I'm having a vexing time displaying a remote RSS feed on an intranet site. I'm using the MM_ XSLTransform.cfc version 0.6.2 to pull in the feed and a basic xsl to output. The feed url is www.fedsources.com/FedsourcesNet/RssFeeds/RSS_MarketFlash.aspx. If you open it in a browser, you'll see it appears to be an ordinary RSS feed. But when I try to display it in CF, I get the following" MM_ XSLTransform error.
www.fedsources.com/FedsourcesNet/RssFeeds/RSS_ MarketFlash.aspx is not a valid XML document.
Parsing www.fedsources.com/FedsourcesNet/RssFeeds/RSS_ MarketFlash.aspx
An error occured while Parsing an XML document.
Content is not allowed in prolog." (the actual error included http:// in the urls. Then the feed is dumped as part of the error message.
What's especially frustrating is if I view the source of the RSS and copy and paste it into a text file, then parse that text file, it displays fine.
Running CF version 7.
I tried changing the charset from UTF-8 to windows-1252, but that added some weird characters at the beginning and didn't help. I also tried stripping out everything between <channel> and <item> but that didn't help.
I've successfully parsed other RSS feeds outside our firewall using the same code. Is there something about the aspx extension that's causing the error? Any thoughts? Anyone?
Thanks.
What's the exact code that you're using to parse the XML document? This particular error normally happens if you have some data before the <?xml?> tag in the document, even a single space can cause a problem.
I'm not familiar with the particular CFC you mentioned, so I can't troubleshoot that one for you, but make sure that you use the Trim function around any XML content you're going to try to parse.
UPDATE: A quick Google search led me to this post from Ben Nadel: http://www.bennadel.com/blog/1206-Content-Is-Not-Allowed-In-Prolog-ColdFusion-XML-And-The-Byte-Order-Mark-BOM-.htm
You need to remove the Byte-Order-Mark from the feed. This code works without an error:
<cfhttp method="get" url="http://www.fedsources.com/FedsourcesNet/RssFeeds/RSS_MarketFlash.aspx" />
<cfset xmlResult = XmlParse(REReplace( cfhttp.FileContent, "^[^<]*", "", "all" )) />
<cfdump var="#XMLParse(xmlResult)#" />
Related
I tested site for vulnerables (folder /service-contact) and possible XSS DOM issue came up (using Kali Linux, Vega and XSSER). However, i tried to manually test url with 'alert' script to make sure it's vulnerable. I used
www.babyland.nl/service-contact/alert("test")
No alert box/pop-up was shown, only the html code showed up in contact form box.
I am not sure i used the right code (i'm a rookie) or did the right interpretation. Server is Apache, using javascript/js.
Can you help?
Thanks!
This is Not Vulnerable to XSS, Whatever you are writing in the URL is Coming in Below Form section ( Vraag/opmerking ) . And the Double Quotes (") are Escaped. If you try another Payload like <script>alert(/xss/)</script> That Also won't work, Because this is Not Reflecting neither Storing. You will see output as a Text in Vraag/opmerking. Don't Rely on Online Scanners, Test Manually, For DOM Based XSS ..Check Sink and Sources and Analyze them.
The tool is right. There is a XSS-Vulnerability on the site, but the proof of concept (PoC) code is wrong. The content of a <textarea> can only contain character data (see <textarea> description on MDN). So your <script>alert("test")</script> is interpreted as text and not as HTML code. But you can close the <textarea> tag and insert the javascript code after that.
Here is the working PoC URL:
https://www.babyland.nl/service-contact/</textarea><script>alert("test")</script>
which is rendered as:
<textarea rows="" cols="" id="comment" name="comment"></textarea<script>alert("test")</script></textarea>
A little note to testing for XSS injection: Chrome/Chromium has a XSS protection. So this code doesn't exploit in this browser. For manual testing you can use Firefox or run Chrome with: --disable-web-security (see this StackOverflow Question and this for more information).
I have an xsl-fo xslt file, and it generates blank pages, along with the standard "An error exists on this page. Acrobat may not display the page correctly. Please contact the person who created the PDF document to correct the problem" error message.
I found that the issue was due to the text I was writing into the pdf contained dashes "–" and when I removed characters, the pdf was rendered successfully.
does anyone know why this "–" character would cause the xsl-fo pdf process should fail? everything I have read says this is not a special character and I shouldn't worry about encoding it.
Update here is a link to the Aspose forum's post I created:
http://www.aspose.com/community/forums/permalink/593149/593149/showthread.aspx#593149
Update #2 I found the issue was not the forward slash, but an encoding issue with dashes (I have updated the questions content, sorry for the confusion) at this point i am still looking for an answer, but I confused the differences between my working xml data, and my not working xml.
Which class of tomcat is responsible for converting .jsp file to .class file? I want to see the source code written for the conversion. My aim is to check the logic how scriptlet comments are eliminated and based on that I'll write my own code that will remove HTML comments as well (I've not decided how will I implement it).
