Mediawiki: Pages with & and + in Name not working - mod-rewrite

I discovered a bug in my mediawiki.
When I try to open a page with a + or a & in the name, it ends up in a "The site can't be reached" error. In the logs I can see that I get a high number of HTTP 301 codes when reaching such a page. It also translates the characters:
+ into %2B
& into %26
But it does seem like it's not getting translated back? I'm also not using any mod_rewrite code, well at least none that I know of.
https://www.mediawiki.org/wiki/Manual%3aShort_URL#URL_like_-_example.com.2FPage_title
This describes my problem (under Troubleshooting), but / works fine. But as I mentioned, I don't use any URL rewriting.
I would appreciate some help, thanks :)
Edit: I've just tested some more characters that are legal for page titles; it seems like = isn't working either.
It's translated from = into %3D

Related

Trying to set a copy to clipboard link in blogger blog1 widget

I'm trying to configure a copy-link-to-clipboard on my home page in Blogger for each different article (data:post.url), at the end of the other links to social sites, but I've had no luck with the syntax.
This is what I would like to obtain:
<a href='javascript:getlink("https://www.venalacocina.com");'>
And this is the code I'm trying to write to obtain that result:
<a class='copi' expr:href='"javascript:getlink(\""+ data:post.url + "\");' id='btnCopiar'>
I'm lost with the appropriate use of " and "; how many and where should I use them to set the correct code?
Would someone give me the correct code, correctly written?
Thanks a lot in advance.
In the end I did it; it was just a question of time.
I just changed and simplified the expression, calling the getlink() function directly, and this is the result, working perfectly for me:
<a class='copi' expr:onclick='"getlink(&apos;"+ data:post.url + "&apos;);"' id='btnCopiar'>

Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) (CWE ID 80)

My project client wants the whole application to be Veracode compliant. After submitting it for a Veracode static scan, we found 326 flaws that need to be fixed as part of the cross-site scripting errors.
The application that was scanned is built using ASP Classic (VBScript).
Some of the lines reported are:
<td <%=feltfarve%> nowrap><%=tabeltekst_start%><%=rsDBox("filnavn")%><%=tabeltekst_slut%></td>
<a onmouseover="EnterContent('ToolTip','<%=f(33)%>','<% if sagerRS("dkrerefnr") <> "" then Response.Write (replace(f(34),"%1", sagerRS("dkrerefnr"))) else Response.Write(replace(f(34),"%1", f(35))) end if%>'); Activate();" onmouseout="deActivate()" href="javascript:void(0)"><img src="/secure/images/rolloverknap/gray_e.gif" border="0" WIDTH="12" HEIGHT="12"></a>
Response.Write " <a onmouseover=""EnterContent('ToolTip','"& f(36) &"','" & kretxt & "'); Activate();"" onmouseout=""deActivate()"" href=""javascript:void(0)""><img src=""/secure/images/rolloverknap/gray_i.gif"" border=""0"" WIDTH=""12"" HEIGHT=""12""></a> "
What type of fix can be applied to solve these cross-site scripting flaws?
Looking at your code there are several variables that could create problems. I'm not exactly sure how Veracode checks for problems, but if any of these variables come from a user supplied value, they pose a risk.
First the basics: if you allow > and < in any variable, especially combined with allowing " and ', everything is a threat. They can insert pretty much anything.
In your case allowing " and ' is enough to create problems, because a lot of variables are already inserted inside JavaScript code like onmouseover and onmouseout.
Besides that, feltfarve could always cause a problem, even if you don't allow these characters.
feltfarve in <td <%=feltfarve%> nowrap> is inside a tag without quotes or anything. If somebody could modify the value to onmouseover=doBadStuff() you're in trouble. If they combine it with style they could even make it full screen, so almost anybody would hover over it.
Keep in mind that if you directly insert values from your database, which is what <%=rsDBox("filid")%> is doing I think, then you must be 100% sure that you properly check them on insert.
Since DB best practice is to insert data as provided (not encoded), you should always check these values before you put them in your HTML.
I think we should use Server.HTMLEncode to fix XSS (cross site scripting) threat.
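The answers above name three different output contexts in the reported lines: HTML text, a JavaScript string literal inside an event-handler attribute, and an unquoted position inside the <td> tag. The following is an added example, written for this page in JavaScript rather than the VBScript of the scanned application, showing the encoding rule each context needs. escapeHtml plays the role of Server.HTMLEncode (it additionally encodes the apostrophe, which matters for single-quoted attributes); the CELL_STYLES keys and values are constructed placeholders for whatever feltfarve normally holds, and renderCell and renderTooltipLink are hypothetical names.

```javascript
// Added example (not from the question or the Veracode report): context-aware output
// encoding for the two patterns quoted in the question. CELL_STYLES is constructed.

const HTML_ESCAPES = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };

// HTML text / quoted-attribute context. Same idea as Server.HTMLEncode, but the
// apostrophe is encoded too, so the value is safe in single-quoted attributes as well.
function escapeHtml(value) {
  return String(value).replace(/[&<>"']/g, (c) => HTML_ESCAPES[c]);
}

// JavaScript string-literal context (the arguments of EnterContent(...)): every character
// that could end the literal, the attribute, or the enclosing tag becomes a \uXXXX escape.
function escapeJsString(value) {
  return String(value).replace(/[\\'"<>&\r\n\u2028\u2029]/g,
    (c) => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// feltfarve sits unquoted inside the <td> tag, so no encoding can make arbitrary input
// safe there. The value must instead be chosen from a fixed set the template controls.
const CELL_STYLES = {
  normal: '',
  marked: 'bgcolor="#ffffcc"',
  error: 'bgcolor="#ffcccc"',
};

function renderCell(styleKey, filnavn) {
  if (!Object.prototype.hasOwnProperty.call(CELL_STYLES, styleKey)) {
    throw new Error('unknown cell style: ' + styleKey);
  }
  const attrs = [CELL_STYLES[styleKey], 'nowrap'].filter(Boolean).join(' ');
  return '<td ' + attrs + '>' + escapeHtml(filnavn) + '</td>';
}

// The tooltip link: values pass through JS-literal and then HTML-attribute decoding, in
// that order on the way back (the browser HTML-decodes the attribute, then parses the
// result as JavaScript), so escape JS first and HTML second.
function renderTooltipLink(title, text) {
  const js = "EnterContent('ToolTip','" + escapeJsString(title) + "','" +
    escapeJsString(text) + "'); Activate();";
  return '<a onmouseover="' + escapeHtml(js) + '" onmouseout="deActivate()" href="javascript:void(0)">' +
    '<img src="/secure/images/rolloverknap/gray_e.gif" border="0" width="12" height="12"></a>';
}
```

The allowlist for feltfarve is the important part: an unquoted attribute position has no delimiter to encode against, so validation against known values is the only fix that holds there.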

Google Suggest API : make a query with a prefix

I am playing with http://suggestqueries.google.com/complete/search to make some google suggest queries.
It works fine with "mykeyword" & "mykeyword a" or "mykeyword b". I got good results.
But I would like to make some queries with a prefix, e.g. "a mykeyword", in order to get some suggestions that start with "a" and contain "mykeyword". It works on the Google page but not via the API.
Any suggestions?
To separate words use %20 or + between them. For "a mykeyword":
http://suggestqueries.google.com/complete/search?output=toolbar&hl=en&q=a%20mykeyword
or
http://suggestqueries.google.com/complete/search?output=toolbar&hl=en&q=a+mykeyword
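Both the answer just above and the MediaWiki question at the top of this page come down to the same URL rule: inside a query string a space is written as + or %20, a literal + must be %2B, and & and = must be %26 and %3D because they otherwise delimit parameters, while in a path segment + stays a plain character. The following added example, not code from either post, shows that with Node's built-in WHATWG URL class; the host wiki.example and the /wiki/ and /index.php paths are constructed, and the function names are hypothetical.

```javascript
// Added example (not from either post): how '+', '&' and '=' behave in a query string
// versus a path segment. Only Node's built-in URL / URLSearchParams are used.

// Build the suggest URL; URLSearchParams applies the application/x-www-form-urlencoded
// rules: space -> '+', '+' -> '%2B', '&' -> '%26', '=' -> '%3D'.
function buildSuggestUrl(query) {
  const u = new URL('http://suggestqueries.google.com/complete/search');
  u.searchParams.set('output', 'toolbar');
  u.searchParams.set('hl', 'en');
  u.searchParams.set('q', query);
  return u.toString();
}

// Same query with '%20' for the space: encodeURIComponent uses %20 and also encodes
// '+', '&' and '=', so nothing is left that a query-string parser would misread.
function buildSuggestUrlPercent(query) {
  return 'http://suggestqueries.google.com/complete/search?output=toolbar&hl=en&q=' +
    encodeURIComponent(query);
}

// Read a wiki title passed as ?title=...: '+' means space here and a raw '&' starts a
// new parameter, so only the percent-encoded form round-trips unchanged.
function titleFromQuery(urlString) {
  return new URL(urlString).searchParams.get('title');
}

// Read a title from the /wiki/<title> path (constructed layout): no form decoding applies,
// so '+' stays a literal plus and only %XX escapes are decoded.
function titleFromPath(urlString) {
  const path = new URL(urlString).pathname;
  return decodeURIComponent(path.replace(/^\/wiki\//, ''));
}

// Encode a title for the path form: '+', '&', '=', '?' and '/' all become %XX.
function encodeTitleForPath(title) {
  return '/wiki/' + encodeURIComponent(title);
}
```

The MediaWiki symptom in the first question (the %2B / %26 / %3D forms appearing in the log, then a redirect loop) is about what the server does with the decoded title afterwards; this block only shows the encoding mechanics that make those escapes necessary.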

intelligencia.urlrewriter: bad request error

I want to implement URL rewriting with intelligencia.urlrewriter. The problem is when the clean URL contains special characters such as % : * & and more. In this case I get a bad request, because the cleaned URL does not contain a ? sign. I work with .NET 3.5.
Is there a solution for this problem?
Thanks, friends.

How to use wild cards in FT search

I have the following:
tmpArray[cTerms++] = "[sclenka] CONTAINS \"*" + sessionScope.sclenka +"*\"";
(With the help of Per Henrik Lausten)
Which should result in: "*term*"
But it doesn't, I get this instead: "term"
So, my question is how do I use wildcard full text search?
Thank you!
If you want to use a wildcard search, then generate the following query string:
tmpArray[cTerms++] = "[sclenka] = \"*" + sessionScope.sclenka +"*\"";
This should generate a search on "*search query*".
In general, this is a good way of performing a search, since the user probably expects your search to work like that.
Source: http://www-10.lotus.com/ldd/ddwiki.nsf/dx/Searching_for_Documents#Full-text+Search
If your string is correct and you are getting no results, then test the same string in the Notes client FTI search.
You can also use the following debug on the server.
DEBUG_FTV_SEARCH=1
Then check the output on the domino console when you do a search.
So if I understand you, the result is an escaped form of the search term in which the asterisks have been removed?
Could you use the construct:
tmpArray[cTerms++] = "[sclenka] CONTAINS \"" + String.fromCharCode(42) + sessionScope.sclenka + String.fromCharCode(42) + "\"";
At least that should avoid escaping?
I think you have missed a bit of escaping characters in the String you are generating.
tmpArray[cTerms++] = "[sclenka] CONTAINS \"" + sessionScope.sclenka +"\"";
leyrer, is it possible -- just possible -- that you're doing this in a browser and your session is not authenticated? If so, you may be searching the database as "anonymous" where when you test from the browser you're searching as "leyrer".
It's just a thought - but I used to see that all the time when people would start using my NCT Search tools. They'd swear they were getting no results, and when I'd dig I'd always find that they were using the browser as anonymous rather than as a logged in session.
#GKIDD
I just tested this on my own site. I have NCTSearch set up. It accepts the search term from the web and runs database.ftsearch() as part of its job from within LotusScript.
I searched on "data*" and got at least as many results as when I searched on "database".
Based on that, I think something else is going on.
From my earlier comment on the other answer, try this: create another agent that does JUST the search. Have it grab the search term from the agent context as if it were a docid. Call the agent from the first agent using "agent.runonserver(searchterm)" and see if you can fool it.
Andrew, I'm getting the results with Anonymous user, but not with the wildcard. Here goo.gl/YVtXm on the first line, it says that CONTAINS or contains or = does not work when searching from the web.
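The thread's code builds the Domino full-text query by string concatenation, and one of the comments suggests the asterisks are being lost somewhere. The following added example, not code from the thread, does the same concatenation in plain JavaScript in one function, keeps the user value inside the quoted phrase, and checks that the two spellings posted above (a literal * and String.fromCharCode(42)) produce identical strings. The operator syntax ([field] CONTAINS "term", [field] = "term") is the one used in the question and the first answer; the rule of stripping double quotes and backslashes from the term is an assumption made here, not documented Domino behaviour, and buildFtQuery and pageFormsAgree are hypothetical names.

```javascript
// Added example (not from the thread): a small builder for the [field] CONTAINS "*term*"
// query string from the question, with the user value kept inside the quoted phrase.

const OPERATORS = new Set(['CONTAINS', '=']);

function buildFtQuery(field, term, { operator = 'CONTAINS', wildcard = true } = {}) {
  // Field names are template-controlled; reject anything that does not look like one.
  if (!/^[A-Za-z][A-Za-z0-9_]*$/.test(field)) throw new Error('unexpected field name: ' + field);
  if (!OPERATORS.has(operator)) throw new Error('unexpected operator: ' + operator);
  // Assumption: drop double quotes and backslashes rather than trying to escape them,
  // so the user-supplied value cannot end the quoted phrase and add its own operators.
  const cleaned = String(term).replace(/["\\]/g, '').trim();
  if (cleaned === '') throw new Error('empty search term');
  const phrase = wildcard ? '*' + cleaned + '*' : cleaned;
  return '[' + field + '] ' + operator + ' "' + phrase + '"';
}

// The two spellings from the thread yield the same string, so a missing asterisk is not
// introduced by the concatenation itself but by whatever consumes the query afterwards.
function pageFormsAgree(term) {
  const literal = "[sclenka] CONTAINS \"*" + term + "*\"";
  const viaCharCode = "[sclenka] CONTAINS \"" + String.fromCharCode(42) + term +
    String.fromCharCode(42) + "\"";
  return literal === viaCharCode;
}
```

Logging the return value of buildFtQuery next to the DEBUG_FTV_SEARCH=1 console output mentioned in the first answer shows directly whether the asterisks survive up to the point the query is handed to the search engine.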