I have a page upon which a user can choose from many different paragraphs. When the link is clicked (or button), an email will open up and put all those paragraphs into the body of the email, address it, and fill in the subject. However, the text can be too long for a mailto link.
Any way around this?
We were thinking about having an SP from the SQL Server do it but the user needs a nice way of 'seeing' the email before they blast 50 executive level employees with items that shouldn't be sent...and of course there's the whole thing about doing IT for IT rather than doing software programming. 80(
When you build stuff for IT, it doesn't (some say shouldn't) have to be pretty, just functional. In other words, this isn't the dog food we make, it's just the dog food we have to eat.
We started talking about it and decided that the 'mail form' would give us exactly what we are looking for.
A very different look to let the user know that the gun is loaded and aimed.
The ability to change/add text to the email.
Send a copy to themselves or not.
Can be coded quickly.
By putting the data into a form, I was able to make the body around 1800 characters long before the form stopped working.
The code looked like this:
<form action="mailto:youremail@domain.com">
<input type="hidden" name="Subject" value="Email subject">
<input type="hidden" name="Body" value="Email body">
<input type="submit">
</form>
Edit: The best way to send emails from a web application is of course to do just that, send it directly from the web application, instead of relying on the user's mail program. As you've discovered, the protocol for sending information to that program is limited, but with a server-based solution you would of course not have those limitations.
Does the e-mail content need to be in the e-mail? Could you store the large content somewhere centrally (file-share/FTP site) then just send a link to the content?
This makes the recipient have an extra step, but you have a consistent e-mail size, so won't run into reliability problems due to unexpectedly large or excessive content.
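As an added example (not code from any of the answers above), here is how the mailto: link can be built so that the selected paragraphs are percent-encoded correctly and the page can tell when the result has outgrown a length budget and should fall back to one of the other approaches (a server-side send, or a link to centrally stored content). Recipients are validated as plain addresses so that a value containing "?bcc=" cannot smuggle extra headers into the link. The 2000-character budget is an assumption; browsers and mail clients differ, and the answer above observed the form variant failing around 1800 characters.

```javascript
// Added example, not from the original post. Builds a mailto: URL per RFC 6068
// (headers and body percent-encoded, CRLF between lines) and reports whether it
// exceeds an assumed length budget so the caller can choose another path.
const MAX_MAILTO_LENGTH = 2000; // assumed budget, not a published limit

function buildMailto(to, subject, paragraphs, maxLength = MAX_MAILTO_LENGTH) {
  // Only plain addresses are accepted; '?', '&' and '#' would let a recipient
  // value inject further mailto: parameters such as bcc= or body=.
  const addr = /^[^\s@?&#]+@[^\s@?&#]+$/;
  for (const t of to) {
    if (!addr.test(t)) throw new Error(`invalid recipient: ${t}`);
  }
  // Paragraphs chosen by the user become the body, separated by blank lines.
  const body = paragraphs.join('\r\n\r\n');
  const url =
    `mailto:${to.join(',')}` +
    `?subject=${encodeURIComponent(subject)}` +
    `&body=${encodeURIComponent(body)}`;
  return { url, length: url.length, tooLong: url.length > maxLength };
}
```

Note that percent-encoding roughly triples the size of spaces, line breaks and punctuation, so the budget has to be checked on the encoded URL, not on the raw text.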
I am trying to use VBA to automate orders in Internet Explorer. At this point, I have trouble using commands like "getElementsByClassName", "getElementById" and so on. I searched for those commands, read and tested some examples, but I still can't figure out how they work. I will state my goal and my doubts.
The HTML code:
<div class="z-row-content" id="s0GQm-cell">
<input class="form-control z-textbox" id="s0GQm" type="text" value="">
</div>
My goal: I just need the id "s0GQm" to point my orders at. However, this id is partially dynamic and changes every time I reset the window. The first 4 characters will change and only the "m" will stay. These dynamic characters repeat all over the HTML code, so if I get them from anywhere I would just need to update all the ids and everything would run fine.
Therefore, I would like to understand how these functions can be used to identify this exact dynamic code. More specifically, what do these commands do exactly? What is the ".item(0)" or length of "getElementsByClassName"?
I appreciate any help.
Dear Wordpress developers
I have been unable to find a clear answer to this question, which is inspired by this post by jared about sanitization and this article by Theme Foundation about the Theme Customizer. Particularly, here is a quote from the latter:
If the input is a 1 (indicating a checked box) then the function returns a one. If the input is anything else at all, the function returns a blank string. This prevents anything harmful from being saved to the database.
That last line about preventing harmful things from being saved to the database is something we can all agree to, I guess. But what I don't get is how you can get anything harmful from a checkbox - unless you make programming errors - since there are only two possible values?
So if sanitization in such cases is there to prevent just that, "data corruption" due to programming errors, I don't know if it is a good or a bad thing.
I think it only makes sense to sanitize data when your inputs are text or textfields - at least when protection against harmful stuff is your goal. I get that you sometimes need to format the data to make them useful, but that is a different subject.
That last line about preventing harmful things from being saved to the database is something we can all agree to
The thing is that "harmful" is very much about context. JavaScript in the database isn't harmful on its own - it is only "harmful" if output to HTML in another user's session. The upshot of it is that this type of vulnerability (XSS) is better dealt with via output encoding. That is, when the content is output to the page then it should be HTML encoded. This would make a script tag be output as &lt;script&gt; which does nothing more than actually output the literal <script> to the displayed page.
But what I don't get is how you can get harmful anything from a checkbox - unless you make programming errors - since there are only two possible values?
Not if an attacker manipulates the POSTed data. For example, if your checkbox is defined as
<input type="checkbox" name="agreeToTCs" />
this would send agreeToTCs=on to your application when checked.
An attacker could manipulate the POST request though and change this to agreeToTCs=evil. This is the equivalent of specifying
<input type="checkbox" name="agreeToTCs" value="evil" />
in the HTML and the box being checked.
Why is it recommended to sanitize Wordpress Customizer select boxes, check boxes and radio buttons?
All this boils down to is that your application should only be handling valid data. As a quick example imagine a system that lets you select a user level for a new user when creating one. Part of the system design only lets you specify a user equal to or lower than yourself. This is to prevent a low-level user from creating an admin account and then gaining full privileges. Say if you are logged in as a medium level user the HTML for the drop down may be rendered as follows:
<select name="userLevel">
<option value="low">low</option>
<option value="medium">medium</option>
</select>
and when this is POSTed to the server e.g. userLevel=medium is sent. However, an attacker may be able to manipulate the POSTed data to userLevel=admin and create themselves an admin user. "Sanitizing" the checkbox again on postback makes sure that your application is only accepting valid values.
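The two points of this answer, validate posted values against the allow-list the server itself rendered and encode at output time rather than on storage, as an added example written for this page (not WordPress code and not from the answer). The field names agreeToTCs and userLevel follow the answer; the level ordering, the rendered markup and the comment-rendering function are assumptions for illustration.

```javascript
// Added example, not from the original answer. Server-side handling of the
// checkbox and select values discussed above.
const LEVELS = ['low', 'medium', 'admin']; // assumed ordering, lowest first

// A checkbox arrives either with its one expected value or not at all.
// Anything else (agreeToTCs=evil from a tampered POST) is rejected outright.
function sanitizeCheckbox(posted, expected = 'on') {
  if (posted === undefined) return false;
  if (posted === expected) return true;
  throw new Error('invalid checkbox value');
}

// The options a user at currentLevel is allowed to see: equal or lower levels.
function allowedLevelsFor(currentLevel) {
  const idx = LEVELS.indexOf(currentLevel);
  if (idx < 0) throw new Error('unknown level');
  return LEVELS.slice(0, idx + 1);
}

// Output encoding: stored text is left intact and escaped only when written
// into HTML, so a stored <script> renders as literal text, not as a tag.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Renders the <select> from the same allow-list the postback will check.
function renderLevelSelect(currentLevel) {
  const options = allowedLevelsFor(currentLevel)
    .map(l => `<option value="${escapeHtml(l)}">${escapeHtml(l)}</option>`)
    .join('\n');
  return `<select name="userLevel">\n${options}\n</select>`;
}

// On postback the value is checked against that allow-list again, so a
// medium-level user posting userLevel=admin is refused.
function validateUserLevel(currentLevel, posted) {
  if (!allowedLevelsFor(currentLevel).includes(posted)) {
    throw new Error('level not permitted');
  }
  return posted;
}

function renderComment(stored) {
  return `<p class="comment">${escapeHtml(stored)}</p>`;
}
```

The key property is that renderLevelSelect and validateUserLevel consult the same function, so the server never trusts the browser to enforce the choice it was shown.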
For web sites that have username/password text input fields, the browser usually handily offers to remember them for you (in my case, Safari puts them in my OS X keychain).
This simply does not happen with certain web sites. The first example that comes to mind is vBulletin forums. Meaning you can't use a complex/random password unless you're willing to copy and paste it from somewhere each time.
Are browsers detecting when to offer to remember these by "does this look like a username/password" heuristics and failing sometimes?
How does this work behind the scenes?
Edit: Fellow Safari users, check out this combo:
http://8-p.info/greasekit/
http://userscripts.org/scripts/show/8021
http://userscripts.org/scripts/show/28696
There's an 'autocomplete="off"' attribute on forms (not officially in HTML4, but generally supported).
Try this:
<form id="loginForm" action="login.cgi" method="post" autocomplete="off">
You could use <FORM METHOD="post" ACTION="action.cgi" AUTOCOMPLETE="off"> but this only works in IE I think.
You could also use a random string for the password field ID so that the browser cannot be sure that a previously entered password is authenticating the same page this time round.
Another strategy would be to not use type="password" as the browser uses this to identify a field as a password - however, this is not a good idea as the password would not be blanked out when the user types it into the form. Any javascript to emulate this would not be executed if JS was disabled.
I think using the first two techniques would probably be as good a solution as is possible without resorting to advising your users to not allow the browser to store passwords.
I am considering allowing users to post to my site without having them register or provide any identifying information. If each post is sent to a db queue and I then manually screen these posts, what sort of issues might I run into? How might I handle those issues?
Screening every post would be tedious and tiresome. And prone to annoying admin spam. My suggestion would be to automate as much of screening as possible. And besides, providing any identifying information does nothing to prevent spam (a bot will just generate it).
A lot of projects implement recognition system: first the user has to post 1-2 posts that are approved, then by IP and (maybe) a cookie he's identified as a trusted poster, so his posts appear automatically (and later can be marked as spam).
Also some heuristics on the content of the post could be used (like amount of links in the post) to automatically discard potential spam posts.
The most obvious issue is that you'll get overwhelmed by the number of submissions to screen, if your site is sufficiently popular.
I would make sure to add some admin tools, so you can automatically kill all posts from a particular IP address, or that match a particular regex. That should help get rid of obvious spam faster, but again, you'd have to be behind the wheel for all of that.
Tedium seems to be the greatest concern – screening posts manually is effective against spam (I'm assuming this is what you want to weed out) but very boring.
It could be best fixed with a cup of coffee and nice music to listen to while weeding?
I've found that asking for the answer to a simple question sent to the browser as an image (like "2 + 3 - 4 =", a variant of a 'captcha' but not so annoying), with a wee bit of Javascript does quite well.
Send your form with the image and answer field, and a hidden field with a "challenge" (some randomly generated string). When the user submits the form, hash the challenge and the answer, and send the result back to the server. The server can check for a valid answer before adding it to the database for review.
It seems like a lot of work up front, but it will save hours of review time. Using jQuery:
<script type="text/javascript">
// Mask the answer before it leaves the browser: md5(md5(answer) + challenge).
// Needs a hex_md5() implementation loaded on the page.
function answerMask()
{
var a = $('#a').val();
var c = $('#c').val();
var h = hex_md5(hex_md5(a) + c);
$('#a').val(h);
}
</script>
<form onsubmit="answerMask()" action="/cgi-bin/comment.py" method="POST">
<table>
<tr><td>Comment</td><td><input type="text" name="comment" /></td></tr>
<tr><td># put image here #</td><td><input id="a" type="text" name="a" size="30" /></td></tr>
<tr><td><input id="c" type="hidden" value="ddd8c315d759a74c75421055a16f6c52" name="c" /></td><td><input type="submit" value=" Go "></td></tr>
</table>
</form>
Edit update...
I saw this technique on a web site, I'm not sure which one, so this idea isn't mine but you might find it useful.
Provide a form with a challenge field and a comment field. Prefix the challenge with "Pick the third word from: glark snerm hork morf" so the words, and which one to pick, are easy to generate on the server and easy to validate when the form contents come back.
The point is to make the user do something, apply a few brain cells, and more work than it's worth for a script kiddie.
posts that attempt to look legit but aren't
the sheer volume
These are the issues that I see on my blog.
The website is almost entirely d/x/html, and is hosted on a linux/apache server.
While I'm not opposed to using a database, I've been told that I can implement a solution that parses through the html documents and returns my search results without mucking about too much with asp/php/cgi (which I am most certainly a novice in).
Is this possible? Is there a better way? Should I look to a specific third party application?
THANKS!!!
Instead of paying for search appliances, you can also pay Google to have it crawl your site and present customized search results. It's inexpensive and Google does a good job indexing everything (including PDFs). If I remember correctly its ad-supported version is free (i.e. you pay to remove the ads)
There are "spiders" that will crawl your site and generate some form of search index. How reliable these are and how well they perform I really can't say. We recently purchased two Google search appliances here at work and use one for our intranet and one for our external web. They do a very nice job of indexing exactly the content you want as well as setting up specialized "search zones" and even keyword mapping.
I highly recommend them: http://www.google.com/enterprise/mini/
Nicholas
The google search is the easiest route. The only thing I would suggest is that you add a google sitemap to your site. That way you can notify google of updates or new pages to make sure the search listing is as up-to-date as possible.
If you can write some code in your favorite programming language you can also have a look at Apache Solr (url). The concept is simple: you get a separate search server, already implemented and running as a separate program. You put in documents by posting (HTTP POST) them to the search server. You make searches by issuing a GET request and getting back an XML file with the search results.
What you have to write is the code to send the files to the search server (only some lines of code) and the parsing of the XML search results (can be done easily with XSLT).
I don't know how many documents you are talking about but this solution scales very well; I currently use it with 2.5 million pages in the index and get results in under 50 ms.
Add a link to Google that only returns results for your domain (with a site: delimiter). I don't know how to do this but it shouldn't be hard
Thanks all! I'm currently looking into a google custom search engine. The search bars with logos are cumbersome, but if all google wants for the legwork on this is a watermarked search bar and a couple ads served, then that's the solution for me!
Here's how I did the search on my blog (using Google)... don't remember where I got this template from originally but from the comments I guess it originally came from javascriptkit.com. :)
<script type="text/javascript">
// Google Internal Site Search script- By JavaScriptKit.com(http://www.javascriptkit.com)
// For this and over 400+ free scripts, visit JavaScript Kit-http://www.javascriptkit.com/
// This notice must stay intact for use
//Enter domain of site to search.
var domainroot="ericasberry.com"
function Gsitesearch(curobj)
{
curobj.q.value="site:"+domainroot+" "+curobj.qfront.value
}
</script>
<form action="http://www.google.com/search" method="get"
onSubmit="Gsitesearch(this)">
<p>Search ericasberry.com:<br />
<input name="q" type="hidden" />
<input name="qfront" type="text" style="width: 180px" />
<input type="submit" value="Search" /></p>
</form>
Google Ajax Search API