I have a textbox in which users can enter some text. And after entering this text I show it for them with help of innerHTML. ( befor it - I replace smiles with <img> tag ) I'v tried to enter some JavaScript there, and have found that it is not working. The question is how safe is that?
View 8 RepliesI can't imagine that IE 8 wouldn't support innerHTML but for the following code:
HTML Code:
<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN" "http://www.w3.org/TR/html4/loose.dtd">
<html>
[Code]....
What did I do that IE 8 doesn't like?
when i click a button, this codes will be executed (tested, its working)
var cart=document.getElementById('cart');
cart.innerHTML=cart.innerHTML + document.getElementById('name'+cartNum).innerHTML + "(" + qty + ")" + "<br>";
this is the style of my cart
[Code]...
my problem is, the overflow which i set to auto is not working. the div keeps on enlarging its height everytime i click the button. seems like it has a conflict with innerhtml?
why the string comparison test doesn't work in this javascript function? It works if you use just text between the currentItem div tags, but not when you use html for an image. I even tried to use iso characters instead of angle brackets, as in "<img src=expand.png></img>" and still no dice. Why not?
Is it because of the way innerHTML manages html and it's not really a string? Is it because it doesn't have all the tags and some other representation?
Code:
<html>
<head></head>
<body>
[Code].....
I'm having an issue with Firefox and the innerHTML code. My index file has the following html body code in it:
Code:
<div id="testBox" style="text-align: center; color:white;">
test text
</div>
Then, in a separate html document loaded through an iframe, I have the following code that works great in IE but not in Firefox:
Code:
<SCRIPT type="text/javascript">
function ChangeML(){
parent.testBox.innerHTML ='text has been changed';
};
</script>
The function ChangeML is called on a click event using MooTools, but I figured that part isn't what's causing the problems because everything else works fine. No error seems to be reported ... it just skips right over this piece of code.
I have a form that is shown depending on some criteria. If the criteria are met, I use innerHTML to swap it in. When a button is pressed, the info on the form is checked with javascript - if it passes the check I use innerHTML again to change the button to '...'.
This works fine on Firefox and Safari - the problem is that it doesn't work when I test it with my iPad (iOS 4.3). The button stays the exact same and the javascript seems to stall on the line where I execute the innerHTML. Up to this point, innerHTML on mobile Safari seemed to work the exact same way as MacOS Safari. On my iPad, the innerHTML swaps out this button if the event is triggered from a different button, but not from id="submitbutton" itself.I tested another method - disabling the button. Same issue - works on MacOS Safari/Firefox but not on mobile Safari on my iPad when using onClick from itself.
code snippets
Form (it is a string since using innerHTML=)
...form content...
<div id="submitarea" class="center">
[code]...
I have this script that I've been modifying, but somehow it doesn't work in Opera and Firefox!! IE, Safari and Chrome works just fine!
Code:
/**
* This function creates a Ajax call to the defined responce file and can run a defined javascript right after the innerhtml is loaded.
[Code].....
According to a financial website I tried to access without javascript:
"the site uses JS for security reasons."
How would using JS improve security?
I have an application which runs with secure access. User logs in,
uses the services, and logs out. After logging out, if the user click
the back button, it actually takes them to that page. How can I
prevent this?
Is there a way, that if the person clicks the back button or access a
browser history, how can I make sure that the latest page is displayed
instead of just the cache. Or, clicking the back/history should
refresh that page.
I have a intranet site that allows users to log in and get excel
reports. The user clicks the name of the report and it opens it from a
folder for that user. Easy enough. The problem is that the path of the
folder for that user is displayed in the Status Bar when it is being
downloaded. I've discovered that users are grabing that path, changing
the folder name, and can then access other folders. I don't want that
to happen.
I was wondering if using Javascript to redirect a user, on the client
side, to different pages depending on what they entered was insecure.
I do not want the user to be able to view the source of the page. I
am having the user enter in some input using the input dialog box and
then using a window.location redirection based on their input. Is it
possible to view the source of a page after the input box has closed
but before the new page has loaded, ie. while the browser is
requesting the new page?
I'm working on an html form that will be launched from within another application, but every time it launches the form none of the JS coding works because of the stupid IE security. If I launch the form from outside the application I just have to select "allow blocked content" from that stupid information bar that says "to help protect your security IE has restricted the webpage from running scripts...."
I added the application site to our trusted sites and basically turned off security for that zone but it still doesn't work. Obviously there is a way to run JS without allowing the content, but I don't do enough coding to know how that is done.I need the JS to run automatically without that information bar appearing at all.
If my Ajax is set up like
html <--->ajax(js)<--->server(php)
it would be easy for someone to copy the html and javascript pages to their site and then access my server pages. I don't suppose it matters much if someone did that as long as the php page had proper validation but is it possible to block someone linking to my server pages like that.
As most Javascript coders probably know by now, IE on Windows XP SP2 likes
to prevent our code from running right away (the user is asked to give
permission the first time). Although I can see the danger in allowing all
scripts to run, the fact that IE makes it sound like we are going to install
some huge, horrible application when we are simply adding rollovers or
client-side validation or some other simple little thing really frustrates
me. Specifically what stuff does IE block? Does it check for certain methods
in the script? Does it block everything until you say it's OK? What can
places do to allow their scripts to be run without the need to be validated
by the user? I have heard about "Signed Scripts", but I feel that it would
be hard to modify and develop when a script had to be "Signed" every time.
