Rendering iframe with dynamic link using jade - node.js

I have a .jade view that contains this:
iframe(width='800', height='166', scrolling='no', frameborder='no', src= srcStr)
And I try to render it using an input source url from the user by doing this:
var string = req.body.code;
res.render('embedview', { srcStr: string});
Now, the rendered page will just show an iframe without any content, even though the iframe code looks correct (with a src="..." attribute) when I view its source. Almost seems like it first loads the iframe with src="" and then pastes the source url in without reloading.

It is not an issue with your jade markup or the HTML markup generated. I got your snippet to work fine for me once I provided a url to a page that supports being iframed from a different domain.
www.google.com, for example, does not support this. You can see the X-Frame-Options header in the response below to curl -v http://www.google.com:
< HTTP/1.1 200 OK
< Date: Wed, 22 Aug 2012 22:21:45 GMT
< Expires: -1
< Cache-Control: private, max-age=0
< Content-Type: text/html; charset=ISO-8859-1
...
< X-XSS-Protection: 1; mode=block
< X-Frame-Options: SAMEORIGIN
< Transfer-Encoding: chunked
You can turn this option off if you control the code for the page being served.
This is a security measure to prevent clickjacking. You can read more about it here:
https://developer.mozilla.org/en-US/docs/The_X-FRAME-OPTIONS_response_header
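To make the answer's point checkable rather than something you find out by staring at an empty iframe, here is an added example (not code from the question's project or from the answer) that takes a target page's response headers and decides whether a browser would let it render inside an iframe on your page. It implements the X-Frame-Options values DENY and SAMEORIGIN quoted above, and also the CSP frame-ancestors directive, which browsers honour in preference to X-Frame-Options when both are present. The host names and the CSP policy in the sample calls are constructed; the simplification that a scheme-less host-source matches any scheme is noted in the code.

```javascript
// Added example: decide from response headers whether targetUrl may be framed
// by a page at embedderUrl. Not part of the original question or answer.

// Case-insensitive header lookup on a plain { name: value } object.
function getHeader(headers, name) {
  const key = Object.keys(headers).find((k) => k.toLowerCase() === name);
  return key === undefined ? undefined : headers[key];
}

// Extract the frame-ancestors source list from a CSP header, or null if the
// directive is absent (then X-Frame-Options applies).
function parseFrameAncestors(csp) {
  if (!csp) return null;
  for (const directive of csp.split(';')) {
    const tokens = directive.trim().split(/\s+/);
    if (tokens[0].toLowerCase() === 'frame-ancestors') return tokens.slice(1);
  }
  return null;
}

// Does one CSP source expression match the embedding page's origin?
// Simplification: a host-source written without a scheme matches any scheme.
function sourceMatches(source, embedderOrigin, targetOrigin) {
  const src = source.toLowerCase();
  if (src === "'none'") return false;
  if (src === "'self'") return embedderOrigin === targetOrigin;
  if (src === '*') return true;
  const e = new URL(embedderOrigin);
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return e.protocol === src; // scheme-source, e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^:/]+)(?::(\d+|\*))?$/.exec(src);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && `${scheme}:` !== e.protocol) return false;
  // "*.example.com" matches subdomains only, never example.com itself.
  const hostOk = host.startsWith('*.') ? e.hostname.endsWith(host.slice(1)) : e.hostname === host;
  if (!hostOk) return false;
  if (port && port !== '*') {
    const ePort = e.port || (e.protocol === 'https:' ? '443' : '80');
    if (port !== ePort) return false;
  }
  return true;
}

// Returns { allowed, reason } for framing targetUrl from embedderUrl.
function canBeFramed(headers, targetUrl, embedderUrl) {
  const target = new URL(targetUrl).origin;
  const embedder = new URL(embedderUrl).origin;

  // CSP frame-ancestors, when present, overrides X-Frame-Options.
  const ancestors = parseFrameAncestors(getHeader(headers, 'content-security-policy'));
  if (ancestors) {
    const allowed = ancestors.some((s) => sourceMatches(s, embedder, target));
    return { allowed, reason: `CSP frame-ancestors ${ancestors.join(' ')}` };
  }

  const xfo = (getHeader(headers, 'x-frame-options') || '').trim().toUpperCase();
  if (xfo === 'DENY') return { allowed: false, reason: 'X-Frame-Options: DENY' };
  if (xfo === 'SAMEORIGIN') {
    return { allowed: embedder === target, reason: 'X-Frame-Options: SAMEORIGIN' };
  }
  // No header, or a value current browsers do not recognise and therefore ignore
  // (the obsolete ALLOW-FROM falls through here too).
  return {
    allowed: true,
    reason: xfo ? `unrecognised X-Frame-Options "${xfo}"` : 'no framing restriction',
  };
}

// The header quoted in the answer: google.com refuses to be framed by the app.
const googleHeaders = { 'X-Frame-Options': 'SAMEORIGIN' };
console.log(canBeFramed(googleHeaders, 'http://www.google.com/', 'http://localhost:3000/embedview'));
// Constructed CSP case: only the site itself and its partner's https subdomains may frame it.
const cspHeaders = {
  'Content-Security-Policy': "default-src 'self'; frame-ancestors 'self' https://*.partner.example",
};
console.log(canBeFramed(cspHeaders, 'https://widget.example/', 'https://app.partner.example/'));
```

Run the target URL the user submits through a check like this on the server before rendering the view, and you can show a useful error instead of a blank frame; the `reason` string tells you which header blocked it.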

Related

PHPMailer to send MIME message

I cannot seem to find any docs indicating that this is possible, is there a way to send a MIME formatted message using PHPMailer?
I'm not using $mail->setFrom, $mail->Subject, $mail->Body etc. because the content I have is already in mime format ie. a block of text similar to below
From: Some One <someone#example.com>
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="XXXXboundary text"
Subject: This is a test
This is a multipart message in MIME format.
--XXXXboundary text
Content-Type: text/plain
this is the body text
--XXXXboundary text
Content-Type: text/plain;
Content-Disposition: attachment;
filename="test.txt"
this is the attachment text
--XXXXboundary text--
Out of the box, no. It might be possible if you wrote a new client class that made use of the low-level SMTP class, but this is really not PHPMailer's purpose and it won't do this in its current form. You might be better off using Symfony's or Laminas' email components.

Fortify Cross Site Scripting in File

I have the below code in the controller.
The parameters base64String and fileName are sent from the browser.
var fileContent = Convert.FromBase64String(base64String);
return File(fileContent, contentType, fileName);
How do I address the XSS threat here?
The above code is based on a fix recommended here
Kendo UI Grid Export to Excel / PDF not working on IE9
I'm assuming you are not returning HTML to your users (you are returning PDFs or Excel files, or something else for download by the browser instead of for render).
The general guidelines are as follows:
Set the correct Content-Type header.
Set the following response header: X-Content-Type-Options: nosniff. Browsers such as Internet Explorer will try to auto-detect the content type and ignore the one you've just set.
Set the Content-Disposition header so the browser downloads the file rather than displaying it: Content-Disposition: attachment; filename="bar.pdf"
Following the above should ensure that any script code contained in the file is not executed by your browser. Be aware that IE (again!) can sometimes process script in XML files, so you should test for this.

How to compress html pages using SetOutputFilter DEFLATE

I am not able to get compressed html pages in my browser even though I am 100% sure mod_deflate is activated on my server.
My htaccess file has this code snippet:
<IfModule mod_deflate.c>
<Files *.html>
SetOutputFilter DEFLATE
</Files>
</IfModule>
A non-compressed excerpt of my content is:
<div>
<div>
Content
</div>
</div>
With the htaccess code I am using, I would expect to get the output below in my browser (no space and no tabs at the beginning of each line):
<div>
<div>
Content
</div>
</div>
Is there something wrong with the code I am using in the htaccess file?
Is keeping all tabs in front of each html line after compression the normal behavior of mod_deflate?
If so, would you recommend that I switch tabs with spaces in my html code to get the desired effect?
Thanks for your insights on this
For the Deflate output filter to compress the content:
Your content should be at least 120 bytes; compressing fewer bytes increases the output size.
The HTTP client making the request should support gzip/deflate encoding.
Most modern web browsers support gzip encoding and automatically decompress the gzipped content for you. So what you are seeing using a web browser's View Page Source option is not the compressed content. To verify whether your browser received compressed content, hit the F12 key, select the Network tab and your requested page. If the response header has Content-Encoding: gzip, you can be sure the compression worked.
In Firefox, you can remove support for gzip,deflate by going to about:config and emptying the value for network.http.accept-encoding. Now with no support for gzip, Firefox will receive uncompressed content from your Apache server.
Alternatively, if you want to see the compressed content, you can use a client that does not automatically decompress the contents for you (unless you use --compressed option).
You can use curl for this:
curl -H "Accept-Encoding: gzip,deflate" http://example.com/page.html > page.gz

Clearing site cache after a site content update

I've just rolled out a major update to my work site.
Some of the resources are still being called from cached versions, such as the style sheets and javascript files. Some visitors to the site will still see the old resources.
Is there an .htaccess command to force all assets to re-cache from a set date?
What I do instead of messing with my .htaccess rules every time I do an update is append the names of the style and JS files I changed with a random number or the date/time I changed them.
That way the browser sees it as a new file, loads it and caches the new version.
For example in your tag, add a version query string.
style.css?version=3.2 or use a hash style.css?version=V6CbUlTe7M94ol8
This can be done with your JS files too. Much easier and better to do than messing with your Apache config. Anytime you make an update just change the version and it will be re-cached for all.
FYI, StackOverflow uses the same technique. Look at the source code
for this page.
<link rel="stylesheet" type="text/css" href="//cdn.sstatic.net/stackoverflow/all.css?v=dc5a5d7ef830">
I found a solution
# Match these extensions at the end of the file name (the closing quote is required).
<FilesMatch "\.(html|htm|js|css|php)$">
FileETag None
Header unset ETag
Header set Cache-Control "max-age=0, no-cache, no-store, must-revalidate"
Header set Pragma "no-cache"
Header set Expires "Wed, 11 Jan 1984 05:00:00 GMT"
</FilesMatch>

Stop IE8 from opening or downloading a text/plain MIME type

I'm dynamically generating a text file in PHP, so it has a .php extension but a text/plain MIME type. All browsers display the file as nicely preformatted text, except IE8.
Googling tells me that they've added security where if the HTTP header content type doesn't match the expected content type (I think based on the extension and some sniffing) then it forces the file to be downloaded. In my case I have to open it, and also give it permission to open the file I just told it to open! That's probably a Win7 annoyance though. Serving a static plain text file works fine, of course.
So can I stop IE8 from downloading the file and get it to view it normally? The code has to run on multiple shared hosting environments, so I think I'm stuck with the .php extension.
Add this to your HTTP header:
X-Content-Type-Options: nosniff
It's an IE8 feature to opt-out of its MIME-sniffing.
Source
Alternatively, you can "trick" IE8 into thinking that it is indeed serving up a text file. These 2 lines do it for me and don't involve using non-standardized "X-" headers:
Header("Content-Type: text/plain");
Header("Content-Disposition: inline; filename=\"whatever.txt\"");
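The Fortify thread above and this IE8 thread are two sides of the same header recipe: an exact Content-Type, X-Content-Type-Options: nosniff so the browser does not second-guess it, and a Content-Disposition that says either `attachment` (download) or `inline` (display). The following is an added example in Node, not code from either thread, from ASP.NET MVC or from PHP, that builds those headers for both cases. Because the Fortify thread's fileName comes from the browser, the example also reduces it to a single safe path component before it goes inside a header; the `safeFilename`, `fileResponseHeaders` and `downloadFromBase64` names and all sample inputs are constructed here.

```javascript
// Added example: response headers for a file served for download or inline
// display, following the two answers above. Not the original code of either thread.

// Reduce a user-supplied name to one safe path component for a header value.
function safeFilename(name) {
  const base = String(name).split(/[\\/]/).pop(); // drop any directory part
  // Control characters (CR/LF would start a new header line), a double quote
  // (would close the quoted-string) and backslash are replaced.
  const cleaned = base.replace(/[\x00-\x1f\x7f"\\]/g, '_').trim() || 'download';
  const ascii = cleaned.replace(/[^\x20-\x7e]/g, '_'); // fallback for filename=
  return { cleaned, ascii };
}

// inline: false -> "Content-Disposition: attachment" (the Fortify thread);
// inline: true  -> "Content-Disposition: inline"     (the IE8 thread).
function fileResponseHeaders(contentType, fileName, { inline = false } = {}) {
  const { cleaned, ascii } = safeFilename(fileName);
  let disposition = `${inline ? 'inline' : 'attachment'}; filename="${ascii}"`;
  // RFC 6266 / RFC 5987: a non-ASCII name travels in filename*= next to the fallback.
  if (cleaned !== ascii) disposition += `; filename*=UTF-8''${encodeURIComponent(cleaned)}`;
  return {
    'Content-Type': contentType,
    'X-Content-Type-Options': 'nosniff',
    'Content-Disposition': disposition,
  };
}

// The Fortify thread's handler shape: decode the base64 the browser posted and
// return it as an attachment, as { headers, body } ready for res.writeHead/res.end.
function downloadFromBase64(base64String, contentType, fileName) {
  return {
    headers: fileResponseHeaders(contentType, fileName),
    body: Buffer.from(base64String, 'base64'),
  };
}

// Constructed samples: a PDF download, the IE8 thread's inline text file, and a
// malformed file name containing a quote and a line break.
console.log(fileResponseHeaders('application/pdf', 'bar.pdf'));
console.log(fileResponseHeaders('text/plain', 'whatever.txt', { inline: true }));
console.log(downloadFromBase64(Buffer.from('<a>x</a>').toString('base64'), 'application/xml', 'report.xml"\r\nX-Test: 1').headers);
```

With `nosniff` in place the browser treats the body as exactly the declared type, which is what keeps script-looking content in a downloaded file from ever being interpreted as HTML; the answer's IE-and-XML caveat is why the sample above uses `application/xml` for the download case, so you can test that combination in your own environment.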
