I've got a flash file (that I can't edit) that is making erroneous requests to a file ending in a #. So the link where the file is being accessed is /files/flash/, so the requests are being made for /files/flash/#
Is there any way for me to detect the # in the link so that I can have those pages not load?
The fragment is not sent to the server, and therefore cannot be accessed via PHP.
In case you are unsure:
scheme://host.tld/file/path/filename.ext?uri#fragment
The only way to access the fragment is through Javascript or another client-side script.
I am trying to implement some PHP on an Apache 2+ server to which I do not have root access. One script has to receive variables in a URL, but the API that sends me the data generates a URL string with a # character in it.
The URL in question would look like this:
http://website.name.com/script.php#foo=1&bar=2
Is there any way for the foo and bar variables to reach the script.php? I've read in other answers that everything after # doesn't get parsed by the server, so I tried to use an .htaccess file with a RewriteRule to replace the hashtag, but I was unable to create a working RegEx command.
No, the thing isn't that it isn't parsed by the server, the issue is that it's never being sent to the server. Everything after # is a local anchor, and is only available inside the current browser context (so Javascript would be able to read it, as it runs in the current browser context).
Since it's never sent to the server, you can't rewrite it or read it (since it doesn't exist) on the server side.
What you can do is create a small bit of Javascript on the resulting page in script.php, and then submit that back to the server side - either through a redirect or through a fetch or XMLHttpRequest.
To recreate the request as a GET request with the same parameters as given in the local anchor, you can use location.hash and remove the #:
location.href = 'realscript.php?' + location.hash.substring(1);
.. but I would consider parsing the hash yourself and then doing whatever is necessary in Javascript explicitly instead of redirecting like that.
I have a Javascript bookmarklet that POSTs to a PHP script, and I need PHP to know the filename of the page that the bookmarklet is POSTing from. I'll be using that filename with file_put_contents(), so I need it to be a real file.
The PHP will also be running on the same server as the page being POSTed from.
For example:
script.php is placed in the root of an arbitrary server (http://site.com/)
The operator browses to an arbitrary page on the server (http://site.com/foo/bar/baz) before executing the bookmarklet.
The bookmarklet sends some data to http://site.com/script.php.
script.php now needs to make some modifications to the file corresponding to http://site.com/foo/bar/baz, but can't resolve the URL to a filename.
There's location.href in Javascript and $_SERVER[ 'HTTP_REFERER' ] in PHP, but in the case of a rewritten URL (via mod_rewrite or whatever) these won't contain the real filename.
Is there any way to find the real filename of a URL in PHP or Javascript?
There's location.href in Javascript and $_SERVER[ 'HTTP_REFERER' ] in
PHP, but in the case of a rewritten URL (via mod_rewrite or whatever)
these won't contain the real filename.
Is there any way to find the real filename of a URL in PHP or
Javascript?
In Javascript: Client side Javascript has no idea about server side code unless the server passes that information to the client. Short answer: not unless you make it possible.
In PHP: I think that realpath will translate a URL to a physical file on the local drive (in ASP it is Server.MapPath), BUT, I don't know if that will work for rewritten URLs. I very much doubt it. If I am correct that it will not, then there could possibly be a related function specific to whatever framework you are using, if one is being used. If you are simply using mod_rewrite or similar without a framework, then you would have to code up your own function which knows how to translate from the virtual path to a real one.
You can't use $_SERVER["HTTP_REFERER"] because the client may choose not to send it, and this seems to be an essential bit of data.
In JavaScript you can only know the URL as it is displayed to the user (via document.location.href). If you want to know the filepath of the php script that handles that URL, just have PHP output the filepath somewhere on the page (in JS source) so JS can pick it up and pass it on.
I have Javascript updating my URI as below:
/index.php?page=list#page=news
But I would like to make page=news accessible somehow from my server so that when the URI is copied and pasted, it would go to the news page. What is the best way to do this?
I tried $_SERVER['REQUEST_URI'] but everything stored in $_SERVER is before the hash tag.
You can't. That data, called the fragment, is reserved for client side processing and thus is never sent to the server.
The only way to utilize the fragment is to have Javascript intervene at some point. This probably means checking for a hash-tag on the page onload, and then displaying the proper data.
You could make your entire page loaded via Javascript. While it would kill compatibility for anyone who turned off Javascript, it would ensure that the hash tag eventually gets sent to PHP.
Basically, it would look something like this:
PHP Sends Page
Javascript reads the hashtag
Make a URL with a hashtag parameter (loader.php?page=list&page=news)
(Note that in the above, page=list will be overridden by page=news, so $_GET['page'] will be news.)
AJAX call to PHP
Load the content into a div.
(And this question is very much a duplicate question)
I'm trying to store a url such as:
http://localhost/pro_print/index.php#page=home
in a variable, but I can't find a function that does that. I found plenty of solutions to store the index.php, but it doesn't include the hashmark and what follows it. Is there a PHP solution for this?
I did see that I can get the full URL including the hashmark with JavaScript using document.write(document.url) or document.write(location.href), but how do I store that into my variable? Is there any way I can combine PHP with JavaScript in some sort of solution like this?
<?php $url ="?><script>document.write(document.url)</script><?php "?>
The fragment identifier (the # and everything that appears after it) is handled entirely client side, and is not sent to the server when the URI is requested.
To make it available to PHP, you would have to:
Allow the page to load
Read the location with JavaScript
Send it to the server using an Ajax technique (e.g. XMLHttpRequest) or in a subsequent request
This won't make it available to the server at the time the original script runs, but nothing else can.
An alternative approach would be to duplicate the information in the fragment identifier somewhere else in the URI (e.g. the query string). This is used by this site when submitting an answer.
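The answers above all end the same way: JavaScript reads the fragment and passes it to PHP, and the `location.hash.substring(1)` redirect forwards it unchecked. As an added example (not code from any of the posts), this JavaScript parses the fragment, keeps only allowlisted keys whose values match a pattern, and merges them into the query so `page` appears once; the allowlist, its patterns and the sample inputs are assumptions.

```javascript
// Added example. The allowlist and its patterns are assumptions for
// illustration; loader.php is the endpoint named in an answer above.
const ALLOWED = new Map([
  ['page', /^[a-z0-9_-]{1,32}$/i], // e.g. "news", "home"
  ['foo', /^\d{1,9}$/],
  ['bar', /^\d{1,9}$/],
]);

// Parse "#page=news" into validated pairs. Unknown keys, repeated keys and
// values that fail their pattern are rejected instead of being forwarded.
function parseFragment(hash) {
  const params = new URLSearchParams(hash.replace(/^#/, ''));
  const accepted = {};
  const rejected = [];
  for (const key of new Set(params.keys())) {
    const values = params.getAll(key);
    const pattern = ALLOWED.get(key);
    if (pattern && values.length === 1 && pattern.test(values[0])) {
      accepted[key] = values[0];
    } else {
      rejected.push(key);
    }
  }
  return { accepted, rejected };
}

// Merge accepted fragment values into the existing query string. set()
// replaces a key, so the server never receives "page=list&page=news" and
// the result does not depend on PHP keeping the last duplicate.
function buildServerUrl(path, search, hash) {
  const query = new URLSearchParams(search);
  const { accepted, rejected } = parseFragment(hash);
  for (const [key, value] of Object.entries(accepted)) {
    query.set(key, value);
  }
  const qs = query.toString();
  return { url: qs ? `${path}?${qs}` : path, rejected };
}

// Constructed inputs; in a browser pass location.search and location.hash.
console.log(buildServerUrl('/loader.php', '?page=list', '#page=news'));
console.log(buildServerUrl('/loader.php', '?page=list',
  '#page=news&page=admin&next=https%3A%2F%2Fexample.test&foo=abc'));
```

The PHP side still has to validate `$_GET` itself, since any client can request the resulting URL directly.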
While cross-site scripting is generally regarded as negative, I've run into several situations where it's necessary.
I was recently working within the confines of a very limiting content management system. I needed to include database code within the page, but the hosting server didn't have anything usable available. I set up a couple bare-bones scripts on my own server, originally thinking that I could use AJAX to import the contents of my scripts directly into the template of the CMS (thus retaining dynamic images, menu items, CSS, etc.). I was wrong.
Due to the limitations of XMLHttpRequest objects, it's not possible to grab content from a different domain. So I thought iFrame - even though I'm not a fan of frames, I thought that I could create a frame that matched the width and height of the content so that it would appear native. Again, I was blocked by cross-site scripting "protections." While I could indeed load a remote file into the iFrame, I couldn't execute JavaScript to modify its size on either the host page or inside the loaded page.
In this particular scenario, I wasn't able to point a subdomain to my server. I also couldn't create a script on the CMS server that could proxy content from my server, so my last thought was to use a remote JavaScript.
A remote JavaScript works. It breaks when the user has JavaScript disabled, which is a downside; but it works. The "problem" I was having with using a remote JavaScript was that I had to use the JS function document.write() to output any content. Any output that isn't JS causes script errors. In addition to using document.write() for every line, you also have to ensure that the content is escaped - or else you end up with more script errors.
My solution was as follows:
My script received a GET parameter ("page") and then looked for the file ({$page}.php), and read the contents into a variable. However, I had to use awkward buffering techniques in order to actually execute the included scripts (for things like database interaction) then strip the final content of all line break characters (\n) followed by escaping all required characters. The end result is that my original script (which outputs JavaScript) accesses seemingly "standard" scripts on my server and converts their standard output to JavaScript for displaying within the CMS template.
While this solution works, it seems like there may be a better way to accomplish the same thing. What is the best way to make cross-site scripting work specifically for the purpose of including content from a completely different domain?
You've got three choices:
Create a server side proxy script.
Create a remote script to read in remote dynamic HTML. Use a library like jQuery to make this easier. You can use the load function to inject HTML where needed. EDIT: What I originally meant for example #2 was utilizing JSONP, which requires the server side script to recognize the "callback=?" param.
Use a client side Flash proxy and set up a crossdomain.xml file on your server's web root.
Personally, I would call to that other domain on the server and get and parse the data there for use in your page. That way you avoid any problems and you get the power of a server-side language/platform for getting and parsing the data.
Not sure if that would work for your specific scenario...hard to know even with your verbose description...
You could try easyXDM; by including very little code, you can pass data or method calls between documents of different domains.
I've come across that YDN server side proxy script before. It says it's built to work with Yahoo's Search APIs.
Will it work with any domain, if you simply trim the Yahoo API code out? Or do you need to replace it with the domain you want it to work with?
iframe remote content can be accessed by local javascript.
The remote server just has to set the document.domain of the page.
E.g.:
Site A contains an iframe with src='Site B/home.php'
home.php looks like this :
[php stuff]...[/php]
[script type='text/javascript']document.domain='Site A'[/script]