Ajaxpage Security and php page graphics question



bryandees
02-21-2006, 07:20 PM
Hi,

I recently found the ajaxpage script under: http://www.dynamicdrive.com/dynamicindex17/ajaxcontent.htm.

The script works great except for a couple of things. And I was hoping someone could help me out.

1 - Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu? If so, could someone please explain how this is done. Also, could someone please explain why this is a security issue in the first place?

2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

The page works fine when I use frames which can be viewed under: https://zippo.homelinux.org/cgaux (click on the 'event calendar').

Could someone please explain why this isn't working?

These are my only blocking issues. I'm hoping one of you guru types can give me a hand.

Thanks,

Bryan Dees

Twey
02-21-2006, 07:27 PM
> Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu?

No. This isn't a limitation of the script, but a security feature of all AJAX-supporting browsers. It is a security issue because it would open the user up to Cross-Site Scripting (XSS) attacks, whereby a client-side script on one domain transfers sensitive data stored on cookies only accessible by that domain to a server-side script on another domain which would not usually have access to said cookie data, which may store it for later use by a human or immediately attempt to take over your account by means of an automated script.

> 2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

It's probably because this stylesheet:

<link rel="stylesheet" type="text/css" href="templates/default/default.css">

isn't in the <head> of the page.
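A way to apply the point above inside the menu code itself, added here as an example and not part of the ajaxpage script or of either poster's code: a small JavaScript check that classifies each menu href by origin using the browser's own URL parser, so that same-origin pages are fetched with XMLHttpRequest and everything else stays an ordinary link. The names sameOrigin, menuAction, PAGE and EXAMPLES are assumptions of this example. It goes beyond the two sites named in the thread by also showing that a different scheme or port is a different origin, and that a relative href resolves to the page's own origin.

```javascript
// Added example (not the ajaxpage script's own code): decide, before calling
// XMLHttpRequest, whether a menu target may be fetched at all. Browsers
// enforce the same-origin policy on AJAX requests, so the script can only
// pull in pages whose scheme, host and port all match the page it runs on.
// Everything else has to stay an ordinary link.

// True when both URLs resolve to the same (scheme, host, port) triple.
// Relative hrefs such as "calendar/month.php" are resolved against pageUrl.
function sameOrigin(pageUrl, href) {
  const page = new URL(pageUrl);
  const target = new URL(href, pageUrl);
  // Opaque origins (about:, data:, ...) report "null" and are never
  // considered same-origin, not even with each other.
  if (page.origin === 'null' || target.origin === 'null') return false;
  return page.origin === target.origin;
}

// What an ajaxpage-style menu should do with a given href (assumed helper):
//   'ajax'     -> fetch with XMLHttpRequest and inject into the content div
//   'navigate' -> leave it as a normal link (or open it in a new window)
function menuAction(pageUrl, href) {
  return sameOrigin(pageUrl, href) ? 'ajax' : 'navigate';
}

// Constructed examples based on the URLs discussed in the thread.
const PAGE = 'https://zippo.homelinux.org/ajax/';
const EXAMPLES = [
  'calendar/month.php',                          // relative: same origin
  'https://zippo.homelinux.org/cgaux/calendar/', // absolute: same origin
  'http://zippo.homelinux.org/cgaux/',           // same host, http: not https:
  'https://zippo.homelinux.org:8443/cgaux/',     // same host, different port
  'http://www.dynamicdrive.com/dynamicindex17/ajaxcontent.htm', // other site
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const href of EXAMPLES) {
    console.log(menuAction(PAGE, href).padEnd(9), href);
  }
}
```

The check runs before the request is made, so the menu never trips the browser's cross-origin error; an external entry is simply rendered as a plain link, which is the only way an external site can appear on the menu at all.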

bryandees
02-21-2006, 08:10 PM
Sweet! That fixed my calendar. And answered my question about the security issue.

Thank you very much Twey!

Sincerely,

Bryan Dees

bryandees
02-24-2006, 05:20 PM
Hi,

I found another problem using the ajaxpage menu and phpicalendar.

If I load the phpicalendar page using ajaxpage menu the $default_path var doesn't work. So, if you were to go to my page: https://zippo.homelinux.org/cgaux/ (click on events calendar), then attempt to click on any of the calendar event links they resolve to: https://zippo.homelinux.org/cgaux/#

It should look like: https://zippo.homelinux.org/cgaux/calendar/month.php#

There is a config file under phpicalendar that you can set the $default_path var. but it doesn't change anything.

Again, if you go to the calendar directly: https://zippo.homelinux.org/cgaux/calendar
The links work fine. But if you attempt to load the calendar page using ajaxpage the links are bad.

Thanks again for your help!

Bryan Dees

Twey
02-24-2006, 05:28 PM
What do you have $default_path set to?

bryandees
02-24-2006, 05:44 PM
$default_path = ''; // The HTTP URL to the PHP iCalendar directory, ie. http://www.example.com/phpicalendar

I tried setting it using the following:
https://zippo.homelinux.org/cgaux/calendar
https://zippo.homelinux.org/cgaux/calendar/calendars (which is where the ics calendar is stored)

There's another setting that I tried changing which is called:
$calendar_path = ''; // Leave this blank on most installs, place your full FILE SYSTEM PATH to calendars if they are outside the phpicalendar folder.

Which I entered the full path: /var/ww/html/cgaux/calendar or /var/www/html/cgaux/calendar/calendars/

I'd post on phpicalendar.net but the calendar works fine if I don't use ajaxpage. So, I'm afraid they'll just refer me back to you folks instead.

Thanks.

Twey
02-24-2006, 05:52 PM
> I tried setting it using the following:

But what is it now?

bryandees
02-24-2006, 05:53 PM
Nothing, it's blank.

I didn't want to corrupt your testing. Shall I add the full path back or?

Twey
02-24-2006, 07:58 PM
Yes, set it to its original (working, I presume) setting.

bryandees
02-24-2006, 08:05 PM
Okay, that would be 'nothing' then. Which works if you load the page directly:
https://zippo.homelinux.org/cgaux/calendar/

bryandees
02-24-2006, 08:08 PM
I've tried setting various variables within the config file as well as setting the full path within the php scripts. But nothing seems to work.

Twey
02-24-2006, 08:13 PM
Right... you don't need to touch $filesystem_path. Try https://zippo.homelinux.org/cgaux/calendar/ as the $default_path (note the slash on the end).

bryandees
02-24-2006, 08:32 PM
Ah, sorry, didn't realize we added a second page here.

I added https://zippo.homelinux.org/cgaux/calendar/ to the $default_path var.
It didn't change the links.

Twey
02-24-2006, 09:09 PM
Hm... I think I'll need to see the source of this app. Can you zip it up?

bryandees
02-24-2006, 09:17 PM
https://zippo.homelinux.org/bryandees_cal.zip

Thanks Twey.

Twey
02-24-2006, 09:22 PM
Um... that's missing the contents of the "functions" directory.
/EDIT: Never mind that, I just realized that this has nothing to do with the problem. The links use Javascript to open a new window; however, in the AJAX-included version, you're missing this codeblock:

<script language="JavaScript" type="text/javascript">
<!--
function openEventWindow(num) {
    // populate the hidden form from the entry registered for this event
    var data = document.popup_data[num];
    var form = document.forms.eventPopupForm;
    form.elements.date.value = data.date;
    form.elements.time.value = data.time;
    form.elements.uid.value = data.uid;
    form.elements.cpath.value = data.cpath;

    // open a new window and submit the form into it
    var w = window.open('', 'Popup', 'scrollbars=yes,width=460,height=275');
    form.target = 'Popup';
    form.submit();
}

// one of these is created per calendar event and stored in popup_data
function EventData(date, time, uid, cpath) {
    this.date = date;
    this.time = time;
    this.uid = uid;
    this.cpath = cpath;
}

function openTodoInfo(vtodo_array) {
    var windowW = 460;
    var windowH = 275;
    var url = "includes/todo.php?vtodo_array=" + vtodo_array;
    // declared with var so these don't leak into the global scope
    var options = "scrollbars=yes,width=" + windowW + ",height=" + windowH;
    var info = window.open(url, "Popup", options);
    info.focus();
}

document.popup_data = new Array();
//-->
</script>

... which is present normally.

bryandees
02-25-2006, 12:26 AM
I added the code block to my index.html but the links still aren't working. Or perhaps I'm misunderstanding how it should be implemented?

Twey
02-25-2006, 12:34 AM
No... one of these objects:

function EventData(date, time, uid, cpath) {
    this.date = date;
    this.time = time;
    this.uid = uid;
    this.cpath = cpath;
}

also needs to be instantiated and added to an array for each calendar event like this:

var eventData = new EventData('20060207', '1900', 'KOrganizer-471597887.799','');
document.popup_data[15] = eventData;

That last value (before the null string) seems to be some sort of ID, making me think this should be being generated by the server-side script, but isn't.

bryandees
03-09-2006, 06:32 PM
Twey,

Does this go in the date_functions.php to replace the existing:

var eventData = new EventData('$escaped_date', '$escaped_time', '$escaped_uid','$cpath');
date_functions.php.backup: document.popup_data[$popup_data_index] = eventData;

Thanks.

Bryan

Twey
03-09-2006, 07:20 PM
No, it's there now. Either I didn't see it before, or you've since modified the page. Anyway, the script still isn't working, so I was wrong there too. However, I believe I have the problem.
Each of these little script blocks is being loaded into the HTML, but it isn't being executed.
As such, try this:

function setPopupData() {
    // every <script> element now in the document, including the ones that
    // arrived inside the AJAX-inserted calendar markup and were never run
    var lom = document.getElementsByTagName("script");
    for (var walrus = 0; walrus < lom.length; walrus++) {
        // only re-run the blocks that register popup_data entries
        if (lom[walrus].innerHTML.indexOf("document.popup_data[") > -1) {
            eval(lom[walrus].innerHTML);
        }
    }
}

Call this after the calendar has loaded. This made the script work for me; however, a 404 results, probably due to some server-side misconfiguration.

bryandees
03-09-2006, 07:29 PM
Sorry, where do I load this? Which file?

Twey
03-09-2006, 08:26 PM
It just needs to be called after the calendar page has finished loading; it doesn't matter which file it's in so long as it's part of that page when the final output is sent to the client.

bryandees
03-09-2006, 08:34 PM
I added the function you gave me in the functions/event.js file.

Then called it at the end of the month.php (which sources in the above file) like this: setPopupData();

Which didn't work.

Twey
03-09-2006, 08:47 PM
Aha, there you have it. Any <script> elements in the included file won't be executed; this is precisely the problem we face. I made a typo in that last post, sorry. I meant to say "client," not "server." Now then: the AJAX-called page isn't part of the output sent to the client originally, so it won't work for our purposes.
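The setPopupData workaround a few posts up re-runs every matching script block through eval(), which executes whatever script text the fetched fragment happens to contain, not only the popup_data assignments. The following is an added example, not Twey's code and not part of phpicalendar or ajaxpage: it scans the fetched HTML for inline <script> blocks (the same ones the indexOf test selects) and extracts only the EventData(...) / popup_data[N] statement pairs as plain data, so the calendar's popup_data table can be rebuilt without executing anything from the response. The names inlineScripts, collectPopupData and SAMPLE_FRAGMENT, and the sample fragment itself, are constructed for this example.

```javascript
// Added example (not ajaxpage's or phpicalendar's own code): pull the
// popup_data entries out of an AJAX-fetched HTML fragment without eval().
//
// Background: when a fragment is inserted with innerHTML, its inline
// <script> blocks are not executed. The thread's workaround re-runs every
// script block that mentions "document.popup_data[" through eval(), which
// executes whatever script text the fetched page contained. This version
// instead recognises only the one statement shape month.php emits and
// turns it into plain data, so nothing from the response is executed.

const SCRIPT_RE = /<script\b[^>]*>([\s\S]*?)<\/script>/gi;

// Exactly the two-statement pattern phpicalendar writes per event:
//   var eventData = new EventData('date', 'time', 'uid', 'cpath');
//   document.popup_data[N] = eventData;
const ENTRY_RE = /var\s+eventData\s*=\s*new\s+EventData\(\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*,\s*'([^']*)'\s*\)\s*;\s*document\.popup_data\[(\d+)\]\s*=\s*eventData\s*;/g;

// Return the bodies of all inline <script> elements in an HTML string.
function inlineScripts(html) {
  const bodies = [];
  let m;
  SCRIPT_RE.lastIndex = 0;
  while ((m = SCRIPT_RE.exec(html)) !== null) bodies.push(m[1]);
  return bodies;
}

// Build { index: {date, time, uid, cpath} } from every script block that
// references document.popup_data[ (the blocks Twey's indexOf test selects).
// Statements that don't match ENTRY_RE are ignored rather than executed.
function collectPopupData(html) {
  const data = {};
  for (const body of inlineScripts(html)) {
    if (body.indexOf('document.popup_data[') === -1) continue;
    ENTRY_RE.lastIndex = 0;
    let m;
    while ((m = ENTRY_RE.exec(body)) !== null) {
      data[Number(m[5])] = { date: m[1], time: m[2], uid: m[3], cpath: m[4] };
    }
  }
  return data;
}

// Constructed sample of what month.php might return to the AJAX call.
// The second block also carries an unrelated statement, which eval() would
// run but which this parser simply skips.
const SAMPLE_FRAGMENT = `
<table class="calendar">...</table>
<script type="text/javascript">
<!--
var eventData = new EventData('20060207', '1900', 'KOrganizer-471597887.799','');
document.popup_data[15] = eventData;
//-->
</script>
<script type="text/javascript">
<!--
alert('unrelated statement in the same block');
var eventData = new EventData('20060214', '0930', 'KOrganizer-1.1','sub/');
document.popup_data[3] = eventData;
//-->
</script>`;

if (typeof require !== 'undefined' && require.main === module) {
  console.log(collectPopupData(SAMPLE_FRAGMENT));
}
```

In the page, the eval loop would be replaced by `document.popup_data = collectPopupData(xhr.responseText)` once the fragment has been inserted; openEventWindow only reads the four properties date, time, uid and cpath, so the plain objects returned here serve it just as the EventData instances would.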

bryandees
03-09-2006, 10:13 PM
Hmm. That is weird. I added the function directly to the month.php and then called it at the end of the page. But the page isn't loading.

bryandees
03-09-2006, 10:19 PM
Should there be an ending bracket on this?

document.popup_data["

like: document.popup_data[]"

Twey
03-10-2006, 07:32 AM
No, because it's never accessed as document.popup_data[] (unsurprisingly). What we're doing with that if is checking whether the script contains a reference to one of document.popup_data's elements (hence the [), and if so, executing it. It's a simple string operation, nothing fancy.

bryandees
03-10-2006, 03:01 PM
Am I calling the function correctly?

bryandees
03-13-2006, 06:05 PM
Twey, could you please send me the files you changed in order to get the calendar to work? I'm still having problems with this. I rewrote everything using tables, but this method will be an administrative nightmare.

I really don't want to give up on this cool menu.

Thanks,

Bryan