Recently installed wkhtmltopdf. Was trying to capture the entire page in its current state, however, the below method seems to navigate to the initial state of that page without all the input fields that the user has entered.
PHP
shell_exec('wkhtmltopdf http://localhost/www/bolt/invoice.php invoice.pdf');
I was wondering if someone knew of an implementation of wkhtmltopdf that captures the current state of the page including any text entered in the text fields??
I appreciate any suggestions.
Many thanks in advance!
wkhtmltopdf hits the page independently of your current browsing session. If you hit it like that, you're going to get what anyone would see when they first go to your page. Probably what you want to do is save the current page using an output buffer, and then run wkhtmltopdf on the saved page. Here's some sample code:
sub.php
<?php
$documentTemplate = file_get_contents ("template.html");
foreach ($_POST as $key => $postVar)
{
$documentTemplate =
preg_replace ("/name=\"$key\"/", "value=\"$postVar\"", $documentTemplate);
}
file_put_contents ("out.html", $documentTemplate);
shell_exec ("wkhtmltopdf out.html test.pdf");
?>
template.php
<!DOCTYPE html>
<html>
<head>
<title></title>
<meta charset="utf-8" />
</head>
<body>
<h1>This is a page</h1>
<form action="sub.php" method="post" accept-charset="utf-8">
My Test Field:
<input type="text" name="test_field" value="">
<input type="submit" value = "submit">
</form>
</body>
</html>
Probably in the long run you should have some kind of base template that both pages would use, and one have some markers like value='%valueOfThisVariable%' in your input fields that you can replace with blanks when you present the fields to the user, and fill with the user data when you create the page that you want to write to pdf. Right now it's just going through and replacing all the name='this_name' with value='this_name->value'.
Related
I'm trying to execute a shell script from an HTML page using PHP. I have found a previous example here that I have been trying to follow but I'm having an issue. I'm not sure what the cause is but no errors are returned and no file is created from the bash script.
index.php:
<!DOCTYPE html>
<html>
<head>
<style></style>
</head>
<body>
<form action="./test.php">
<input type="submit" value="Open Script">
</form>
</body>
</html>
test.php
<?php
exec("./bash_script.sh");
header('Location: http://local.server.edu/ABC/abc_test/');
?>
bash_script.sh
#!/bin/bash
touch ./test_file.txt
One thing I have noticed that may be the cause of the issue is that it seems the path on the local server doesn't match with the file system exactly.
If I switch all the relative paths in the scripts to absolute paths such as:
/local/sequence/temp/abc_test/file.exe
Then after clicking the button to run the script I get an error saying:
The requested URL /local/sequence/temp/abc_test/test.php was not found on this server
Edit:
The three files They're located at /local/sequence/temp/abc_test And there is a symbolic link pointing to that directory at /export/www/htdocs/ABC
The error message seems to be indicating that test.php is not being found. As written, it needs to be in the same directory as index.php
You’ve tested the actual bash script, so we can proceed with the assumption that it’s in the execution of the script receiving the submission.
I would suggest putting all the web stuff into one page, because you can test sending and receiving input.
<?php
// for testing
// exec("./bash_script.sh");
// check for POST submission (this is not just reading data)
if(isset($_POST['runScript'])) {
// die('Request received');
exec("./bash_script.sh");
// It’s always proper to redirect after post :)
header('Location: http://local.server.edu/ABC/abc_test/');
die;
}
// finished with logic; show form
?>
<!DOCTYPE html>
<html>
<head>
<style></style>
</head>
<body>
<form method="POST">
<input type="submit" name="runScript" value="Open Script">
</form>
</body>
</html>
Note that I added the name attribute to the submit button, and made the form use POST method while submitting to the calling page (no action means submit to yourself).
I’ve also left a few commented actions to aid in debugging if necessary
You may have to adjust the path to the bash script. Currently it’s going to look in the same directory as index.php, which is not something you’d want to do in production.
You will be able to do that somehow, but its always very risky to allow such operations to execute from the php page.
I simplified my real php page just to get an idea, I have this simple php page with a div, I want to keep this div open and its input with the text that has been changed by the user, when I change the page and go to page2.php
<html>
<head> stuff.. </head>
<body>
stuff in the body..
<div>I want this div to stay in the other page, (without cloning it)
<input type="text" value="hello" />
</div>
</body>
</html>
Please consider this PHP page below, named xss1.php. You can upload it to any LAMP server or VM you have, to understand my conundrum.
