Comment blocks around JSON responses - security

I've noticed that some web applications return AJAX responses with JSON data embedded within a comment block. For example, this would be a sample response:
/*{
  "firstName": "John",
  "lastName": "Smith",
  "address": {
    "streetAddress": "21 2nd Street",
    "city": "New York",
    "state": "NY",
    "postalCode": 10021
  },
  "phoneNumbers": [
    "212 555-1234",
    "646 555-4567"
  ]
} */
What is the benefit of embedding the JSON data in a comment block? Is there some sort of security exploit which is avoided by doing this?

It's done to avoid a third-party site hijacking your data using a <script> tag and overriding the Object constructor to grab the data as it is built.
When the JSON data is surrounded by comments, it no longer is directly executable via a <script> tag, and thereby "more secure".
See the PDF at http://www.fortifysoftware.com/servlet/downloads/public/JavaScript_Hijacking.pdf for more information (with examples).
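The two halves of the comment-wrapping defense described above, as an added example that is not code from the original question or answer: the server wraps its JSON in a block comment, and the same-origin client strips the wrapper before parsing. It also covers one caveat the answer does not mention: JSON.stringify leaves "/" unescaped, so a string value containing "*/" would close the comment early and leave the tail of the payload unprotected. Helper names (wrapJson, unwrapJson, and so on) and the sample data are my own constructions.

```javascript
// Added example (not code from the original post): the two halves of the
// comment-wrapping defense described in the answer above.  The server wraps
// its JSON in a block comment so that a <script src=...> include of the URL
// executes nothing, and the same-origin client strips the wrapper before
// JSON.parse.  Helper names are hypothetical.

// Naive wrapping.  JSON.stringify does not escape "/", so a string value that
// contains "*/" closes the comment early and leaves the rest of the payload
// outside the comment, where the wrapper no longer protects it.
function wrapJsonNaive(value) {
  return '/*' + JSON.stringify(value) + '*/';
}

// Hardened wrapping: escape "/" as "\/", which JSON permits and JSON.parse
// reverses, so no "*/" can appear inside the comment body.
function wrapJson(value) {
  const body = JSON.stringify(value).replace(/\//g, '\\/');
  return '/*' + body + '*/';
}

// Number of comment terminators in the text; a correctly wrapped response
// has exactly one, at the very end.
function commentTerminatorCount(text) {
  return text.split('*/').length - 1;
}

// Client side: accept only responses that carry the wrapper, then parse the
// inside.  A response missing the wrapper is rejected rather than parsed, so
// a misconfigured endpoint is noticed instead of silently consumed.
function unwrapJson(text) {
  const t = text.trim();
  if (!t.startsWith('/*') || !t.endsWith('*/')) {
    throw new Error('expected a comment-wrapped JSON response');
  }
  return JSON.parse(t.slice(2, -2));
}

// True when the raw text is usable as JSON without unwrapping; the wrapped
// form is not, which is the property the defense relies on.
function parsesAsJson(text) {
  try { JSON.parse(text); return true; } catch (e) { return false; }
}

// Constructed sample in the shape shown in the question, plus one string
// value containing "*/" to exercise the edge case.
const SAMPLE = {
  firstName: 'John',
  lastName: 'Smith',
  address: { streetAddress: '21 2nd Street', city: 'New York', state: 'NY', postalCode: 10021 },
  phoneNumbers: ['212 555-1234', '646 555-4567'],
  note: 'ends comment early: */ (constructed)',
};

// Server wrap followed by client unwrap; returns the original value.
function roundTrip(value) {
  return unwrapJson(wrapJson(value));
}
```

With the sample above, wrapJsonNaive produces two "*/" sequences while wrapJson produces one, and unwrapJson returns the original object from the hardened form; it throws on a bare JSON body, which is the failure you want to see when an endpoint forgets the wrapper.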

Related

Expecting two different responses, accepting one?

I have a similar problem to this one: Two Different Response in Retrofit
However, both things that I've tried have not worked. I'm new to this and can't seem to find any other sources that are of use. I'm so so sorry if this is a dumb question, but I've been struggling with this for a week now.
Important information: I am coding in Jetpack Compose and using Retrofit2. To test data calls, I am using Postman.
Success Response: [ Info changed for identification purposes, it responds with actual user data ]
{
"data": {
"id": 0,
"name": "First Last",
"first_name": "First",
"last_name": "Last",
"email": "name#yup",
"is_verified": true,
"created_at": 1666202587,
"meta": {
"image": "avatarImage",
"username": "",
"rng": " ",
"date_of_birth": null,
"city": null
}
},
"token": "correct token"
}
Error Response: [screenshot in the original post, not reproduced here]
Data class: [screenshot in the original post, not reproduced here]
In my first attempt, I made two data classes and split up the different responses. However, that just led to them both being null regardless of what I input. Once I moved them to one data class, it allows the user to sign in just fine, but the error is never caught and instead just crashes my app.

Docusign does not let me add Recipients to Templates

I created a Template on the UI and uploaded a doc. I then added a Recipient from the UI and mapped a few fields in the document.
I want to create an envelope based on this template and populate some of the fields before sending for a signature. The idea is, we have a portal where a user can fill up a form and a document is sent to him for signing.
Looking at the docs here, I am supposed to send and populate it like so:
{
...
"templateId": "68a89cdc-xxxx-xxxx-xxxx-fa2ab60713e3",
"recipients": {
"signers": [
{
...
"name": "Example Name",
"email": "examplename#example.com",
"roleName": "Signer One",
}
]
...
},
...
}
This however gives me an error back:
Status: 400 INVALID_REQUEST_PARAMETER: The request contained at least one invalid parameter. 'recipients' may not be specifed when 'templateId' is set. Use 'templateRoles'.
I proceeded to use templateRoles as suggested:
{
"accountId": "301424",
"emailSubject": "API Example - Populating Data in Templates",
"templateId": "44D9E888-xxxx-xxxx-xxxx-7071BC87A0DA",
"templateRoles": [{
"email": "john.doe#email.com",
"name": "John Doe",
"roleName": "Customer",
"tabs": {
"textTabs": [{
"tabLabel": "CustomerAddress",
"value": "123 Main St. San Francisco, CA 94105"
},
{
"tabLabel": "CustomerSSN",
"value": "12-345-6789"
}]
}
}],
"status": "sent"
}
But this did not populate any of the fields with the data I supplied.
What am I missing here?
I recently came across this issue and got hold of their support team. The docs using templateId and Recipients are just basically wrong. It will always fail. I think they'll change that soon.
{
"accountId": "301424",
"emailSubject": "API Example - Populating Data in Templates",
"templateId": "44D9E888-xxxx-xxxx-xxxx-7071BC87A0DA",
"templateRoles": [{
"email": "john.doe#email.com",
"name": "John Doe",
"roleName": "Customer",
"tabs": {
"textTabs": [{
"tabLabel": "CustomerAddress",
"value": "123 Main St. San Francisco, CA 94105"
},
{
"tabLabel": "CustomerSSN",
"value": "12-345-6789"
}]
}
}],
"status": "sent"
}
I created a Template on the UI and uploaded a doc. I then added a
Recipient from the UI and mapped a few fields in the document.
Apparently, you can supply an empty Recipient name and email despite the UI showing a red asterisk on the input field, as if implying it was required.
You only need to define the role field and you're good to go. So in this example, in your template (from the UI): [screenshot in the original answer, not reproduced here]
And you should be good to go.
Your JSON looks pretty good to me.
You don't need the accountId or emailSubject attributes and I'd recommend you leave them out.
Double-check that your tabLabel values are the exact same as the UI's Data Label setting.
As a test, you could also download the template by using the API. See Templates::get.
Here's a PHP code example that sets template tab values.
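The tabLabel check recommended in the answer above, as an added example that is neither DocuSign's code nor the poster's: every tabLabel in the envelope's templateRoles must exactly match a Data Label defined on the template, and a case-only mismatch is the usual reason a value silently fails to populate. The list of template labels is a constructed stand-in for what Templates::get would return, the templateId is a placeholder, and the function name is hypothetical.

```javascript
// Added example, not DocuSign's code or the poster's.  Checks that each
// tabLabel in the envelope's templateRoles exactly matches a Data Label on
// the template.  TEMPLATE_TEXT_TAB_LABELS is a constructed stand-in for the
// labels Templates::get would report; checkTabLabels is a hypothetical name.

// Constructed: labels as defined on the template in the UI.
const TEMPLATE_TEXT_TAB_LABELS = ['CustomerAddress', 'CustomerSSN', 'CustomerName'];

// Envelope definition in the shape shown on the page.  Two of the tabs are
// constructed mistakes: one differs only in case, one is not on the template.
const ENVELOPE = {
  templateId: 'TEMPLATE-ID-PLACEHOLDER',
  templateRoles: [{
    email: 'john.doe@example.com',
    name: 'John Doe',
    roleName: 'Customer',
    tabs: {
      textTabs: [
        { tabLabel: 'CustomerAddress', value: '123 Main St. San Francisco, CA 94105' },
        { tabLabel: 'customerssn', value: 'SSN-PLACEHOLDER' },   // constructed: wrong case
        { tabLabel: 'Phone', value: '555-0100' },                // constructed: not on template
      ],
    },
  }],
  status: 'sent',
};

// Returns one finding per text tab whose label does not exactly match a
// template label.  A case-insensitive match is reported with the label the
// template actually uses, so the fix is obvious.
function checkTabLabels(envelope, templateLabels) {
  const exact = new Set(templateLabels);
  const byLower = new Map(templateLabels.map(l => [l.toLowerCase(), l]));
  const findings = [];
  for (const role of envelope.templateRoles || []) {
    const tabs = (role.tabs && role.tabs.textTabs) || [];
    for (const tab of tabs) {
      if (exact.has(tab.tabLabel)) continue;
      const near = byLower.get(tab.tabLabel.toLowerCase());
      findings.push({
        roleName: role.roleName,
        tabLabel: tab.tabLabel,
        problem: near ? `case mismatch, template has "${near}"` : 'label not defined on template',
      });
    }
  }
  return findings;
}
```

Run it before sending the envelope; an empty findings list means every supplied value has a matching label to land in. Labels are compared exactly because that is how the template matches them; the case-insensitive lookup exists only to make the diagnostic useful.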

How to delete specific object under document in DocumentDB?

I am using DocumentDB as the backend for my project.
I have created a collection named ResellerCollection.
Under it I added a document as Reseller with Ids assigned to it.
Now under the Reseller document I have added a list of Customers, and I want to delete a customer of the reseller document by a specific Id.
My JSON generated in DocumentDB is as follows.
{
"id": "73386791-5895-4a56-9108-df4a773331fe",
"Name": "Nadeem",
"PrimaryContact": "1234",
"Address": "bhusari clny",
"City": "pune",
"State": "maharashtra",
"Country": "india",
"ZipCode": "222",
"Telephone": "45234343",
"Email": "abc#xyz.com",
"Website": "asdfsd.com",
"Customer": [
{
"id": "4acf3ca9-f9e4-4117-a471-7ce8f905baec",
"FullName": "Test Cust1",
"Company": "safds",
"JobTitle": "sadf",
"Email": "abcd#xyz.com",
"Address": "asdfsaf",
"City": "sdf",
"State": "sdf",
"Country": "sadf",
"ZipCode": "2343",
"Telephone": "45234343",
"MerchantID": "232",
"IdentificationNo": "2342343",
"IsActive": true,
"CustomerGroupID": "34",
"ResellerID": "73386791-5895-4a56-9108-df4a773331fe"
},
{
"id": "e0d6d099-3d5d-4776-9b84-14b7ae0b9911",
"FullName": "Test Cust2",
"Company": "safds",
"JobTitle": "sadf",
"Email": "abcd#xyz.com",
"Address": "asdfsaf",
"City": "sdf",
"State": "sdf",
"Country": "sadf",
"ZipCode": "2343",
"Telephone": "sadf",
"MerchantID": "232",
"IdentificationNo": "2342343",
"IsActive": true,
"CustomerGroupID": "34",
"ResellerID": "73386791-5895-4a56-9108-df4a773331fe"
}
],
"UserId": "f807f027-2e21-45b1-b786-e4d2b3d677cb",
"_rid": "+JBQAOQWHQENAAAAAAAAAA==",
"_self": "dbs/+JBQAA==/colls/+JBQAOQWHQE=/docs/+JBQAOQWHQENAAAAAAAAAA==/",
"_etag": "\"0a004764-0000-0000-0000-583bd8b50000\"",
"_attachments": "attachments/",
"_ts": 1480317104
}
Please suggest how to write a delete function for a customer in MVC. Should I write a delete that removes a specific customer, or do I have to update the whole customer list?
Two ways of doing this.
Implement "AddCustomer" and "RemoveCustomer" stored procedures in DocumentDB. These stored procedures will read the reseller document, then append or remove the new customer passed in as argument. Then just call ExecuteStoredProcedureAsync within your controller.
Instead of the stored procedure approach, perform three steps within the controller. Read the document, make changes, and replace the document.
In both implementations, you'll probably want to use the ETag to perform a conditional write to avoid any clobbering across multiple clients/writers.
As Larry and David pointed out, you should also consider different JSON modeling options such as storing the customers data as separate documents, or by storing only the IDs within the array vs. all relevant customer data.
The only way to delete an element of an array (or any other change to the document) is to fetch the entire document, modify it, then create/upsert the entire document. You can do this client-side or in a stored procedure.
Try not to think of collections as tables in traditional databases or collections in MongoDB. I used to say, think of them as "partitions" but with partitioned collections, even that distinction is not useful. I use a single partitioned collection for everything now. I distinguish document types by having an element in each document: isReseller = true or isCustomer = true for your example. Alternatively, you can do type = 'Reseller' or type = 'Customer'. However, if the customer of one reseller is ever a reseller themselves, the former will allow you to add both is___ = true and the latter will not.
What David Makogon says is definitely a worry. Unless Resellers are restricted to a small number of Customers, you are better off storing them separately and having a foreign key link them. That way, deleting or adding one is a single step. However, getting the Reseller and all its Customers will be two round trips.
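The read / modify / replace approach from the answers above, with the ETag used as the conditional-write check the first answer recommends, as an added example that is not code from the question, the answers, or the DocumentDB SDK. The in-memory FakeStore is a constructed stand-in for the DocumentDB client (its replace rejects a stale ETag with 412, which is how the real service signals a failed precondition), the document is a shortened version of the one in the question, and the function names are hypothetical.

```javascript
// Added example, not code from the original question or answers.  Shows the
// read / modify / replace approach with the ETag used as a conditional-write
// check, so two clients editing the same reseller cannot silently overwrite
// each other.  FakeStore is a constructed stand-in for the DocumentDB client,
// not the real SDK; removeCustomer and withoutCustomer are hypothetical names.

// Constructed reseller document, shaped like the one in the question.
const SEED_DOC = {
  id: 'reseller-1',
  Name: 'Nadeem',
  Customer: [
    { id: 'cust-1', FullName: 'Test Cust1', ResellerID: 'reseller-1' },
    { id: 'cust-2', FullName: 'Test Cust2', ResellerID: 'reseller-1' },
  ],
  _etag: '"v1"',
};

const clone = (v) => JSON.parse(JSON.stringify(v));

// Minimal stand-in for a document store with optimistic concurrency:
// replace() succeeds only when the caller's ETag matches the stored one.
class FakeStore {
  constructor(doc) { this.doc = clone(doc); this.version = 1; }
  read(id) {
    if (this.doc.id !== id) throw new Error('not found');
    return clone(this.doc);
  }
  replace(doc, ifMatchEtag) {
    if (ifMatchEtag !== this.doc._etag) {
      return { ok: false, status: 412 };   // precondition failed: stale ETag
    }
    this.version += 1;
    this.doc = { ...clone(doc), _etag: `"v${this.version}"` };
    return { ok: true, status: 200, etag: this.doc._etag };
  }
}

// Pure step: a copy of the document without the given customer, or null
// when no customer with that id exists (so no write is needed).
function withoutCustomer(doc, customerId) {
  const existing = doc.Customer || [];
  const remaining = existing.filter(c => c.id !== customerId);
  if (remaining.length === existing.length) return null;
  return { ...doc, Customer: remaining };
}

// Controller action: read, modify, conditional replace.  On 412 another
// writer changed the document in between; re-read and retry a bounded
// number of times instead of overwriting their change.
function removeCustomer(store, resellerId, customerId, maxAttempts = 3) {
  for (let attempt = 1; attempt <= maxAttempts; attempt++) {
    const current = store.read(resellerId);
    const updated = withoutCustomer(current, customerId);
    if (updated === null) return { removed: false, attempts: attempt };
    const res = store.replace(updated, current._etag);
    if (res.ok) return { removed: true, attempts: attempt, etag: res.etag };
  }
  throw new Error('conflict persisted after ' + maxAttempts + ' attempts');
}
```

With the real client the same shape applies: read the document, build the modified copy, and pass the ETag you read in the access condition of the replace call; treat a precondition failure as "re-read and try again", never as "retry with the same stale copy".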

display computed text in JSON format

In an XPage I have several calls to collect data in JSON format from several Notes views via Java class files.
To check or visualize the data I have a "debug mode" option to display this data in computed fields.
The data is JSON but I would like to have it formatted in the computed text so it is easier to read.
Does anyone know how I can format the display so it is easier to read instead of one line of text?
e.g. from
{"locationName":"","gender":"Male","companyName":"","name":"Patrick Kwinten","docUNID":"845AB7AF45FF1260C1257E88003DACFA","notesName":"CN=Patrick Kwinten\/O=quintessens","branchName":"Quintessens Global Services","phone": ["+49 1525 161 223"],"info": ["IT Specialsit"],"sourceUNID":"","pictureURL":"http:\/\/dev1\/apps\/banking\/ServiceData.nsf\/0\/845AB7AF45FF1260C1257E88003DACFA\/$FILE\/PortalPicture.jpg","mail": ["patrickkwinten#ghotmail.com"],"reportsTo":"CN=Eva Fahlgren\/O=quintessens","job":"Managaer","departmentName":"Collaboration Services"}
to
{
"locationName": "",
"gender": "Male",
"companyName": "",
"name": "Patrick Kwinten",
"docUNID": "845AB7AF45FF1260C1257E88003DACFA",
"notesName": "CN=Patrick Kwinten\/O=quintessens",
"branchName": "Quintessens Global Services",
"phone": [
"+49 1525 161 223"
],
"info": [
"IT Specialsit"
],
"sourceUNID": "",
"pictureURL": "http:\/\/dev1\/apps\/banking\/ServiceData.nsf\/0\/845AB7AF45FF1260C1257E88003DACFA\/$FILE\/PortalPicture.jpg",
"mail": [
"patrickkwinten#ghotmail.com"
],
"reportsTo": "CN=Eva Fahlgren\/O=quintessens",
"job": "Managaer",
"departmentName": "Collaboration Services"
}
I do it in a different way. I use Google Postman to fire the request (with headers or whatever you need) and then I get the result back in Postman and can view it as "pretty" - this way I don't have to build anything like this into the application - and I also prefer to see the "raw" data and not risk changing anything on manipulating it prior to displaying it the way you suggest :-)
Really can't live without this utility once I discovered it.
/John

Instagram API returns only 4 likes data

I'm using the Instagram API to fetch images with a certain hashtag that have been liked by my organization. But when the API makes the get call, the response comes back with data like this, where the like count is 83 (!) and the actual like data returned only shows 4 (!). I've seen postings here that indicate that Instagram returns about 120 data for likes. How come I'm only getting four?
The api call I'm using is:
https://api.instagram.com/v1/tags/mytag/media/recent/?client_id=myclientID
"likes": {
"count": 83,
"data": [
{
"username": "something",
"profile_picture": "picture",
"id": "idhere",
"full_name": "namehere"
},
{
"username": "",
"profile_picture": "",
"id": "",
"full_name": ""
},
{
"username": "",
"profile_picture": "",
"id": "",
"full_name": ""
},
{
"username": "",
"profile_picture": "",
"id": "",
"full_name": ""
}
]
},
When you fetch medias from Instagram using these endpoints:
/users/<user-id>/media/recent
/tags/<tag-name>/media/recent
You wouldn't have all likes in the response; same for comments. It's just a limit set by Instagram. I think it might be really expensive to return all (or a lot of) likes/comments for each media item users fetch.
But don't worry: if you get the media you want, you will have their ids and you could use this endpoint:
/media/<media-id>/likes
And then you will have all likes (use pagination to fetch them all) and do great stuff with them.
Hope it helps you.
This could be three things:
1) A bug, but that's unlikely (ha a pun!)
2) Pagination. You need to ask for more data in another call with MIN_TAG_ID and/or MAX_TAG_ID set.
3) Privacy. Instagram users have privacy settings on their profiles. Described here. This would definitely lower the count even with pagination.