Search Results

Search found 29619 results on 1185 pages for 'external script'.

Page 64/1185 | < Previous Page | 60 61 62 63 64 65 66 67 68 69 70 71  | Next Page >

  • perl: Run remote perl script through SSH and query environment variables on remote machine

    - by kakyo
    I'm running a perl script through SSH, in the perl script I query environment variables using $ENV{MY_VAR_NAME} and it works fine when run locally. But through SSH, all environment variables become unset. I also tried to run system("source ~/.bash_profile"); at the beginning of my script to no avail. Any tips? EDIT: Rephrasing my question. I have machine A and B. I ran my perl on machine B, trying to get the environment variables on B and it worked. Then I ssh from A to B running the same script, i.e., using this code ssh user@B perl myscript.pl This time the environment variables on B are all blank. Any tips? UPDATE: I found that running the above script, ~/.bashrc on Machine B was invoked, but after setting environment variables in ~/.bashrc, run the above command again and still I don't see any environment variables. Also, if my perl script contains only echo $ENV{PATH} Then I get /usr/bin:/bin:/usr/sbin:/sbin

    Read the article

  • Calling Python from Java through scripting engine (jython)?

    - by griffin
    I'm trying to call Jython from a Java 6 application using javax.script: import javax.script.ScriptEngine; import javax.script.ScriptEngineManager; import javax.script.ScriptException; public class jythonEx { public static void main (String args[]) throws ScriptException { ScriptEngineManager mgr = new ScriptEngineManager(); ScriptEngine pyEngine = mgr.getEngineByName("python"); try { pyEngine.eval("print \"Python - Hello, world!\""); } catch (Exception ex) { ex.printStackTrace(); } } } This is causing a NullPointerException: java.lang.NullPointerException at jythonEx.main(jythonEx.java:12) Does anyone have any idea what I'm doing wrong here? Edit: Thanks for the responses! I added jython.jar to the classpath and it runs properly: java -cp "./;jython.jar" jythonEx

    Read the article

  • Jquery broken by GetResponse (email marketing) web form script

    - by Jacob
    I'm working on a site that relies on quite a bit of javascript. The problem is, I'm not a javascript guru in the least. Yes, bit off more than I can chew, here. I'm using jquery for a spy effect, and use GetResponse for email signups. If I implement my GetResponse script, it breaks the area later in the page which depends on the jquery script. Pull the GetResponse script and it works just fine. Problem is, I need them both. ;) The trick, I suppose, is that the GetResponse script is actually another Jquery script, so it's getting called twice... Any help? The site is http://djubi.com/testserver Check out (urlabove)/nogetresponsescript.php to see it work without the GetResponse script. You should be able to see all the source just fine. Thanks everyone. jf

    Read the article

  • Executing <script> elements inserted with .innerHTML

    - by phidah
    I've got a script that inserts some content into an element using innerHTML. The content could for example be: <script type="text/javascript">alert('test');</script> <strong>test</strong> Problem is that the code inside the <script> tag doesn't get executed. I googled it a bit but there were no apparent solutions. If I inserted the content using jQuery $(element).append(content);the script parts got eval'd before being injected into the DOM. Has anyone got a snippet of code that executes all the <script> elements? The jQuery code was a bit complex so I couldn't really figure out how it was done.

    Read the article

  • Javascript HTML and Script injection issue in IE

    - by MartinHN
    Hi I have a javascript variable containing escaped HTML. There can be script tags inside the HTML, like this: var valueToInsert = "%3Cscript%20type%3D%22text/javascript%22%3Ealert%28%27test%27%29%3B%3C/script%3E%0A%3Cscript%20type%3D%22text/javascript%22%20src%3D%22http%3A//devserver/testinclude.js%22%3E%3C/script%3E%0A%3Cimg%20src%3D%22http%3A//www.footballpictures.net/data/media/131/manchester_united_logo.jpg%22%20/%3E" I want to append this to the DOM, and get all the javascript fired as expected. Right now I'm using this approach: var div = document.createElement("div"); div.innerHTML = unescape(valueToInsert); document.body.appendChild(div); In IE, at the time i set div.innerHTML - all script tags are removed. If I use jQuery to and do this: $(document.body).append(valueToInsert) It all works fine. Bad thing is, that I cannot use jQuery as this code will be added to sites I'm not in control of using some "already-implemented" script includes. Does someone have a trick? If jQuery can do it, it must be possible? I had another issue in Opera. I changed the injection script to be this: (still doesn't work in IE) var div = document.createElement("div"); div.innerHTML = unescape(valueToInsert); var a = new Array(); for (var i = 0; i < div.childNodes.length; i++) a.push(div.childNodes[i]); for (var i = 0; i < a.length; i++) { if (a[i].nodeName == "SCRIPT" && a[i].getAttribute("src") != null && a[i].getAttribute("src") != "" && typeof (a[i].getAttribute("src")) != "undefined") { var scriptTag = document.createElement("script"); scriptTag.src = a[i].getAttribute("src"); scriptTag.type = "text/javascript"; document.body.appendChild(scriptTag); } else if (a[i].nodeName == "SCRIPT") { eval(a[i].innerHTML); } else { document.body.appendChild(a[i]); } }

