Ajaxpage Security and php page graphics question

**bryandees** · 02-21-2006, 07:20 PM

Hi,

I recently found the ajaxpage script under: http://www.dynamicdrive.com/dynamici...jaxcontent.htm.

The script works great except for a couple of things. And I was hoping someone could help me out.

1 - Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu? If so, could someone please explain how this is done. Also, could someone please explain why this is an security issue in the first place?

2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

The page works fine when I use frames which can be viewed under: https://zippo.homelinux.org/cgaux (click on the 'event calendar').

Could someone please explain why this isn't working?

These are my only blocking issues. I'm hoping one of you guru types can give me a hand.

Thanks,

Bryan Dees

**Twey** · 02-21-2006, 07:27 PM

Is there a way to disable the external page source limitations within the script so I can link external websites on my main menu?

No. This isn't a limitation to the script, but a security feature of all AJAX-supporting browsers. It is a security issue because it would open the user up to Cross-Site Scripting (XSS) attacks, whereby a client-side script on one domain transfers sensitive data stored on cookies only accessible by that domain to a server-side script on another domain which would not usually have access to said cookie data, which may store it for later use by a human or immediately attempt to take over your account by means of an automated script.

2 - The Icalendar php page doesn't render the calendar graphics when using the script. Please see my: https://zippo.homelinux.org/ajax/ (click on the 'event calendar') for an example.

It's probably because this stylesheet:

Code:

<link rel="stylesheet" type="text/css" href="templates/default/default.css">

isn't in the <head> of the page.

**bryandees** · 02-21-2006, 08:10 PM

Sweet! That fixed my calendar. And answered my question about the security issue.

Thank you very much Twey!

Sincerely,

Bryan Dees

**bryandees** · 02-24-2006, 05:20 PM

Hi,

I found another problem using the ajaxpage menu and phpicalendar.

If I load the phpicalendar page using ajaxpage menu the $default_path var doesn't work. So, if you were to goto my page: https://zippo.homelinux.org/cgaux/ (click on events calendar), then attempt to click on any of the calendar event links they resolve to: https://zippo.homelinux.org/cgaux/#

It should look like: https://zippo.homelinux.org/cgaux/calendar/month.php#

There is a config file under phpicalendar that you can set the $default_path var. but it doesn't change anything.

Again, if you go to the calendar directly: https://zippo.homelinux.org/cgaux/calendar
The links work fine. But if you attempt to load the calendar page using ajaxpage the links are bad.

Thanks again for your help!

Bryan Dees

**Twey** · 02-24-2006, 05:28 PM

What do you have $default_path set to?

**bryandees** · 02-24-2006, 05:44 PM

$default_path = ''; // The HTTP URL to the PHP iCalendar directory, ie. http://www.example.com/phpicalendar

I tried setting it using the following:
https://zippo.homelinux.org/cgaux/calendar
https://zippo.homelinux.org/cgaux/calendar/calendars (which is where the ics calendar is stored)

Theres another setting that I tried changing which is called:
$calendar_path = ''; // Leave this blank on most installs, place your full FILE SYSTEM PATH to calendars if they are outside the phpicalendar folder.

Which I entered the full path: /var/ww/html/cgaux/calendar or /var/www/html/cgaux/calendar/calendars/

I'd post on phpicalendar.net but the calendar works fine if I dont use ajaxpage. So, i'm afraid they'll just refer me back to you folks instead.

Thanks.