I'm developing a website, but stuck at some point, where i needed to detect outgoing links on my website, and either forbid the links, or accept that, i don't know how facebook is doing this, but they can do it through facebook.com/l.php that if the link is marked spam, users will get notified about it.
I don't know if that's a php or htaccess, it worked in php using the DOMDOCUMENT, but it's not a real solution for this.
This is not something that you solve on the Apache or .htaccess level. Basically, whenever you're outputting a link, check if it's external, and if it is, change the destination to your redirector.
The redirector can then just check the URL passed, and if it's marked as malicious, it can show a message, and if it's not, then it can either automatically redirect or display some kind of notice that you're leaving the website.
I'm not 100% sure how Facebook is implementing it, but what I would recommend is to use JQuery (or another javascript library) to rewrite all external links to a validating PHP script (e.g. Facebook's l.php script), w/ the intended url getting passed as a GET parameter.
Using JQuery, it might look like:
$('a[href]').each(function(){
var safe_href = 'http://yourdomain.com/yourscript.php?url='+$(this).attr('href');
$(this).attr('href', safe_href);
});
You can can then do a database lookup in yourscript.php based on the variable $_GET['url'], and redirect to that url if it's safe or display a message if it isn't.
l.php is a script that reads links via $_GET['u']. With the url in the your hand you decide where you want the client to be redirected.
So as it looks, you want the users to teach your application what is spam and what not. For that you will need a button "report spam" beside the url.
Related
Lately i have been working on php-Browser-alike program. The goal of this program is to use this php-browser platform to browse only 'safe' web sites. the capabilities will be to track an adult site and not displaying it.
unfortunately , there are two major problems:
Cookies - user can't log-in their users in different sites while using this platform.
Security redirecting - some sites check the url either in PHP or JS and then redirect to their page.
So , simply i though about plain B:
i was thinking about using iFrame and build the whole program in JavaScript and Ajax! but unfortunately , iFrame is super secured and i can't touch anything in it!
- and there is gone plain B.
My question is: is there anything you can think of / advices that can help building PHP/javascript+ajax browser alike program?
For the PHP side you'll need to use curl. You'd probably want to change the html on the server side. Take a look at this Is there a PHP HTML tag library?.
For checking if the site is adult. You should just pass the domain through a database of adult sites.
For javascript I don't know of any pre-made browsers. You'll probably have to block it in yourself, it shouldn't be to hard.
Update
basic structure:
js client makes ajax request to php server using GET or POSt (ex "url=site.com/page/foo.html")
Php gets url using GET or POST
php uses curl to get page contents
php parses through html and changes urls or js prevent link press and send href="" to server via ajax (back to top) : Is it possible to stop redirection to another link page?
php echos out the page
javascript places it in display
I know my ans is too late, posting for so that anyone get help. There is a simple solution for creating complete php browser. Here is the link: http://sourceforge.net/projects/snoopy/
i've a jquery script which post/get data to .php script. but i wanna prevent direct access to the php script. for example if the user look at the html source code,they will be able to access the php script directly by copying the url from the js file and i dont want that. how do i prevent users from doing that?? i want the user to use it via the html UI. i've google but found no link on this. however, i did notice that some popular websites are able to do that. how should i go about doing this??
It seems like a simple redirect is what you're looking for here.
Add something like this to the top of your php file. This will prevent the page from being accessed if the proper post has not been made. Of course you'll have to change the post and redirect to content more relevant to your project.
if (!isset($_POST['data'])) {
header('Location: your-redirect-location');
}
You may also be able to redirect based on the $_SERVER['HTTP_REFERER'] variable.
EDIT: I was going to explain this in a comment but it's too long. I should note that this is a simple solution. It will keep people from accidentally accessing your script. It's really difficult to create a 100% secure solution for your issue, and if somebody really wants to access it, they will be able to. If you don't have anything secure in the script in question, this will be fine. Otherwise, you'll have to look for an alternative.
Here is one solution:
<?php
if(isset($_POST["post_var]))
{
//to the code you want to do when the post is made
}
else
{
//do what you want to do when the user views the post page
}
?>
how do i prevent users from doing that?
You can't - all you can do is mitigate the risk people can fiddle with your script. Making sure you have the right HTTP_REFERER and/or POST data are both useful in that regard: a "malicious" user would need more than pointing her browser to the URL.
More techniques can be used here:
using session variables: you might not want users that are not logged in - if applicable - to use the URL.
using a one-time challenge (token): you can place a value in the HTML page and have the JS code send this value along with the POST request. You store this value in the session when it is generated. Checking the POSTed token against the session token guarantees the user has at least "seen" the HTML page before submitting data - this can also be useful to prevent duplicate submissions.
However, remember that anything a browser can do, people can do it as well. All these techniques can prevent the curious from doing harm, but not the malicious.
All you can do is making sure nobody can really harm you, and in this regard, your Ajax URL is no different than any other URL of your site: if it's publicly reachable, it has to be secured using whatever technique you already use elsewhere - sessions, user rights, etc.
After all, why should you care that users use this URL not using a browser ? You might want to think of it in terms of an API call that, incidentally, your page happens to use.
