I am working on a DotNetNuke application using the iFinity URL Master module. (that may be irrelevant, as a solution may be platform independent)
What I have is a site with addresses based on language.
so
www.thesite.com/en/products/towels/redtowel
is the english version and
www.thesite.com/de/products/towels/redtowel
is the german version.
What I need to do is allow a user (who has already visited the site and set a cookie with their language) to be able to go to www.thesite.com/products/towels/redtowel and get to www.thesite.com/en/products/towels/redtowel if their cookie is set to english, and /de/products/towels/redtowel if it is set to german.
How would I do this?
if it was me and i didnt want to spend a lot of time programming I would look at something like this
http://www.snowcovered.com/snowcovered2/Default.aspx?tabid=242&PackageID=10059
then it could do a redirect based on the cookie - otherwise with iFinity I think you can do that sort of but not exactly. (I may be wrong on that - not a fan of iFinity url rewriter)
Related
I am using redirectTo() function with params to redirect to another pages with a query string in the url. For security purpose this does not look appealing because the user can change the parameters in the url, thus altering what is inserted into the database.
My code is:
redirectTo(action="checklist", params="r=#r#&i=#insp#&d=#d#");
Is there anyway around this? I am not using a forms, I just wish to redirect and I want the destination action/Controller to know what I am passing but not display it in the url.
You can obfuscate the variables in the URL. CfWheels makes this really easy.
All you have to do is call set(obfuscateURLs=true) in the config/settings.cfm file to turn on URL obfuscation.
I am sure this works with linkTo() function. I hope it works with RedirectTo() funcation as well. I do not have a set up to check it now. But if doesn't work for RedirectTo(), you can obfuscateParam() and deObfuscateParam() functions to do job for you.
Caution: This will only make harder for user to guess the value. It doesn't encrypt value.
To know more about this, Please read the document configuration and defaults and obfuscating url
A much better approach to this particular situation is to write params to the [flash].1 The flash is exactly the same thing as it is in Ruby on Rails or the ViewBag in ASP.Net. It stores the data in a session or cookie variable and is deleted at the end of the next page's load. This prevents you from posting back long query strings like someone that has been coding for less than a year. ObfuscateParam only works with numbers and is incredibly insecure. Any power user can easily deobfuscate, even more so with someone that actually makes a living stealing data.
Where can I make changes if I want to make permanent changes in cookie-path value for my website. will that be in context.xml or web.xml or will that be using newCookie.setPath() method only? The server is Tomcat 6.0. I did look online but have not found anything, to the point.
Its just that there is some problem with the session tracking and admin thinks that this requires changing path of my session cookies from /site-folder to /. Is he wrong?
It might not be something considered good programming trick, but to change the sessioncookiepath value, web-app>METAINF>context.xml file is the place. For perticulary my problem, putting following code helped: Context sessionCookiePath="" This might be due to my website structure.
I've switched in my wordpress blog from urls like this:
/blog/2012/01/01/how-to-build-a-website
To shorter urls like this
/blog/?p=123
Wordpress has a search engine who works like this
/blog/search/?s=how to build a website
And search for the s params.
I'm trying to use .htaccess Redirectmatch to redirect all the old urls to the search url with the title of the post as the s params.
So if the user serf to
/blog/2012/01/01/how-to-build-a-website
should be redirect to
/blog/search/?s=how to build a website
I've coded this
Redirectmatch blog/\d+/\d+/\d+/(.+) http://www.mysite.com/blog/?s=$1
But this regex grap the whole string after the last / within the - symbol inside it.
In this way if a user serf to
/blog/2012/01/01/how-to-build-a-website
Will be redirected to
/blog/search/?s=how-to-build-a-website
while I want the user redireced to
/blog/search/?s=how to build a website
How can I write the regex to do this?
EDIT:
Yes guys, I know that this kind of urls are ugly :) But I just would know how to do it, because behind this there are some technical issues I'm trying to solve..
Please don't do this. I know it can seem tempting to go for short URLs; after all, you get things like TinyURL and such. Isn't it better to have /blog/?p=123 than /blog/2012/01/01/how-to-build-a-website?
No. It's not.
The reason is because when someone posts a link to your blog article, the longer URL means something. It tells the person how old the article is. It gives the title. It helps people find your article; after all, the URL is given a lot of weight by Google when indexing your site.
