I am seeking for the proper way to linkify a string block with MeteorJS.
The goal is to prevent XSS vulnerabilities but also to keep the reactivty.
I am currently bulding a chat with MeteorJS. Each of the message in my template can be edited. I have already tried thoses solutions:
1- Linkify DOM node woth various jQuery plugins/custon regex replace() function. Problem is that the onRendered callback is fired once, so messages updated won't be linkified again.
2- Return linkified HTML content from a helper. Problem is that it expose the app to XSS vulneravilities, and with a sanitizing process, some text may be lost (i want to keep the whole text, to display HTML code as text for exanple)
3- Used an autorun conputation declared in the onRendered callback with the Template.currentData() reactive dependency. It ensure that the DOM node will be linkified at every message update, but problem is that old content added manually with jQuery will remain in the node.
So, is there a way to ensure reactivity but also to keep the whole text in place. The goal here is to allow people to send code as text via messages. Meteor Spacebars is already predenting basic XSS with the double curly brace notation {{}}.
Thanks,
wILL
Ok, seems like https://github.com/chuangbo/meteor-marked is the good option. It handle bare links.
Related
Pretty new here, so sorry if the post isn't clear at first!
I'm trying to get a Custom HTML Tag to work from Google Tag Manager. The tag fires just fine, but the JS code inside the tag doesn't seem to do anything. It's supposed to update an Adroll conversion, but nothing happens.
I'm more wondering if this type of JS would even work in GTM? Like the fact that it uses a specific adroll function, how would that even work without access to a larger library?
<script> try{__adroll.track("pageView", {"segment_name":"eea7cf78"})
} catch(err) {}
</script>
how would that even work without access to a larger library?
It would not. If you have not loaded a library that defines an _adroll object with at least a track method, then this will give an error.
You probably cannot see this error because of the try/catch block. The idea behind try/catch is that you can prevent a script from going into an undefined state bey handling errors in the catch branch in a controlled manner.
In this case however, it is used merely to hide an error. The problem with that is that now you do not know what is wrong :-). Error messages are useful, and suppressing them is not.
There should be an accompanying tracking library, that you can either load via a script tag in the same custom tag, in another custom tag that fires before your tracking tag (best done via tag sequencing), or ideally Adroll would provide a custom GTM template for their tag. At least their support should provide instructions where to get their tracking library.
Also remove the try/catch, since it does nothing but to obscure a problem that should be fixed (and also creates a performance hit in the process).
I am using tinymce editor in asp.net page. It was configured fine but when I tried to write soem text in editor it raised error "A potentially dangerous Request.Form value was detected from the client with timymce" I searched and came to know it was bascailly scan of input message form script and sql injection attaks.
To remove this error I put ValidateRequest=fasle in page heade in aspx page. Now I am sure input is not beign validated but is it unsecue now ?
Please guide me what type of threat it has now and what safty measure I can take to prevent it. The editor is being used for compose and store emails. I just read on some sites that client side script attaks are possible from input. Please guide and help.
I believe this answer is along the lines of what you are looking for.
Basically, you have to make sure you html encode/decode all the input fields where applicable. In reality, you cannot completely avoid it, unless you disable the validation. But if you are, make sure you take steps to avoid direct use of the input.
My web-app records users via webcam and microphone. I want to use HTML/JS for the controls and content, so I created two separate Flex modules:
* A "Webcam Setup" module that lets you choose your camera and mic input devices
* A "record" module that lets the user record and submit the recording
When I embed either of these on the page, since they access the user's Camera/Mic object, Flash shows the Privacy dialog that says "[mysite] is requesting access to your camera and microphone. If you click Allow, you may be recorded."
The problem is, if I answer Yes in the Setup module, and later add the Record module to the page using Javascript, it again shows the Privacy dialog.
Is there a way to avoid the second privacy popup?
I would think that saying "Yes" for [mysite] would store that permission for at least that session, but apparently not.
What I've tried
I tried combining them into one SWF, adding it to the page once and moving the DOM element with jQuery's append() function when needed. When I move it, however, it reloads and asks me again.
Imagine if [mysite] was, say, blogger.com or livejournal.com (or, if it were still around, geocities.com). Would you want a "yes" response on that site to be good for every page under that domain?
Rememeber, just because you promise (cross your heart & hope to die) not to abuse the security hole you request, doesn't mean they can allow you to have that security hole.
Eventually, I found a usable workaround, similar to what I originally tried (above).
I combined the setup and record modules into one SWF. I first show the setup screen. When the user hits the Continue button on my page, Javascript calls a function in the SWF to swap to the Record screen.
I then move the <div> containing the Flash object to another location on page using absolute positioning, and resize the object.
Previously, I was trying to use jQuery's append() function to move the div within the DOM, and that was causing the SWF to reload. Just changing position and size does actually work.
You could build the "record" component to simply send and receive signals using an API you've created for your "setup" component (which has already been authorized, meaning one auth & two swfs) by using the LocalConnection class:
http://livedocs.adobe.com/flex/3/langref/flash/net/LocalConnection.html
This seems far closer to best practice than the other implementations mentioned, which smell a bit hacky and would probably confuse anyone who may inherit the codebase in the future.