    Read the article

  • ssh script gives "key_read" error

    - by lugte098
    I'm using a script that connects to a cluster through ssh and sends some commands, then quits the connection. This script basically connects once using ssh, then executes a script in this session. This script loops through a list of commands a few times and after it is finished, the connection is terminated. So this script works fine, except for the fact that after a few loops it gives me the following error at loop 22. And then again at loop 32. The loops do exactly the same thing, so i cannot grasp the problem the script is facing. This is the error: key_read: uudecode AAAAB3NzaC1yc2EAAAABIwAAAQEAxmNx2hcXLpTjuaa3yKC3B9gbF7KprP2/ CH8fBgMbCyIcOB+ZMQDmEnbVTqedBwV/mxjZzorEpHTM8MX2WsTjFsxwzDgcpuxm+3cwfb0WSy9Y4Kb F8crAsRDbBIpUZ2n/iSdRcds9nTjk6PA61kTS24RLACHpqF18vudlO5WcbCOnAwa+DdUs0Raw29UiQc BaC6M4YPnApq9Ayy7a6qFI2uK6efkwfLTZIDivWlIdLpRLEyuBEpozQQhEd0mrGhR/ Gl1GevRvFMms14130xQ4A5UpJSn6CmrRIWBkcgp1TilqDGQ1F5xZOinnc4C00gFrbT3hkkQqY5A9p node023,10.141.0.31 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAxmNx2hcXLpTjuaa3yKC3 B9gbF7KprP2/CH8fBgMbCyIcOB+ZMQDmEnbVTqedBwV/mxjZzorEpHTM8MX2WsTjFsxwzDgcpuxm+ 3cwfb0WSy9Y4KbF8crAsRDbBIpUZ2n/iSdRcds9nTjk6PA61kTS24RLACHpqF18vudlO5WcbCOnAw a+DdUs0Raw29UiQcBaC6M4YPnApq9Ayy7a6qFI2uK6efkwfLTZIDivWlIdLpRLEyuBEpozQQhEd0m rGhR/Gl1GevRvFMms14130xQ4A5UpJSn6CmrRIWBkcgp1TilqDGQ1F5xZOinnc4C00gFrbT3hkkQqY5 A9pa0lQHFkSw==

    Read the article

  • how to install ipv4 via a cmd windows xp

    - by Kevin Babb
    I need to script a way to install IPV4 on windows xp the reason is i have many pc with a corrupt win sock registry so the fix Microsoft has is to delete the reg keys hklm/system/currentcontolset/services/winsock and winsock2 and then to run a netsch ip reset which creates the winsock2 part of the registry then the part i need to script is go to network adapter properties goto tcpip and install a new protocol and select tcp/ip and install it which uses the file c:\windows\inf\nettcpip.inf and then this creates the winsock part is there a way to script this part?? i have looked and cant find anything

    Read the article

  • Powershell 2.0 - Running scripts for the command line call vs. from the ISE

    - by Gromix
    Hi, After writing deployment scripts from within the ISE, we need our CI server to be able to run them automatically, i.e. from the command line or via a batch file. I have notice some significant differences between the following calls: powershell.exe -File Script.ps1 powershell.exe -Command "& '.\Script.ps1'" powershell.exe .\Script.ps1 Some simple examples: When using -File, errors are handled in the exact same way as the ISE. The other two calls seem to ignore the $ErrorActionPreference variable, and do not catch Write-Error in try/catch blocks. When using pSake: The last 2 calls work perfectly Using the ISE or the -File parameter will fail with the following error: The variable '$script:context' cannot be retrieved because it has not been set Could someone help me understand the implications of each syntax, and why they are behaving differently? I would ideally like to find a syntax that works all the time and behaves like the ISE. Thanks, Romain

