Setting access to remote in a cffunction includes the application.cfm page - ajax

When I set a cffunction's access to remote--so I can call it through AJAX--the call returns the HTML I have in my Application.cfm template.
Is there any way around this, or do I have to move the HTML out of Application.cfm?

This would be considered expected behavior. I'd suggest not outputting content within your Application.cfm. Consider using custom tags for wrapping your pages or better yet switch to using Application.cfc and use custom tags.

Related

How can I access a webpage with the data filters already applied?

Using this site as example:
Whenever I change a data filter on the form input elements, that change is added to the URL with the usual field=value syntax.
However, if I copy the URL with the filters I want to another browser window, the filters aren't applied anymore, forcing me to manually set them again.
Is this intended behaviour and, if so, is there a way around it?

Block asp.net mvc Html creation in using scope

I use an HTML helper that returns an IDisposable to create a specific DIV structure that I need very often in my application. The constructor of this class creates the opening divs while the Dispose method creates the closing divs. Now I need to secure my application and I would like this structure not to be created under some condition, but I also need that every kind of HTML produced between the using and the end of its scope is also not rendered.
The first thing I did was to replace the TextWriter found in the ViewContext with a dummy:
_helper.ViewContext.Writer = new StringWriter(new StringBuilder());
It's working for each piece of code that directly uses the ViewContext Writer to render HTML but not for the others (raw HTML and other helpers).
So the question is: how can we prevent an ASP.NET view from rendering HTML within the scope of a using block?
I am afraid that currently there's no way of preventing the contents of a using block from being rendered. That was not the original intent of this block anyway. If you want to prevent something from being rendered you might consider using an if statement instead.
I have no example code for you, and this idea is pretty hackish but may work if you have a zillion of these things you need to secure and don't have time to add condition logic.
What if you used the app's Response.Filter to strip out html? Then in your constructor and dispose methods, if the user isn't authorized to see the content, output some easy to find elements that you could either regex replace or use Html Agility Pack to parse/modify the DOM before the stream is sent to the browser.

layout xml conditional of $_request params

I understand it's in theory possible to use system config to determine the layout of a page (with the ifconfig option), is it possible to do something similar with variables passed by get or post? Or a cookie value for that matter?
This is not possible in standard Magento.
Depending on your use case there are some ways:
Implement your own XML attribute, for example <action method="foo" ifrequestvar="...">. The module Aoe_LayoutConditions could give you a starting point.
Add your own layout handle, i.e. you check the condition that should be met in normal PHP code (that works if the condition, i.e. the value of your $_REQUEST var, is always the same) and then you can use this layout handle in the layout XML. You can add layout handles in an observer as shown in N98_CustomLayoutHandles.

CodeIgniter santizing POST values

I have a text area in which I am trying to add YouTube embed code and other HTML tags. $this->input->post is converting the <iframe> tags to &lt; and &gt; respectively but not the <h1> and <h2> tags.
Any idea how I can store these values?
If you only have a small number of forms that you need to allow iframes in, I would just write a function to restore the iframe (while validating that it's a valid YouTube embed code).
You can also turn off global_xss_filtering in your config (or not implement it if you're using it), but that's not the ideal solution (turning off all of your security to get one thing to work is generally a horrible idea).
$config['global_xss_filtering'] = FALSE;
To see all of the tags that get filtered out, look in the CI_Input class and search for the '$naughty' variable. You'll see a pipe-delimited list (don't change anything in this class).
Why don't you avoid CI's auto-sanitizing and use something like htmlspecialchars($_POST['var']); ? Or make a helper function for sanitizing YouTube URLs...
Or you could either just ask for the video ID code or parse the code from what you are getting.
This would let you use both the URL or the embed code.
Also, storing just the ID takes less space in your database, and you could write a helper function to output the embed code/URL.
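The "store only the video ID" approach from the answer above, worked through as an added example (not code from the original post, and written in JavaScript as a language-neutral illustration rather than as CodeIgniter PHP). It accepts a watch URL, a youtu.be short link or a pasted embed snippet, rejects anything that does not resolve to a YouTube host with an 11-character ID, and rebuilds the iframe from the stored ID only, so no user-supplied markup is ever echoed back. The function names and the sample inputs are constructed for the example.

```javascript
// Added example: extract and validate a YouTube video ID, then render the
// embed from the ID alone. Function names and samples are constructed here.

const VIDEO_ID = /^[A-Za-z0-9_-]{11}$/;

// Returns the 11-character video ID, or null if the input is not recognised.
function extractYouTubeId(input) {
  const text = String(input).trim();

  // 1. Pasted embed code: pull the src attribute out of the iframe.
  const src = text.match(/<iframe[^>]*\ssrc=["']([^"']+)["']/i);
  const candidate = src ? src[1] : text;

  // 2. Parse as a URL; a bare ID is accepted only if it matches VIDEO_ID.
  let url;
  try {
    url = new URL(candidate);
  } catch (e) {
    return VIDEO_ID.test(candidate) ? candidate : null;
  }

  // Only known YouTube hosts are accepted; any other host is rejected outright,
  // so an iframe pointing at an arbitrary site never gets stored.
  const host = url.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtube.com' || host === 'youtube-nocookie.com') {
    if (url.pathname === '/watch') {
      id = url.searchParams.get('v');
    } else {
      const m = url.pathname.match(/^\/(?:embed|v|shorts)\/([^/?]+)/);
      if (m) id = m[1];
    }
  } else if (host === 'youtu.be') {
    id = url.pathname.slice(1);
  }
  return id && VIDEO_ID.test(id) ? id : null;
}

// Renders the embed from a stored ID. The ID is re-checked against VIDEO_ID,
// so it cannot contain quotes, angle brackets or slashes.
function youtubeEmbed(id, width = 560, height = 315) {
  if (!VIDEO_ID.test(id)) throw new Error('invalid YouTube video ID');
  return `<iframe width="${width}" height="${height}" ` +
    `src="https://www.youtube-nocookie.com/embed/${id}" ` +
    `frameborder="0" allowfullscreen></iframe>`;
}

// Constructed sample inputs (not from the original post).
const sampleInputs = [
  'https://www.youtube.com/watch?v=dQw4w9WgXcQ',
  'https://youtu.be/dQw4w9WgXcQ',
  '<iframe width="560" height="315" src="https://www.youtube.com/embed/dQw4w9WgXcQ" frameborder="0" allowfullscreen></iframe>',
  '<iframe src="https://evil.example/embed/dQw4w9WgXcQ"></iframe>',
  '<img src=x onerror=alert(1)>',
];
for (const s of sampleInputs) {
  const id = extractYouTubeId(s);
  console.log(JSON.stringify(s), '->', id === null ? 'rejected' : youtubeEmbed(id));
}
```

Because the stored value is an ID rather than HTML, the XSS filter question goes away entirely: `$this->input->post` can stay enabled, the ID survives it untouched, and the iframe is generated server-side from a value that has already been validated.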
In this case, use $_POST instead of $this->input->post to get the original text area value, and then use HTML Purifier to clean the contents without losing the <iframe> tag you want.
You will need to check HTML Purifier documentation for details. Please, check this specific documentation page about "Embedding YouTube Videos".

Fetching raw CSS file contents from a browser

Is there any way to fetch the raw contents of a CSS file?
Let's imagine that I wanted to fetch any vendor-specific CSS properties from a CSS file. I would need to somehow grab the CSS contents and parse them accordingly. Or I could just use the DOM to access the rules of a CSS file.
The problem is that while using the DOM, almost all browsers (except IE8 and earlier) tend to strip out all of the custom properties that do not relate to their browser engine (WebKit strips out -moz, -o and -ms). Therefore it wouldn't be possible to fetch the CSS contents.
If I were to use AJAX to fetch the contents of the CSS file, then if that CSS file is hosted on another domain, the same-origin policy would break it and the CSS contents could not be fetched.
If one were to use a cross-domain AJAX approach then there would only be a JSONP solution, which wouldn't work since we're not parsing any JavaScript code (therefore there is no callback).
Is there any other way to fetch the contents?
If a CSS file is on the same domain as the page you're running the script on, you can just use AJAX to pull in the CSS file:
$.get("/path/to/the.css", function(data) {/* ... */});
If not, you could try using Yahoo! Pipes as a proxy and get the CSS with JSONP.
As for parsing, you can check out Sizzle to parse the selectors. You could also use the CSS grammar (posted in the CSS standards) to use a JS lex/yacc parser to parse out the document. I'll leave you to get creative with that.
Good luck!
No, you've pretty much covered it. Browsers other than IE strip out unknown rules from their object models both in the style/currentStyle objects and in the document.styleSheets interface. (It's usually IE6-7 whose CSS you want to patch up, of course.)
If you wanted to suck a stylesheet from an external domain you would need proxy-assisted AJAX. And parsing CSS from scratch would be a big nasty job, especially if you needed to replicate browser quirks. I would strenuously avoid any such thing!
JSONP is still a valid solution, though it would hurt the eyes somewhat. Basically, in addition to the callback padding, you would have to add one JSON property "padding" and pass the CSS as a value. For example, a call to a script, http://myserver.com/file2jsonp/?jsonp=myCallback&textwrapper=cssContents could return this:
myCallback({"cssContents":"body{text-decoration:blink;}\nb{text-size:10em;}"});
You'd have to text-encode all line breaks and wrap the contents of the CSS file in quotes (after encoding any existing quotes). I had to resort to doing this with a Twitter XML feed. It felt like such a horrible idea when I built it, but it did its job.
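The padded-JSONP idea from the answer above, carried through as an added example (not code from the original answers). It shows what the hypothetical file2jsonp endpoint should return, the matching client-side unwrap, and a small scanner that pulls the vendor-prefixed declarations out of the raw CSS text, which is the information the question says the CSSOM drops. Two points the answer leaves implicit are made explicit: the response is executed as script in the caller's page, so the callback name must be restricted to a plain identifier (otherwise a request such as ?jsonp=alert(1)// becomes a reflected script injection on the proxy's origin), and JSON.stringify already does the quote and line-break escaping described. The cssContents key and the myCallback name come from the answer; the function names and sample stylesheet are constructed for the example.

```javascript
// Added example (not from the original answers).
//  1. buildJsonpResponse(): the server side of the file2jsonp endpoint.
//  2. unwrapJsonp(): the client side, parsing the payload instead of eval'ing it.
//  3. vendorPrefixedDeclarations(): a minimal scanner over the raw CSS text.

// A JSONP callback is interpolated straight into executable script, so only
// a dotted identifier is allowed; anything else is refused before it is echoed.
const CALLBACK_NAME = /^[A-Za-z_$][\w$]*(?:\.[A-Za-z_$][\w$]*)*$/;

function buildJsonpResponse(callback, cssText) {
  if (!CALLBACK_NAME.test(callback)) {
    throw new Error('rejected callback name: ' + JSON.stringify(callback));
  }
  // JSON.stringify escapes ", \, newlines and control characters, and the
  // result is a valid JavaScript object literal.
  return callback + '(' + JSON.stringify({ cssContents: cssText }) + ');';
}

// Client side: check the shape and JSON.parse the payload instead of letting
// the browser execute it, so a malformed or hostile response cannot run code.
function unwrapJsonp(responseBody, callback) {
  const prefix = callback + '(';
  if (!responseBody.startsWith(prefix) || !responseBody.endsWith(');')) {
    throw new Error('unexpected JSONP shape');
  }
  return JSON.parse(responseBody.slice(prefix.length, -2));
}

// Strip comments, then walk each rule's declaration block and keep the
// declarations whose property starts with a vendor prefix. Nested blocks
// such as @media are flattened; this is a scanner, not a full CSS parser.
function vendorPrefixedDeclarations(cssText) {
  const out = [];
  const noComments = cssText.replace(/\/\*[\s\S]*?\*\//g, '');
  const rule = /([^{}]+)\{([^{}]*)\}/g;
  let m;
  while ((m = rule.exec(noComments)) !== null) {
    const selector = m[1].trim();
    for (const decl of m[2].split(';')) {
      const colon = decl.indexOf(':');
      if (colon < 0) continue;
      const property = decl.slice(0, colon).trim();
      const value = decl.slice(colon + 1).trim();
      if (/^-(webkit|moz|ms|o)-/i.test(property)) {
        out.push({ selector, property, value });
      }
    }
  }
  return out;
}

// Constructed sample stylesheet (not from the original post).
const SAMPLE_CSS = [
  '/* vendor prefixes survive only in the raw text */',
  'body { margin: 0; }',
  '.box { -webkit-border-radius: 4px; -moz-border-radius: 4px; border-radius: 4px; }',
  '.t { -ms-filter: "alpha(opacity=50)"; -o-transition: all 1s; }',
].join('\n');

// Round trip: server wraps, client unwraps, then the raw text is scanned.
const sampleResponse = buildJsonpResponse('myCallback', SAMPLE_CSS);
const sampleData = unwrapJsonp(sampleResponse, 'myCallback');
console.log(sampleResponse);
console.log(vendorPrefixedDeclarations(sampleData.cssContents));
```

The proxy should also pin the set of stylesheet URLs it is willing to fetch (an allow-list of hosts or paths), since an open file2jsonp?url=... endpoint is otherwise a general-purpose fetcher for whatever network the proxy can reach.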