This is a follow up to: Core javascript functions to make error, warning or notice messages appear?
Basically, drupal_set_message() stores error messages in the session. I need a way to tell drupal VIA JAVSCRIPT not to display those messages. If the page was refreshed, these messages would be displayed, but I want a way to force them to be displayed immediately.
I'm not sure if I have understood you correct, but it seems you want to react upon something in your javascript and display a message in drupal style with the effects.
First of all to make things clear, the JavaScript and Drupal (PHP) can't really talk to each other very well. The only solution is through AJAX, so it wouldn't make any sense to want to use drupal_set_message() from your javascript. The reason is that it would be quite difficult and you would just end up with html you would need to append to your page. So it would be much easier to just create the html in your javascript direct, like I proposed in the answer to your other question. So all that would be left would be to append the effects. This is actually not that hard to do, depending on your effects. The only tricky part is getting the settings from the messagefx module, which it seems you currently cant, since it doesn't save any settings in the script variables.
So this solution in code would be something like this:
$("#something").a_trigger(function () {
$("#messages").append('your html with message').find('the html you inserted').effect(some effect here);
});
Depending on the effect you want to create, you would to call a different function, look at what messagefx does in it's module file around line 55.
The other possibility is that you want to react on any drupal_set_message(). That hard part would be to figure out when there is a message, as there isn't really a way to know in the javascript. Also consider that most messages is the result of submitting a form, where the page reload anyways, and this would be unnecessary. So you would start by creating a simple AJAX function to fetch the data, and create your own simple module to do this. Basically all you need to to define an url with hook_menu and in that callback handle the ajax. You can get the messages from the $_SESSION super global.
So the callback, would look something like this
function mymodule_ajax_callback() {
if (isset($_SESSION['messages'] && !empty($_SESSION['messages'])) {
$result = array();
foreach($_SESSION['messages'] as $message) {
$result[] = 'Generate html based on $message';
}
unset($_SESSION['messages']) // Remove the messages so they wont appear twice.
}
return drupal_json($result);
}
The rest will look like the first solution, only you will get the html from the ajax instead.
since these messages are in the session and/or db, you'd have to use ajax i guess. thats not a very conventional approach.
have to say that on my sites this drupal_set_message() function frequently displays the message one page too late, so i feel your pain.
Right, in short we basically already have a system in place where the HTML content for emails is generated. It's not perfect, but it works.
From this, we need to be able to derive a plaintext alternative for the email. I was thinking of instantly jumping on and creating a RegEx to strip the <*> tags from the message - but then I realised this would be no good because we do need some of the formatting information (paragraphs, line breaks, images etc).
NOTE: I am OK with actually sending the mail and setting up alternative views etc, this is only about getting plaintext from HTML.
So, I am pondering some ideas. Will post one as an answer to see what you guys think, but thought I would open it up to the floor. :)
If you need any more clarification then please shout.
Many thanks,
Rob
My Solution
OK, so here it is! I thought up a solution to my problem and it works like a charm!
Now, here are some of the goals I wanted to set out:
All the content for the emails should remain in the ASPX pages (as the HTML content currently does).
I didn't want the client code to do anything more other than say "SendMail("PageX.aspx")".
I didn't want to write too much code.
I wanted to keep the code as semantically correct as possible (no REALLY crazy-ass hacks!).
The Process
So, this is what I ended up doing:
Go to the master page for the email messages. Create an ASP.NET MultiView Control. This control would have two views - HTML and PlainText.
Within each view, I added content placeholders for the actual content.
I then grabbed all the existing ASPX code (such as header and footer) and stuck it in the HTML View. All of it, DocType and everything. This does cause VS to whinge a little bit. Ignore It.
I then of course added new content to the PlainText view to best replicate the HTML view in a PlainText environment.
I then added some code to the Master Page_Load, checking for the QueryString parameter "type" which could be either "html" or "text". It falls over to "text" if none present. Dependant on the value, it switches the view.
I then go to the content pages and add new placeholders for the PlainText equivalents and add text as required.
To make my life easier, I then overloaded my SendMail method to get the response for the required page, passing "type=html" and "type=text" and creating AlternateView's as appropriate.
In Summary
So, in short:
The Views seperate the actual "views" of the content (HTML and Text).
A master page auto switches the view based on a QueryString.
Content pages are responsible for how their views look.
Job done!
If any of this is unclear then please shout. I would like to create blog post on this at some point in more detail.
My Idea
Create a page based on the HTML content and traverse the control tree. You can then pick the text from the controls and handle different controls as required (e.g. use ALT text for images, "_____" for HR etc).
You could ensure the HTML mail is in XHTML format so you can parse it easily using the standard XML tools, then create your own DOM serialiser that outputs plain text. It'd still be a lot of work to cover general XHTML, but for a limited subset you plan to use in e-mail it could work.
Alternatively, if you don't mind shelling out to another program, you could just use the -dump switch to the lynx web browser.