    Read the article

  • embed a jquery script after jquery is loaded by widget

    - by matthew k
    http://stackoverflow.com/a/6065421 was helpful to see how to confirm jquery has been loaded. my widget will need a class that was written using jquery. may i have some assistance on embedding this other class built using jquery? thank you, below is the snippet from the above link with my code added in the final portion as noted in the code comments: (function(window, document, version, callback) { var j, d; var loaded = false; if (!(j = window.jQuery) || version > j.fn.jquery || callback(j, loaded)) { var script = document.createElement("script"); script.type = "text/javascript"; script.src = "/media/jquery.js"; script.onload = script.onreadystatechange = function() { if (!loaded && (!(d = this.readyState) || d == "loaded" || d == "complete")) { callback((j = window.jQuery).noConflict(1), loaded = true); j(script).remove(); } }; document.documentElement.childNodes[0].appendChild(script) } })(window, document, "1.3", function($, jquery_loaded) { //my code added below var script_tag = document.createElement('script'); script_tag.setAttribute("type","text/javascript"); script_tag.setAttribute("src", "http://mysite.com/widget/slides.jquery.js"); (document.getElementsByTagName("head")[0] || document.documentElement).appendChild(script_tag); $('#slides').slides({}); //this line gives an error. }); right now, i am trying the following based on the response(s) provided to this question (line that throws error is noted with a comment): //this function is called after jquery being embedded has been confirmed. {mysite} placeholder is nonexistent in actual code. function main() { jQuery(document).ready(function($) { var css_link = $("<link>", { rel: "stylesheet", type: "text/css", href: "http://mysite/widget/widget.css" }); css_link.appendTo('head'); $('#crf_widget').after('<div id="crf_widget_container"></div>'); /******* Load HTML *******/ var jsonp_url = "http://mysite/widget.php?callback=?"; $.getJSON(jsonp_url, function(data) { $('#crf_widget_container').html(data); $('#category_sel').change(function(){ alert(this.value); }); $.getScript("http://mysite/widget/slides.jquery.js", function(data, textStatus, jqxhr) { alert(1); //fires ok $('#slides').slides({}); //errors }); }); }); }

    Read the article

  • [PHP] - Lowering script memory usage in a "big" file creation

    - by Riccardo
    Hi there people, it looks like I'm facing a typical memory outage problem when using a PHP script. The script, originally developed by another person, serves as an XML sitemap creator, and on large websites uses quite a lot of memory. I thought that the problem was related due to an algorithm holding data in memory until the job was done, but digging into the code I have discovered that the script works in this way: open file in output (will contain XML sitemap entries) in the loop: ---- for each entry to be added in sitemap, do fwrite close file end Although there are no huge arrays or variables being kept in memory, this technique uses a lot of memory. I thought that maybe PHP was buffering under the hood the fwrites and "flushing" data at the end of the script, so I have modified the code to close and open the file every Nth record, but the memory usage is still the same.... I'm debugging the script on my computer and watching memory usage: while script execution runs, memory allocation grows. Is there a particular technique to instruct PHP to free unsed memory, to force flushing buffers if any? Thanks

    Read the article

  • executing php cURL script for long time without changing php.ini settings

    - by Pragati Sureka
    Scenario I have a old blog on blogger that contains thousands of images and posts, i have already imported the posts from blogger to wordpress using their import service (which does not import images) now i want to write a php cURL script that will download all the images off my old blogger blog to wordpress. Problem I have already written a script that goes through all the posts and find the image links of blogger and download the links recursively and store them local to wordpress installation but the problem is that the script stops if its taking longer than max_execution_time which is generally set to 30 secs. Now i dont want to change setting in php.ini file. Is there some way that i can keep my script executing for that long or some other alternative.... like executing in batch or something else... Reason for not changing php.ini settings is that i want to release this script as opensource plugin for wordpress, and not many have access to their php.ini file on the server and and many don't like changing settings for just one script that might run just once. Thank You for helping....

    Read the article

  • What is the best way to include Javascript?

    - by Paul Tarjan
    Many of the big players recommend slightly different techniques. Mostly on the placement of the new <script>. Google Anayltics: (function() { var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true; ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js'; var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s); })(); Facebook: (function() { var e = document.createElement('script'); e.async = true; e.src = document.location.protocol + '//connect.facebook.net/en_US/all.js'; document.getElementById('fb-root').appendChild(e); }());: Disqus: (function() { var dsq = document.createElement('script'); dsq.type = 'text/javascript'; dsq.async = true; dsq.src = 'http://' + disqus_shortname + '.disqus.com/embed.js'; (document.getElementsByTagName('head')[0] || document.getElementsByTagName('body')[0]).appendChild(dsq); })(); (post others and I'll add them) Is there any rhyme or reason for these choices or does it not matter at all?

