using an iFrame as a target of an actual form with an onload handler to read and parse the contents. Both of these approaches worked in a same-server environment, but fail in the cross-domain environment.
I'm told that all the other courses running off the content repository bookmark as well as track completion, so obviously it is possible to read the return values from the LMS somehow; AICC is pitched frequently as working in cross-server scenarios, so I'm thinking there must be a frequently-used method to doing this in the AICC structure that I am overlooking. My forum searches so far haven't turned up anything that's gotten me much further, so if anyone has any experience in cross-domain AICC implementations I could certainly use recommendations!
The only idea I have left is to try setting up a PHP "relay" form on the same server as the course, having the front-end page send values to that, and using the PHP to submit those to the LMS and relay the return text from the LMS to the front-end iframe or ajax call so that it would be perceived as being within the same domain... I'm not sure if there's a way to solve the issue without going server-side. It seems likely there must be a common solution to this within AICC.
Thanks in advance!
Edits and updates:
For anyone encountering similar problems, I found a few resources that may help explain the problem as well as some alternate solutions.
The first is specific to Plateau, a big player in the LMS industry that was acquired by SuccessFactors. It's some documentation they provide on setting up a proxy to handle cross-domain content:
http://content.plateausystems.com/ContentIntegration/content/support_files/Cross-domain_Proxlet_Installation.pdf
The second I found was a slide presentation from SuccessFactors that highlights the challenge of cross-domain content and illustrates some back-end ideas for resolving it, including the use of reverse proxies. The relevant parts start around slides 21-22 (page 11 in the PDF).
http://www.successfactors.com/static/docs/successconnect/sf/successfactors-content-integration-turley.pdf
Hope that helps anyone else out there trying to resolve the same issues!
The answer in this post may lead you in the right direction:
Best Practice: Legitimate Cross-Site Scripting
I think you are on the right track with setting up a PHP "relay." I think this is similar to choice #1 in the answer from the other post and seems to make most sense with what you described in your question.
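The server-side "relay" the question proposes and the answer endorses, as an added example written for Node (18+, for the global fetch) rather than PHP; it is not the poster's code and not from the Plateau or SuccessFactors documents. The LMS hostname is a constructed placeholder, and the request and response field names follow the AICC HACP binding. The one check a relay must have is an allowlist of LMS hosts: aicc_url arrives from the client, so without it the relay is an open proxy.

```javascript
// Added example, not from the question or the linked vendor documents: the server-side
// "relay" the poster proposes, written for Node (18+, for global fetch) instead of PHP.
// The LMS host below is a constructed placeholder. Field names follow AICC HACP.
const ALLOWED_LMS_HOSTS = new Set(['lms.example.com']);

// Forward only to a known LMS over https. Without this check the relay is an open proxy that
// any page can point at arbitrary or internal hosts, since aicc_url arrives from the client.
function checkAiccUrl(aiccUrl) {
  let u; try { u = new URL(aiccUrl); } catch (e) { return null; }
  return u.protocol === 'https:' && ALLOWED_LMS_HOSTS.has(u.hostname) ? u : null;
}

// HACP requests are form-encoded: command, version, session_id, plus aicc_data for putParam.
function hacpBody(command, sessionId, aiccData) {
  const p = new URLSearchParams({ command, version: '4.0', session_id: sessionId });
  if (aiccData !== undefined) p.set('aicc_data', aiccData);
  return p.toString();
}

// The LMS answers as plain text: error=, error_text=, version= lines, then aicc_data= followed
// by an INI-style block ([Core], [Core_Lesson], ...). AICC keys are case-insensitive; lower-cased here.
function parseHacpResponse(text) {
  const idx = text.search(/^aicc_data=/im);
  const out = { error: null, error_text: '', sections: {} };
  for (const line of (idx >= 0 ? text.slice(0, idx) : text).split(/\r?\n/)) {
    const m = line.match(/^(\w+)=(.*)$/);
    if (m) out[m[1]] = m[1] === 'error' ? Number(m[2]) : m[2].trim();
  }
  if (idx < 0) return out;
  let section = null;
  for (const raw of text.slice(idx + 'aicc_data='.length).split(/\r?\n/)) {
    const line = raw.trim();
    if (!line || line.startsWith(';')) continue;
    const s = line.match(/^\[(.+)\]$/);
    if (s) { section = s[1]; out.sections[section] = {}; continue; }
    const kv = line.match(/^([^=]+)=(.*)$/);
    if (kv && section) out.sections[section][kv[1].trim().toLowerCase()] = kv[2].trim();
  }
  return out;
}

// One relayed command; the course page on this origin calls this instead of the LMS directly.
async function relay(aiccUrl, command, sessionId, aiccData) {
  const target = checkAiccUrl(aiccUrl);
  if (!target) throw new Error('aicc_url is not an allowed LMS');
  const res = await fetch(target, { method: 'POST',
    headers: { 'Content-Type': 'application/x-www-form-urlencoded' },
    body: hacpBody(command, sessionId, aiccData) });
  return parseHacpResponse(await res.text());
}
```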

HTTP Requests when using REST

I'm trying to write a REST API. I honestly do not know anything about REST structure, so I've done some research and found a valuable piece of information: one of the key things that separates REST from other structures is that it utilizes the 'GET', 'POST', 'PUT' and 'DELETE' requests of HTTP.
This might come out silly, but how can I control the request type? For example, if I code it and simply enter a URL www.example.com/users/1234, how will my server side analyze whether it's a GET, POST, PUT or DELETE request?
Sorry if I'm asking an obvious question, but I would love to have some information related to this subject.
A good place to start is by looking at the SO wiki associated with the rest tag. This is a part of SO that is so often overlooked as a great source of information. Just hover over the tag and select the "info" link.
Since you mentioned LAMP, I post here a minimal PHP script which is aware of the method being called:
<?php
// $_SERVER['REQUEST_METHOD'] holds the HTTP verb the client used (GET, POST, PUT, DELETE, ...)
if ($_SERVER['REQUEST_METHOD'] == "POST") {
    echo "Got a POST Request";
} else {
    echo "Got a non-POST Request";
}
?>
Look at this document which describes a lot of 'standard' PHP variables containing information about and content from the request, and so on:
http://www.php.net/manual/en/reserved.variables.server.php
If you install and run Apache with the PHP module enabled, and serve a PHP file like the above, requesting that file from a client will return the appropriate string.

How can I retrieve all comments on a Facebook post using the php SDK?

I'm building an app which allows users to post articles to their Facebook wall. When an article is posted, I retrieve the post id and store that in the database along with the rest of the article details. Now I want to be able to show the comments made on that post when someone views the article on my site; I would also like to allow users to add comments to the post from my site.
I know that the user is always logged into Facebook when they are viewing the article, as the system checks for that earlier on.
I've been using the PHP SDK, and thought all I had to do was something like:
$post_comments = $facebook->api('/' . $post_id . '/comments');
However, when I do this, I get the following error:
Fatal error: Uncaught GraphMethodException: Unsupported get request. thrown in /APP_PATH/facebook/src/facebook.php on line 560
I really don't have much of a clue what I'm doing here, to be honest, as I'm very new to the Facebook Graph API, and I can't seem to find a lot of documentation on it.
Can anyone tell me what I should be doing here, or point me to some documentation I could read about it?
Thanks!
It should work.
Here is the code I am using which is working for me.
$comments = $facebook->api($postid . '/comments');
Make sure your postid is a valid one.
Alternatively, you can directly type that URL in the browser to get details like this:
https://graph.facebook.com/<postedid>/comments
Please refer to this link for further reference:
http://developers.facebook.com/docs/reference/api/Comment/
I don't know what your PHP library is doing, but you can actually access comments by reading graph.facebook.com/<post_id>/comments. Indeed, try with this one from the doc.
Are you sure of your post id? Try to call the buggy function with 19292868552_118464504835613 as post id. It has to work.

How to handle Script Attack in application

We are facing issues of JavaScript getting embedded into the message body; the following is the code snippet of the JavaScript:
} {*\htmltag241 var
DanaShimData="var DSJsFuncs =
,null,,,,[{nm:\"Refresh\",lcnm:\"refresh\",flg:0xb},{nm:\
\"Install\",flg:0xf},{nm:\"writeln\",flg:0x3f},{nm:\
"GotoURL\
\",flg:0xe},{nm:\"AddRoot\",lcnm:\"addroot\",flg:0xb},{nm:\
\"LoadURL\",lcnm:\"loadurl\",flg:0xb},{nm:\"addRule\
",flg:0xf},
{nm:\"postURL\",lcnm:\"posturl\",flg:0x12},{nm:\
"replace\ \",flg:0x12f},],[{
Could anyone please let us know if you have observed such occurrences / findings.
Any help is appreciated.
Thanks,
Sudipta Ghosh
Try to use HTMLCodeFormat() or HTMLEditFormat().
See docs.
There is a project called 'AntiSamy' (http://www.antisamy.net/) which uses policy files to combat XSS attacks that are provided by big sites like Slashdot and eBay. You may want to look at extracting the AntiSamy code to help you.
Here is a post by Peter Freitag on using AntiSamy without ColdBox.
http://www.petefreitag.com/item/760.cfm
Here are the docs for the ColdBox Framework:
http://wiki.coldbox.org/wiki/Plugins:AntiSamy.cfm
Also make sure you use cfqueryparam, CAPTCHAs or some sort of session authentication on form posts.