<?php
ob_start();
session_start();
$searchValue = "";
if ($_SERVER["REQUEST_METHOD"] === "POST") {
$searchValue = trim($_POST["txtSearch"]);
}
?>
<!DOCTYPE html>
<html lang="en">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8" />
<title>XSS: Sample 1</title>
</head>
<body>
<form name="xssForm" method="POST" action="xss1.php">
<input type="text" id="txtSearch" name="txtSearch" maxlength="128" value="<?php print($searchValue); ?>"/>
<input type="Submit" id="btnSubmit" value="Submit"/>
</form>
</body>
</html>
<?php
ob_end_flush();
?>
I was under the impression, data in text-fields are displayed as is, and need minimal or no-XSS checking. In this text-field, If I were to stick in <script>alert(1);</script> and the form gets posted, the value gets displayed back in the text-field again, with no XSS execution or injection. I'm running Firefox 50.0.2. on my Mac OS X.
Now, if I stick in "><script>alert(1);</script>, there is XSS and I see a Javascript alert pop-out with 1 in it. The characters "/> come after the text-field, rendered as text on the page, not inside the text-field. What changed here? I'm a little perplexed and will perhaps spend the next hour trying to find the answer on XSS Filter Evasion Cheat Sheet, at https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet
In Safari though, I don't see the Javascript alert pop-out, but "/> gets written outside the text-field, right after it on the page.
It's 2:01 am PT and I'm Sleepless in Seattle :)
I was under the impression, data in text-fields are displayed as is, and need minimal or no-XSS checking
Your impression was wrong. Any user input into an HTML document needs to be considered for XSS. It must be either:
Escaped
Passed through a really good white listing filter
From a trusted source (and that means trusted to not be malicious, and to write code without accidently writing something dangerous, and to not copy/paste code they don't understand).
The characters "/> come after the text-field, rendered as text on the page, not inside the text-field. What changed here?
You added a " character. A " ends an attribute value.
Then you added a >. Inside a tag, but outside of an attribute value, a > ends the tag.
The "/> that were in the original document (i.e. the ones that are not part of the user input) no longer have an attribute and tag to close (because the "> from the user input did that) so are rendered as text.
I have a simple wordpress plugin that will take one or two inputs and display a chunk of HTML using a few pieces of meta data from custom posts in Wordpress (within the plugin admin menu).
I have it displaying the HTML output just fine on a new blank page, as well as displaying the input from $_POST when I tested it, although when I try and use get_post_meta() function using my $_post variables within that html output it draws a blank.
I'm using one PHP file, and the code is:
<?php
if (!isset($_POST['submit'])) {
?>
<h1>My Plugin</h1>
<form action="<?php echo plugin_dir_url( __FILE__ ).'myplugin.php'?>" method="post" >
Enter input:<input type="text" name="info" size="30">
<p><input type="submit" name="submit" value="Go">
</form>
<?php
}
else {
?>
<html>
<head>
<style type="text/css">
</style>
</head>
<body>
<?php
$info = $_POST['info'];
?>
Information based on your input is:<?php echo get_post_meta($info, '_info', true); ?>
</body>
</html>
<?php } ?>
I'm a beginner at PHP and plugin development, so apologies for all the silly mistakes that are sprinkled in their most likely.
From my scouring on SO and other wordpress forums, I've got a hint that I might be taking the output out of the wordpress 'Sandbox' and therefore direct wordpress functions wouldn't work. So my question would be, what is the best way to generate my chunk of html with dynamic php on a separate blank page that still works with get_post_meta()?
I should mention that the code works correctly if I put it all on the first plugin page with no forms, and just force a few test variables to pull from the DB.
I have just started to learn HTML and PHP, but have run into a road block while following beginner tutorials. I am attempting to have the user input numbers into a form on the HTML page, then press submit to redirect to a PHP page that displays the values. The PHP page shows up and successfully displays prepared text but displays nothing for the values.
HTML code:
<html>
<body>
<head>
<title>Practice Page</title>
</head>
<h1>Numbers</h1>
<p>Put numbers in the boxes</p>
<form action="welcome.php" method="post">
NumOne: <input type="text" name="oynumone"><br>
NumTwo: <input type="text" name="oynumtwo"><br>
<input type="submit" value="Submit" id="SubmitRegister" name="submit" />
</form>
</body>
<html>
PHP code:
<html>
<body>
Number one is <?php echo $_POST["oynumone"]; ?><br>
Number two is <?php echo $_POST["oynumtwo"]; ?>
</body>
</html>
Both of the files are simply in the same folder in my documents. I understand that I need a server to host PHP content; I have downloaded MAMP for this, but I don't yet understand how to use it.
Any help would be most appreciated.
Store both file name with .php extension AND/OR update Welcome.php like below -
Welcome.php
<?php
if isset($_POST['submit'])
{
$oynumone = $_POST['oynumone'];
$oynumtwo = $_POST['oynumtwo'];
echo "Number one is ".$oynumone;
echo "Number two is ".$oynumtwo;
}
?>
Also check this