    Read the article

  • (illustrator scripting) how to release objects to layers(sequence) but retain object's name?

    - by Eugene
    Hi, I've asked the same question to adobe scripting forum. but seems there are not many forum users there, and I'm asking the same question here. I was writing my first illustrator script to export all layers to png files with layer structure converted to file structure. I found there are many layers that my script can't detect and found out that they are not actually layers but objects(or groups). Found a layer menu (release to layers), but doesn't quite solve the problem perfectly. initially I have this layer 001 object 01 object 1 object 2 release to layers(sequence) on object 01 gives layer 001 layer 91(whatever the layer number illustrator gives when release to layers are performed) layer 92 object 1 layer 93 object 2 now I need to convert them to (so that layer can retain the name of the object) layer 001 layer 01 layer 1 object 1 layer 2 object 2 I have hundreds of layer 001, and couple thousands of object 01, and wonder if anything can be done with script to do this... If it's possible to detect object in a script, I could rewrite the 'release to layers' functionality in script maybe. Any help would be greatly appreciated.

    Read the article

  • Security of PHP script, embedded or otherwise

    - by typoknig
    Hi all, I am curious about the security of PHP on an HTML webpage where PHP code is embedded (a webpage that would exist on the server as "webpage.php") or on a PHP script that may be referenced by an HTML page (that is, a PHP script that is not actually part of a webpage that exists on the server as "something.php" and is referenced by "webpage.html"). Getting to the point, let us say that if the source code of my PHP script is known by anyone it would be a very big problem. I know that when you view the source of a PHP page in a browser the PHP script is not shown, but what if the PHP server failed and the HTML still loaded (is this even possible), would a user be able to see the PHP script? To be more general, is there ANY possible way that a user could access the source of a PHP script from a web browser, and if so, how do I prevent it?

    Read the article

  • What environment variables available while starting the script using init.d boot process

    - by raj_arni
    My problem is like this (OS is Sun Solaris): 1) At the boot time I want to start a process using a specific script. I am doing this by putting this script in /etc/init.d (and following other K and S rules) 2) The program which will be called by the script is located at $HOME/xxx/yyy location. 4) I am using 'su - {myuser} -c "{full path of the program}"' in order to execute the script as {myuser} 3) I dont want to hardcode the value of $HOME in the script but want to use the $HOME env variable only. How can I get this $HOME env variable in the shell script? Also what other variables will be available to me?