URLs used to be built for computers. Something like /blog/?p=123 is perfect for computers; it's easy to parse, it doesn't require any extra database lookups. You can write two articles named "How to Build a Website" and the blog engine doesn't have to make sure it adds a -2 on the second one. It maps easily to the actual structure of files on the server, without making up structure in the URL.
But we've realized since that URLs can be built for humans, too. The URL /blog/2012/01/01/how-to-build-a-website has a form that can be easily understood by humans. Sure, it's a bit longer to type, but all the bits you're typing are easier, and most URLs are copy'n'pasted anyway or just clicked on. It's more work for the computer, sure, but it's worth it. It makes the Internet friendlier.
So I'm sorry, but I won't help you. :)
If I have a multilingual site, what is the best way to pass information about language?
Right now the language is saved in cookies. That's convenient except that might be not good for search optimization, if search bots don't use cookies.
The other option would be specifying language in address, like exampel.com/?lang=de, but then you probably need to add ?lang=xx to every link on the page.
Is there a right way?
Better way is to maintain this info in session,
The other option would be specifying
language in address, like
exampel.com/?lang=de, but then you
probably need to add ?lang=xx to every
link on the page.
Is there a right way?
I would have created filter than parse each request and fetches the lang param and process accordingly.
Moreover I would recommend you to use following url pattern, and get the lang from filter
yourapp.com/en/welcome/
If you want all the content crawlable then you'd have to pass it in the URL. Either as a parameter http://mydomain.com/en/english-content or maybe have separate sites/subdomains http://english.mydomain.com/english-content
I would use Wikepedia's approach: Different URLs for different languages.
http://en.wikipedia.org for english
http://es.wikipedia.org for Spanish
On my site, I want to allow users to add reference to images which are hosted anywhere on the internet. These images can then be seen by all users of my site. As far as I understand, this could open the risk of cross site scripting, as in the following scenario:
User A adds a link to a gif which he hosts on his own webserver. This webserver is configured in such a way, that it returns javascript instead of the image.
User B opens the page containg the image. Instead of seeing the image, javascript is executed.
My current security messures are currently such, that both on save and open, all content is encoded.
I am using asp.net(c#) on the server and a lot of jquery on the client to build ui elements, including the generation of image tags.
Is this fear of mine correct? Am I missing any other important security loopholes here? And most important of all, how do I prevent this attack? The only secure way I can think of right now, is to webrequest the image url on the server and check if it contains anything else than binary data...
Checking the file is indeed an image won't help. An attacker could return one thing when the server requests and another when a potential victim makes the same request.
Having said that, as long as you restrict the URL to only ever be printed inside the src attribute of an img tag, then you have a CSRF flaw, but not an XSS one.
Someone could for instance create an "image" URL along the lines of:
http://yoursite.com/admin/?action=create_user&un=bob&pw=alice
Or, more realistically but more annoyingly; http://yoursite.com/logout/
If all sensitive actions (logging out, editing profiles, creating posts, changing language/theme) have tokens, then an attack vector like this wouldn't give the user any benefit.
But going back to your question; unless there's some current browser bug I can't think of you won't have XSS. Oh, remember to ensure their image URL doesn't include odd characters. ie: an image URL of "><script>alert(1)</script><!-- may obviously have bad effects. I presumed you know to escape that.
Your approach to security is incorrect.
Don't approach the topic as "I have a user input, so how can I prevent XSS". Rather approach it like it this: "I have user input - it should be restrictive as possible - i.e. allowing nothing through". Then based on that allow only what's absolutely essential - plain-text strings thoroughly sanitized to prevent anything but a URL, and the specific, necessary characters for URLS only. Then Once it is sanitized I should only allow images. Testing for that is hard because it can be easily tricked. However, it should still be tested for. Then because you're using an input field you should make sure that everything from javascript scripts and escape characters, HTML, XML and SQL injections are all converted to plaintext and rendered harmless and useless. Consider your users as being both idiots and hackers - that they'll input everything incorrectly and try to hack something into your input space.
Aside from that you may run into som legal issues with regard to copyright. Copyrighted images generally may not be used on other people's sites without the copyright owner's consent and permission - usually obtained in writing (or email). So allowing users the opportunity to simply lift images from a site could run the risk of allowing them to take copyrighted material and reposting it on your site without permission which is illegal. Some sites are okay with citing the source, others require a fee to be paid, and others will sue you and bring your whole domain down for copyright infringement.