
Thread: Pass value to php with ajax

  1. #11
    Join Date
    Mar 2005
    Location
    SE PA USA
    Posts
    28,699
    Thanks
    43
    Thanked 3,132 Times in 3,096 Posts
    Blog Entries
    12


    My site and the demo from my last post are back up having passed host inspection, phew. So have a look:

    http://jscheuer1.comli.com/postedit/demo.htm
    - John
    ________________________

    Show Additional Thanks: International Rescue Committee - Donate or: The Ocean Conservancy - Donate or: PayPal - Donate

  2. #12
    Join Date
    Mar 2011
    Location
    N 11 19' 0.0012 E 142 15' 0
    Posts
    1,508
    Thanks
    41
    Thanked 89 Times in 88 Posts
    Blog Entries
    3


    My copy still doesn't work. I'll try to post a link soon.

  3. #13

    Well, perhaps I can save us both some time. In putting together that demo I realized that unless quotes are escaped, it could be used by another website to make their content appear to be on your domain. But escaping quotes also prevents inline attributes.

    Another drawback is - well I see your default starting code is:

    Code:
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>
    But you cannot paste these as real tags into the Viewing Window, as they're invalid there. Most browsers will strip them automatically, or at the very least not respect them the way that they normally are when used as intended. You would need an iframe to properly do that.

    It is tempting. The contenteditable division allows you to enter tags and text, the other division could be used to display the result. All of this with minimal coding required - provided of course you have a host with PHP enabled.

    There already is a script for this sort of thing though:

    http://www.dynamicdrive.com/dynamici...itor/index.htm
    Last edited by jscheuer1; 02-17-2012 at 11:51 AM. Reason: add info
    - John

  4. #14

    Quote Originally Posted by jscheuer1 View Post
    Well, perhaps I can save us both some time. In putting together that demo I realized that unless quotes are escaped, it could be used by another website to make their content appear to be on your domain. But escaping quotes also prevents inline attributes.
    I don't understand what you mean. How could quotes let others show their pages on my domain?

    Quote Originally Posted by jscheuer1 View Post
    Another drawback is - well I see your default starting code is:

    Code:
    <html>
    <head>
    </head>
    <body>
    </body>
    </html>
    But you cannot paste these as real tags into the Viewing Window, as they're invalid there. Most browsers will strip them automatically, or at the very least not respect them the way that they normally are when used as intended. You would need an iframe to properly do that.
    This is definitely a problem. On this page http://jscheuer1.comli.com/postedit/postit_2_h.htm are you saving the file to the server when you click update? Because if you were you could just use an iframe...

    Quote Originally Posted by jscheuer1 View Post
    It is tempting. The contenteditable division allows you to enter tags and text, the other division could be used to display the result. All of this with minimal coding required - provided of course you have a host with PHP enabled.

    There already is a script for this sort of thing though:
    http://www.dynamicdrive.com/dynamici...itor/index.htm
    Isn't that a WYSIWYG editor? I'm not trying to do that. I still want to use HTML tags, but have a live preview as well.

    I hope that explains most of it.
    Keyboard1333

  5. #15

    Well, you cannot do this on my version because quotes are escaped. But if they were not, you could paste into the Edit Window:

    Code:
    <script type="text/javascript">
    (function(){
    document.write('anything at all, even an entire page of code');
    document.close();
    })();
    </script>
    And, anything you can paste into the Edit Window could be posted directly to the PHP page, requiring no user interaction other than clicking on a (perhaps cleverly disguised) submit button on another site to make it appear to be on your domain. If the person abusing this vulnerability were to study your site, they could even have the fake page they make link to other real and/or fake pages on your site. If those accept post or get input, the abuser would have total control over that, perhaps (and this would depend upon the sort of site you have) even getting passwords and other sensitive data from your unsuspecting users who think they are on your real site.

    You have me though on the other point. You could have a preview in the View Window without the invalid tags while at the same time saving the tags to a separate file where they could be valid, or you could just save to a separate file and show that in an iframe as a preview.

    I'd have to think about that one because it might fix the other problem. If the PHP file only writes to a file that shows in an iframe, that might remove the threat. As long as that file couldn't self execute and wasn't a PHP file, it should be fine.

    But that's pretty much what that other script does. Except it doesn't save a file. It just writes to the iframe document. Saving a file would be nice if you wanted your users to be able to download their work.

    I'm still not 100% sold on this. But tell me more of what you are envisioning.
    - John

  6. #16

    Quote Originally Posted by jscheuer1 View Post
    I'm still not 100% sold on this. But tell me more of what you are envisioning.

    Very well then.
    I dislike WYSIWYG editors. While they may be easier/quicker to use, they have several disadvantages. They don't provide all the functionality of HTML. And I haven't seen any with JavaScript capabilities (correct me if I'm wrong). What I would like to do is create an HTML editor that still uses HTML, but provides a preview window for viewing the page without having to click save, minimize, refresh.

    Also I intend on adding more features at a future time. I just need help with the basic structure of the editor (mainly the AJAX).

    I hope that is enough to convince you
    Keyboard1333

  7. #17

    If this is for your own use, I just use a good context-highlighting text-only editor like NotePad++ or EditPad Pro and preview in browsers locally or on my WAMP server localhost. It's a much fuller featured setup than you could ever hope to achieve with JavaScript/AJAX/PHP.

    If it's for a live web tool, I think there are CMS setups that include that sort of thing. You should check out:

    http://www.tinymce.com/

    It's WYSIWYG, but I'm sure it must have text editing mode.

    All that said, I'd be happy to provide you with AJAX tips in response to specific questions.
    - John

  8. #18

    Thanks for your reply. I'd still like to have a go at this, so I'm going to leave this thread as not resolved for a little while in case I run into any big problems. Could you please post/email/PM me the code for this page (and the relevant PHP)? I'd like to have a fiddle with it because it should answer this thread.
    Thanks for your time
    Keyboard1333

  9. #19

    You can get the source code of the page with your browser's 'view source'. It's a plain HTML page, all the script code on it is on the page except for the linked in jQuery library, which is hosted on Google. Here's the source code of the PHP page (postedit.php):

    PHP Code:
    <?php
    // Read the posted field (empty string if absent), strip tags, then decode entities.
    $field1value = isset($_POST['field1value']) ? $_POST['field1value'] : '';
    echo html_entity_decode(strip_tags($field1value));
    ?>
    - John
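    An added example, not code from the thread or from John's demo: the postedit.php filter from the post above, modelled as a function, next to a variant that encodes output and a request check aimed at the cross-site POST John describes in post #15. The order of the two calls matters: strip_tags() runs first, so entity-encoded markup such as &lt;script&gt; contains no angle brackets and passes through untouched, and html_entity_decode() then turns it back into a live tag. The server-side filter alone therefore does not keep markup out of the response. The X-Requested-With check, the function names and the sample inputs are assumptions for illustration (jQuery's $.ajax does add that header to same-origin requests, and a plain HTML form on another site cannot). For a live HTML preview, the client-side iframe approach John mentions avoids a server round-trip and this endpoint altogether.

    ```php
    <?php
    // Added example (not the thread's own code). The posted filter from
    // postedit.php as a function, beside a hardened variant and a request gate.

    // The posted filter: strip tags, THEN decode entities. Because decoding
    // happens after stripping, "&lt;script&gt;" survives strip_tags() (it has
    // no '<' or '>') and comes out of html_entity_decode() as "<script>".
    function posted_filter(string $value): string
    {
        return html_entity_decode(strip_tags($value));
    }

    // Hardened variant for an endpoint that echoes user text: encode it so the
    // browser shows '<', '>', '&', '"' and "'" as characters instead of markup.
    function safe_filter(string $value): string
    {
        return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    }

    // Request gate (assumed header name): jQuery sets
    // "X-Requested-With: XMLHttpRequest" on same-origin AJAX requests. An
    // HTML <form> on another site cannot add a custom header, and a cross-origin
    // XMLHttpRequest that tries to is stopped by the browser's CORS preflight
    // unless this server opts in. This limits who can reach the endpoint; it is
    // not a substitute for encoding the output.
    function is_ajax_request(array $server): bool
    {
        return isset($server['HTTP_X_REQUESTED_WITH'])
            && strcasecmp($server['HTTP_X_REQUESTED_WITH'], 'XMLHttpRequest') === 0;
    }

    // Constructed sample inputs (not captured from any real request).
    $samples = [
        'plain'   => 'Hello <b>world</b>',
        'encoded' => '&lt;script&gt;alert(document.domain)&lt;/script&gt;',
    ];

    if (PHP_SAPI === 'cli') {
        // Run from the command line to compare the two filters side by side.
        foreach ($samples as $name => $input) {
            echo "[$name] posted_filter: ", posted_filter($input), PHP_EOL;
            echo "[$name] safe_filter:   ", safe_filter($input), PHP_EOL;
        }
        // posted_filter('encoded') comes back as a live <script> tag;
        // safe_filter leaves it as the literal text "&lt;script&gt;...".
        exit;
    }

    // Web entry point, using the same field name as postedit.php.
    if (!is_ajax_request($_SERVER)) {
        http_response_code(403);
        exit('AJAX requests only');
    }
    $field1value = isset($_POST['field1value']) ? $_POST['field1value'] : '';
    header('Content-Type: text/html; charset=UTF-8');
    echo safe_filter($field1value);
    ```

    Run it with `php postedit_example.php` to see the two filters compared on the constructed inputs; served behind a web server it answers only requests that carry the AJAX header.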

  10. #20

    Just had a thought. If the only problem with quotes being enabled was document.write, couldn't you just search the #window1 for document.write on the PHP page and, if it returns true, just write an alert? It would be a lot less restrictive than disabling all quotes.
    Keyboard1333