Your problem is similar to and has the same problems as a cross site request forgery.
To reduce your risk, you can check the request method, check the referrer, and check the origin if set. The best way is to have a secret token that was generated on the server that the client transmits back in every request. Since you're dealing with friendly users who have access to your live code, they may be able to debug the script and find the value, but it would only be for one session and would be a real hassle.
Is there any way of registering clicks to a callto: link with the use of PHP? I've set up a site for a friend of mine and what I would like to do is to create a log of some sort to show who called who eg. if the current user clicks the callto: link I'd like to add a row to the database like "userX called numberY at hh:mm" but I've noticed you cant set variables in the callto: link as you would in ordinary links with just appending $var1=val etc...
I figured you could make use of the onclick()-method of the a-tag but I'd rather skip javascript at the moment and just use PHP. Anyone got any ideas for this? Is it possible to use the header()-function and "redirect" to the callto: link?
callto: is not http:, which means these links are not to be followed by a browser when you click them, but instead trigger activation of some program on the client computer associated with that protocol, right?
Which means no HTTP request is made, so you can't point them to a PHP script.
Which means the only way you're going to intercept these clicks is with JavaScript or by modifying the client software the browser launches itself.
I just did a proof of concept doing a redirect (in .NET), and it seems to work ok in Chrome, but it puts the following in FireFox (might be an artifact of .NET actually):
Object moved to here.
I guess you would do something like this: The user clicks on link to /docall.php?callto=blahblah. The contents of docall.php looks like this:
$callto = $_GET['callto'];
// log the call to $callto in the database
// send back the callto protocol response to the user.
header("location:callto:$callto");
I am working on "Email this page" Popup page. I want to send url of base page as an email, but it should be a popup window.
I have used HTTP_REFERER, it is working fine on Firefox, but not working on Internet Explorer.
I am getting the url of current page but I want that url in new popup window page.
Is there any alternative than HTTP_REFERER.
On the page you wish to grab the URL of, you can use $_SERVER['REQUEST_URI'] to get the requested URI (except the scheme & hostname; in other words, you get the path and query string). Pass this to your other page either using a query string or sessions. The former is preferable, as the latter isn't RESTful. There may be times when it's OK to break REST's rule against server side state, but this probably isn't it.
There is no way unless you store it or send it yourself. This page has one example of how to do it, but only really if you set it beforehand. If the site is your own then you should be ok. If not then you will struggle.
That happens because the HTTP_REFERER is sent by the client browser, which means that it's value can be totally manipulated or can even be null. This means that this variable isn't very reliable. But if the site is yours, there are other solutions.
You can send the url or any other identification like an ID by QueryStrings. So you'll have the link URL like this the_send_page_name.php?ref=index.php
Be aware that this method only works if you're opening the Pop-up in a site that's yours.
I have a Google calendar embedded on a webpage, with events related to activities the site is organizing. Some calendar events have links that redirect the user to a page, within the same website, which has more information and the option to enroll in the event.
The problem however, is that since the end of last month, Google imposed a redirect notice that doesn't even automatically redirect. The links I create on events are changed by Google and, once a user clicks on a link, a new tab opens leading to a page with a redirect warning that the user must click. Since I am providing the users with a link to within the same website this is very inconvenient and makes no sense at all.
I'd want the users to be able to click a link on the calendar and go through to the webpage with the relevant data.
Do you guys know how I can go around this warning?
My thought process:
Initially, I thought of using JS to rewrite the links but since the calendar's iframe is in a different domain, the browser won't allow it due to XSS exploits (AFAIK).
I could build my own AJAX calendar and sync it with Google's using the API, but that's a hell of a lot of work because of stupid "feature" that makes no sense. I like Google's calendar and I'd like to use it.
The third thing that I though of was that, instead of having an iframe with the calendar I could use AJAX to fetch the entire code on the frame's url. Then I'd just rewrite the links on the that code with JS. Could this work?
I would be REALLY thankful for any help. This is driving me insane!
Using Jon Cram's input I created a php script that parses the code and makes the adjustments. However I could only get that working for the html version. No AJAX for me. =(
The same origin policy will prevent JavaScript served from your domain from interacting with data served from a different domain.
You are therefore right in saying that option 1 won't work.
The same origin policy also applies to option 3 as you have stated it. JavaScript served from your domain won't be able to make a direct HTTP request to whichever domain serves the calendar code.
You will need to acquire and modify the calendar code, neither of which can be achieved with JavaScript using today's most commonly used browsers. When FireFox 3.1 and IE8 are in common use and Google serves the correct HTTP Access Control headers this could be achieved with JavaScript alone.
To modify code served from another domain, you will need to utilise some form of server-side process.
A server-side script will be able to request the calendar code. The same script can then modify the code as needed and output it in whatever form you require.
If it is a private internal site you could install greasemonkey on all clients (if they use firefox) and make a short script that fixes the urls. That only works if the original url is contained within google's redirecturl though.
If I had this problem I wound change the calendar provider, that's probably the easiest solution. I did a google search and found Kiko, looks like they might have what you need?
Simply remove the "http://" part of the URL. I am not sure why this works but it does!