
Thread: Ajaxpage Security and php page graphics question

  1. #1

    Ajaxpage Security and php page graphics question

    Hi,

    I recently found the ajaxpage script under: http://www.dynamicdrive.com/dynamici...jaxcontent.htm.

    The script works great except for a couple of things. And I was hoping someone could help me out.

    1 - Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu? If so, could someone please explain how this is done. Also, could someone please explain why this is a security issue in the first place?

    2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

    The page works fine when I use frames which can be viewed under: https://zippo.homelinux.org/cgaux (click on the 'event calendar').

    Could someone please explain why this isn't working?

    These are my only blocking issues. I'm hoping one of you guru types can give me a hand.

    Thanks,

    Bryan Dees

  2. #2

    > Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu?

    No. This isn't a limitation of the script, but a security feature of all AJAX-supporting browsers. It is a security issue because it would open the user up to Cross-Site Scripting (XSS) attacks, whereby a client-side script on one domain transfers sensitive data stored in cookies only accessible by that domain to a server-side script on another domain, which would not usually have access to said cookie data and which may store it for later use by a human or immediately attempt to take over your account by means of an automated script.

    > 2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

    It's probably because this stylesheet:
    Code:
    <link rel="stylesheet" type="text/css" href="templates/default/default.css">
    isn't in the <head> of the page.
    Twey | I understand English | I understand Japanese | I understand Lojban | I understand Esperanto | I understand French | I understand Spanish | I understand a little Vietnamese | I understand a little German | beware XHTML | common coding mistakes | tutorials | various stuff | argh PHP!
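The browser rule behind that answer is the same-origin policy: script on a page may read an XMLHttpRequest response only when the target URL's scheme, host and port all match the page's own; path, query and fragment play no part. What follows is an added example, not code from the ajaxpage script, from Dynamic Drive or from anyone in this thread. It reproduces the origin check with the WHATWG URL parser (Node.js or any current browser) and classifies a constructed set of menu links into "may be fetched and injected" versus "must be an ordinary navigation". The host page URL https://zippo.homelinux.org/ajax/ is taken from the first post; the sample links are constructed. Two of them show the cases that catch people out: an http:// link to the same host, and a link to the same host on another port, are both cross-origin even though the hostname matches.

```javascript
// Added example (not from the ajaxpage script or the thread): the
// same-origin rule a browser applies before letting page script read an
// XMLHttpRequest response. Origin = scheme + host + port; path, query,
// fragment and userinfo are ignored.

// URL.origin already normalises default ports (":443" on https vanishes).
function originOf(urlString) {
  return new URL(urlString).origin;
}

// Resolve `target` the way the browser would (relative to the page URL),
// then compare origins. A relative path therefore always stays same-origin.
function isSameOrigin(pageUrl, target) {
  const page = new URL(pageUrl);
  const resolved = new URL(target, page);
  return page.origin === resolved.origin;
}

// The decision an ajaxpage-style loader has to make for each menu entry:
// a same-origin URL may be fetched and injected; anything else has to be a
// plain navigation, because XHR cannot read a cross-origin response.
function classifyMenuLink(pageUrl, href) {
  const resolved = new URL(href, pageUrl).href;
  return isSameOrigin(pageUrl, href)
    ? { action: 'ajax-load', url: resolved }
    : { action: 'navigate', url: resolved };
}

// Host page URL assumed from the first post; the links are constructed.
const PAGE = 'https://zippo.homelinux.org/ajax/';
const SAMPLE_LINKS = [
  'calendar/month.php',                          // relative -> same origin
  'https://zippo.homelinux.org/cgaux/calendar/', // absolute, same origin
  'http://zippo.homelinux.org/cgaux/calendar/',  // same host, other scheme
  'https://zippo.homelinux.org:8443/ajax/',      // same host, other port
  'https://www.dynamicdrive.com/',               // other host
];

function demo() {
  return SAMPLE_LINKS.map((href) => classifyMenuLink(PAGE, href));
}

if (typeof require !== 'undefined' && require.main === module) {
  for (const r of demo()) console.log(r.action.padEnd(10), r.url);
}
```

Run it with node; each sample link is printed with whether the loader may fetch it or must fall back to a normal navigation. Note that the check is on the resolved URL, so a relative href can never escape the page's origin, while an absolute URL on the same hostname can (different scheme or port). A cross-origin page can only be shown through an AJAX loader if the site's own server fetches it and serves it back from the same origin, which moves the trust decision from the browser to that server.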

  3. #3

    Sweet! That fixed my calendar. And answered my question about the security issue.

    Thank you very much Twey!

    Sincerely,

    Bryan Dees

  4. #4

    Hi,

    I found another problem using the ajaxpage menu and phpicalendar.

    If I load the phpicalendar page using ajaxpage menu the $default_path var doesn't work. So, if you were to go to my page: https://zippo.homelinux.org/cgaux/ (click on events calendar), then attempt to click on any of the calendar event links, they resolve to: https://zippo.homelinux.org/cgaux/#

    It should look like: https://zippo.homelinux.org/cgaux/calendar/month.php#

    There is a config file under phpicalendar in which you can set the $default_path var, but it doesn't change anything.

    Again, if you go to the calendar directly: https://zippo.homelinux.org/cgaux/calendar
    The links work fine. But if you attempt to load the calendar page using ajaxpage the links are bad.

    Thanks again for your help!

    Bryan Dees

  5. #5

    What do you have $default_path set to?
    Twey

  6. #6

    $default_path = ''; // The HTTP URL to the PHP iCalendar directory, ie. http://www.example.com/phpicalendar

    I tried setting it using the following:
    https://zippo.homelinux.org/cgaux/calendar
    https://zippo.homelinux.org/cgaux/calendar/calendars (which is where the ics calendar is stored)

    There's another setting that I tried changing, which is called:
    $calendar_path = ''; // Leave this blank on most installs, place your full FILE SYSTEM PATH to calendars if they are outside the phpicalendar folder.

    For which I entered the full path: /var/ww/html/cgaux/calendar or /var/www/html/cgaux/calendar/calendars/

    I'd post on phpicalendar.net but the calendar works fine if I don't use ajaxpage. So, I'm afraid they'll just refer me back to you folks instead.

    Thanks.

  7. #7

    > I tried setting it using the following:

    But what is it now?
    Twey

  8. #8

    Nothing, it's blank.

    I didn't want to corrupt your testing. Shall I add the full path back or?

  9. #9

    Yes, set it to its original (working, I presume) setting.
    Twey

  10. #10

    Okay, that would be 'nothing' then. Which works if you load the page directly:
    https://zippo.homelinux.org/cgaux/calendar/
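The two URLs quoted in post #4 differ only in the document they were resolved against: a relative href is resolved by the browser against the URL of the document that contains the link, and once a fetched fragment has been injected into the /cgaux/ host page, its links belong to that page. A bare "#" therefore becomes /cgaux/# under the host page and /cgaux/calendar/month.php# when the calendar is opened directly; that the calendar's event links carry an href of "#" is an assumption drawn from those two URLs, not something the thread establishes. The following added example (not code from the thread, from ajaxpage or from PHP iCalendar) shows that resolution with the WHATWG URL parser and includes a small helper that rewrites the relative hrefs of a fragment to absolute URLs against the URL it was fetched from, which is the general fix for relative links in injected content. Fragment-only hrefs are deliberately left alone: an absolute "#" link would still point at the containing page, so rewriting cannot repair a link whose whole behaviour lives in an onclick handler.

```javascript
// Added example (not code from the thread, ajaxpage or PHP iCalendar).
// Shows how relative hrefs resolve against the containing document's URL
// and rewrites them to absolute URLs before a fragment is injected.

// Resolve `href` exactly as a browser would for a link that lives in a
// document whose URL is `documentUrl`.
function resolveHref(documentUrl, href) {
  return new URL(href, documentUrl).href;
}

// The host page URL is the one quoted in post #4; the calendar URL is the
// one the poster says the links should resolve to.
const HOST_PAGE = 'https://zippo.homelinux.org/cgaux/';
const CALENDAR_PAGE = 'https://zippo.homelinux.org/cgaux/calendar/month.php';

// Rewrite every double-quoted href in an HTML fragment to an absolute URL
// resolved against `fragmentUrl`, the URL the fragment was fetched from.
// Fragment-only hrefs ("#", "#top") are in-page anchors and are left as-is.
function absolutiseHrefs(html, fragmentUrl) {
  return html.replace(/href\s*=\s*"([^"]*)"/gi, (match, href) => {
    if (href === '' || href.startsWith('#')) return match;
    return `href="${resolveHref(fragmentUrl, href)}"`;
  });
}

// Constructed fragment standing in for part of a calendar page; the
// onclick function name is hypothetical.
const SAMPLE_FRAGMENT =
  '<a href="day.php?cal=default">Day</a> ' +
  '<a href="#" onclick="showEvent(1)">Meeting</a> ' +
  '<a href="../">Back</a>';

function demo() {
  return {
    bareHashInHostPage: resolveHref(HOST_PAGE, '#'),
    bareHashInCalendar: resolveHref(CALENDAR_PAGE, '#'),
    rewritten: absolutiseHrefs(SAMPLE_FRAGMENT, CALENDAR_PAGE),
  };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(demo());
}
```

Running it prints the two resolutions of "#" (matching the two URLs in post #4) and the fragment with day.php and ../ turned into absolute calendar URLs while the "#" link is untouched. The regex only handles double-quoted href attributes, which is enough for a generated page you control; a fragment from an untrusted source should go through a real HTML parser, and injecting it at all is a decision about trusting that source's markup.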