Any comments?
Is there a way to test for security settings in a users browser AND
their firewall. Lets say someone is using zonealarm. Is there a way
to test for their setting in zonealarm, so I can then redirect them to
a specific page.
The reason I am asking is that I have a flash front page. A user
cannot see the page because he has his security settings set so that he
does not see activex controls. I want to be able to test for those
settings then redirect him to a static page.
It's a security setting "Access Data Sources across domains" you've
got lowered security for whatever zone you accessed the page in.
I am looking for the official javascript security specification for web
browsers. EMCAScript and DOM spec does not seem to contain a section on
security, so I assume none exists and the security policies are
implemented as the vendor pleases. If so, do security specs for IE and
Mozilla exist?
I am writing a script that uses xmlhttp.open, when i attempt to open a protected page I get the login prompt for my htpasswd. Is it possible to detect if there is a login requirement before the login prompt and if there is a login just do something else? I can use xmlhttp.status and check for 200 but if I do this then it would happen after the login prompt.
View 1 Replies View RelatedI have a webpage in which my users complete a form in order to get through to page 2. I cannot use PHP to check as it must be on-the-fly checking.My idea was like the following:
<script type="text/javascript">
function check(x)
{[code]...
And for the images to actually be PHP files that check further details of the user and insert details to DB. Then when the user clicks the next button it will check to see if all 4 users have loaded under that users details.However, I would much prefer it if I could use more PHP as I'm a Javascript n00b. Preferably I would like to use PHP to create unique keys for the images so that once I have obfuscated the javascript code the user will not figure out how to cheat the system even if they manage to reverse engineer the code.
E.g.
<?php
$pic = "picture.jpg";
?>[code]...
Or is this not at all possible?
Edit: I know how much simpler that first script could have been, was just trying to simplify from my double as messy full script which will probably confuse you even more!!!
Some may remember a security flaw in Firefox 1.0.1. It basically goes like this: HTML Code:
<a href="[TRUSTED_URL]">
<table><tr><td>
<a href="[MALICIOUS_URL]">download
</a>
</td></tr></table>
</a>
and with it the developer can trick users into going to or downloading files different from what the user expects.
I recently discovered that you can spoof the status bar in any Javascript enabled browser by the following method, and I'd like to know:Is it a real security flaw?If not, how is it less dangerous than the above method?If so, do I get bragging rights for discovering it, or is it already known? Code:
I pass values from a child window to a parent window as in this code. Is this secure, and if not how can I pass this data securely?
<script langauge="javascript"> function post_value(){
opener.document.editform.ownerid.value = document.lookupform.ownerid.value;
opener.document.editform.petowner.value = document.lookupform.oname.value;
opener.document.editform.ostreet.value = document.lookupform.ostreet.value;
self.close();
}
</script>
What I'm trying to do is put my favorites online so that I can access them from any computer. A friend of mine does this, but he's just relying on it not being bookmarked by anyone and not having his email and being in an obscure directory on his website. I'd like to take it a bit further for myself.
I had considered that the file would be something simple like f.html. f.html would get user input, from me, as a "password". However, the code would not validate the proper password (readable by a smart person) but the password would instead be a directory name. The javascript in f.html would then concatenate the variable received into a string that would be the name of the .js file to include (stuck out in some obscure directory). The included file would then proceed to write all the links. Code:
is there any way we can access the security settings of a browser or at least the status of the SECURITY level?
View 1 Replies View RelatedI am trying to convert a slide show script to install as Web Content on the Windows2K Active Desktop. My ideal implementation would just display all the image files in a specific directory rather than having to edit the script each time I add or remove an image.
I have written a script that uses the File System Object and works fine, but it puts up an alert box when I instantiate the FSO. I am hoping someone can advise me on how to run this particular script without the alert, but I am not willing to give any old script that happens to run access to any important directories.
Password Strength meter: Looking at ways of improving site security:
[url] is a great security feature (in my humble opinion) and I seem to think Ebay, Hotmail, or maybe Amazon use a similar tool. It looks at a proposed password, counts the upper and lower case characters used as well as the use of numerical and other symbols such as #@~? Etc. then rates the password on its perceived unbreakability. Thus it encourages users to use a strong password and therefore improves the security on my site and maybe on other sites too
So far I have linked to this site with success, but I would like to integrate the feature into my site. Does anyone have the code or something similar?
Firefox is throwing a DOM security error. I've used toDataURL() before, and it's never done this. I need to get this little app fixed, so that I can use it on my TabletPC for taking notes in class. The line of code that is throwing this error is:
var Note = document.getElementById("SketchPage").toDataURL();
Here's the full error from the Error Console:
Error: uncaught exception: [Exception... "Security error" code: "1000" nsresult: "0x805303e8 (NS_ERROR_DOM_SECURITY_ERR)" location: "file:///C:/SketchBook-Dev/SketchBook.js Line: 236"]
Here is the JS file:
var PenSize = "3";
var PenShape = "Circle";
var PenColor = "Black";
var LoadFile = "";
var UIstatus = "visible";
var CurrentNote = 0;
var BGcolor = "#C7C1A3";
var DataPath = "Data\";
var ImageExtension = ".img";
var FileList = [];
var SystemPath;
var UIstatus = "visible";
var Server = "localhost";
var NxtNote = new Image();
document.onkeyup = ToggleUI;
function Init() { .....