I am sure source code should be available as it's open source.
Or is it possible to implement some kind of filter so the each time server returns a JSP page it removes the comments. I can replace all HTML comments into Scriptlet comments. But I want to ensure, if someone use html comments in future, it is not displayed. It's basically for security.
[Added]
As per the suggestion given by JB Nizet, we will be modifying build.xml file to remove comments. I have come up with this to remove HTML comments -
<target name="-trim.html.comments">
<echo message="Inside trim html comments" />
<fileset id="html.fileset" dir="${build.dir}" includes="**/*.jsp, **/*.html" />
<!-- HTML Comments -->
<replaceregexp replace="" flags="g" match="\<![ \r\n\t]*(--([^\-]|[\r\n]|-[^\-])*--[ \r\n\t]*)\>">
<fileset refid="html.fileset"/>
</replaceregexp>
</target>
However, I am not sure how to remove comments that starts with // or /* */. Any suggestion how can I do so? I have searched over internet but didn't get a clue.
We are using ant script for build.
[Added]
To remove single line comment that starts with // I am using below regex. But somehow it's not working. Can anyone please help me what I'm doing wrong? Thanks in advance.
<replaceregexp flags="gs" match="?:^\s*\/\/(?:.*)$" replace="">
Rather than doing it in Tomcat, use Apache directly. It supports modules which do exactly what you need. mod pagespeed is probably closest to what you want; mod deflate may be configurable to do the same thing, though it also compresses the data, which might be overkill.
As a nice side-effect, this allows you to leave your handy comments in and they'll be served to your internal users (developers) who use port 8080, while those using port 80 will see only the minified product.
It seems that when I use the <cfsavecontent> tag, the output of that is being served by the server (without the variable being outputted), which, to me, kind of defeats the purpose of <cfsavecontent>.
If this is important: my application uses ColdSpring, ModelGlue and Transfer ORM.
Here's my example code in a function:
<cfsavecontent variable="testvar">
<cfinclude template="test.cfm" />
</cfsavecontent>
<cfreturn testvar>
And the template:
<cfdocument format="PDF" pagetype="A4" orientation="portrait" unit="cm">
<cfoutput>
<!--- PDF content here --->
</cfoutput>
</cfdocument>
The PDF content is being parsed by my browser (Google Chrome), while the view hasn't even been loaded in. How can I best prevent this from happening?
Just to clarify: I am not outputting the #testvar# variable yet in this code, though it seems it loads the template in the browser anyways.
To achieve what you're trying to do, should you not simply be using the name attribute of <cfdocument> to put the PDF data into a variable, instead of trying to <cfsavecontent> it?
Disclosure: I've never used <cfdocument> for anything other than proof-of-concept code and testing, but that's what I'm inferring from the docs.
As I also needed to make multiple PDF documents merge, I ended up doing the following. Many thanks to Adam Cameron for providing the solution to my initial issue.
In the template file, I use the <cfdocument> tag with the name attribute to save the PDF in a variable (thanks to Adam Cameron for this)
Then, I store all the PDF documents in an array in their binary format
In my view, I merge the PDF documents together by using <cfpdf>'s merge action, and using a cfloop, to loop over the array, inside it.
Finally, I display the content by using <cfcontent> and using the variable attribute with toBinary(myPdf)
This got me to where I am.
cfinclude will process the test.cfm page, and the way you configured cfdocument will cause "opening" of pdf document in your browser.
You can prevent openning of this file by saving file on the disc:
<cfdocument format="PDF" pagetype="A4" orientation="portrait" unit="cm" filename ="test.pdf" overwrite ="yes">
But this will not prevent execution of cfinclude in the cfcontent tag, it will just prevent opening in the browser.
You can observe cfinclude as request to the server, it will always be executed.
The solution would be to invoke request on test.cfm file which contains cfdocument in the moment that you actually want to generate pdf.
Example: Use javascript on client to invoke report service which will generate and pop out the screen with pdf report.
Hope this helps.
In coldfusion 8, I used bellow code to view "UserDesc"field data from database table that is working on well IE and chrome but not on Firefox. On firefox it does not display on fckeditor,but shows on textarea. please suggest any change in code.
<cfmodule
template="fckeditor/fckeditor.cfm"
basePath="../views/fckeditor/"
instanceName="Question"
value='#UrlDecode(UserDesc)#'
width="530"
height="260">
There are a few newer ways to use the ckeditor in Coldfusion. You can just use the following (this may be cf9+ only, i'm not sure):
<cftextarea name="Question" id="Question"
richtext="yes"
value="#UrlDecode(UserDesc)#">
</cftextarea>
Or you could just use the javascript one as demo'd here (this should work for any version of coldfusion): http://ckeditor.com/demo You would just have to put your value in between the opening and closing text area tags.