    Read the article

  • Security Issues with Single Page Apps

    - by Stephen.Walther
    Last week, I was asked to do a code review of a Single Page App built using the ASP.NET Web API, Durandal, and Knockout (good stuff!). In particular, I was asked to investigate whether there any special security issues associated with building a Single Page App which are not present in the case of a traditional server-side ASP.NET application. In this blog entry, I discuss two areas in which you need to exercise extra caution when building a Single Page App. I discuss how Single Page Apps are extra vulnerable to both Cross-Site Scripting (XSS) attacks and Cross-Site Request Forgery (CSRF) attacks. This goal of this blog post is NOT to persuade you to avoid writing Single Page Apps. I’m a big fan of Single Page Apps. Instead, the goal is to ensure that you are fully aware of some of the security issues related to Single Page Apps and ensure that you know how to guard against them. Cross-Site Scripting (XSS) Attacks According to WhiteHat Security, over 65% of public websites are open to XSS attacks. That’s bad. By taking advantage of XSS holes in a website, a hacker can steal your credit cards, passwords, or bank account information. Any website that redisplays untrusted information is open to XSS attacks. Let me give you a simple example. Imagine that you want to display the name of the current user on a page. To do this, you create the following server-side ASP.NET page located at http://MajorBank.com/SomePage.aspx: <%@Page Language="C#" %> <html> <head> <title>Some Page</title> </head> <body> Welcome <%= Request["username"] %> </body> </html> Nothing fancy here. Notice that the page displays the current username by using Request[“username”]. Using Request[“username”] displays the username regardless of whether the username is present in a cookie, a form field, or a query string variable. Unfortunately, by using Request[“username”] to redisplay untrusted information, you have now opened your website to XSS attacks. Here’s how. Imagine that an evil hacker creates the following link on another website (hackers.com): <a href="/SomePage.aspx?username=<script src=Evil.js></script>">Visit MajorBank</a> Notice that the link includes a query string variable named username and the value of the username variable is an HTML <SCRIPT> tag which points to a JavaScript file named Evil.js. When anyone clicks on the link, the <SCRIPT> tag will be injected into SomePage.aspx and the Evil.js script will be loaded and executed. What can a hacker do in the Evil.js script? Anything the hacker wants. For example, the hacker could display a popup dialog on the MajorBank.com site which asks the user to enter their password. The script could then post the password back to hackers.com and now the evil hacker has your secret password. ASP.NET Web Forms and ASP.NET MVC have two automatic safeguards against this type of attack: Request Validation and Automatic HTML Encoding. Protecting Coming In (Request Validation) In a server-side ASP.NET app, you are protected against the XSS attack described above by a feature named Request Validation. If you attempt to submit “potentially dangerous” content — such as a JavaScript <SCRIPT> tag — in a form field or query string variable then you get an exception. Unfortunately, Request Validation only applies to server-side apps. Request Validation does not help in the case of a Single Page App. In particular, the ASP.NET Web API does not pay attention to Request Validation. You can post any content you want – including <SCRIPT> tags – to an ASP.NET Web API action. For example, the following HTML page contains a form. When you submit the form, the form data is submitted to an ASP.NET Web API controller on the server using an Ajax request: <!DOCTYPE html> <html xmlns="http://www.w3.org/1999/xhtml"> <head> <title></title> </head> <body> <form data-bind="submit:submit"> <div> <label> User Name: <input data-bind="value:user.userName" /> </label> </div> <div> <label> Email: <input data-bind="value:user.email" /> </label> </div> <div> <input type="submit" value="Submit" /> </div> </form> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { user: { userName: ko.observable(), email: ko.observable() }, submit: function () { $.post("/api/users", ko.toJS(this.user)); } }; ko.applyBindings(viewModel); </script> </body> </html> The form above is using Knockout to bind the form fields to a view model. When you submit the form, the view model is submitted to an ASP.NET Web API action on the server. Here’s the server-side ASP.NET Web API controller and model class: public class UsersController : ApiController { public HttpResponseMessage Post(UserViewModel user) { var userName = user.UserName; return Request.CreateResponse(HttpStatusCode.OK); } } public class UserViewModel { public string UserName { get; set; } public string Email { get; set; } } If you submit the HTML form, you don’t get an error. The “potentially dangerous” content is passed to the server without any exception being thrown. In the screenshot below, you can see that I was able to post a username form field with the value “<script>alert(‘boo’)</script”. So what this means is that you do not get automatic Request Validation in the case of a Single Page App. You need to be extra careful in a Single Page App about ensuring that you do not display untrusted content because you don’t have the Request Validation safety net which you have in a traditional server-side ASP.NET app. Protecting Going Out (Automatic HTML Encoding) Server-side ASP.NET also protects you from XSS attacks when you render content. By default, all content rendered by the razor view engine is HTML encoded. For example, the following razor view displays the text “<b>Hello!</b>” instead of the text “Hello!” in bold: @{ var message = "<b>Hello!</b>"; } @message   If you don’t want to render content as HTML encoded in razor then you need to take the extra step of using the @Html.Raw() helper. In a Web Form page, if you use <%: %> instead of <%= %> then you get automatic HTML Encoding: <%@ Page Language="C#" %> <% var message = "<b>Hello!</b>"; %> <%: message %> This automatic HTML Encoding will prevent many types of XSS attacks. It prevents <script> tags from being rendered and only allows &lt;script&gt; tags to be rendered which are useless for executing JavaScript. (This automatic HTML encoding does not protect you from all forms of XSS attacks. For example, you can assign the value “javascript:alert(‘evil’)” to the Hyperlink control’s NavigateUrl property and execute the JavaScript). The situation with Knockout is more complicated. If you use the Knockout TEXT binding then you get HTML encoded content. On the other hand, if you use the HTML binding then you do not: <!-- This JavaScript DOES NOT execute --> <div data-bind="text:someProp"></div> <!-- This Javacript DOES execute --> <div data-bind="html:someProp"></div> <script src="Scripts/jquery-1.7.1.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { someProp : "<script>alert('Evil!')<" + "/script>" }; ko.applyBindings(viewModel); </script>   So, in the page above, the DIV element which uses the TEXT binding is safe from XSS attacks. According to the Knockout documentation: “Since this binding sets your text value using a text node, it’s safe to set any string value without risking HTML or script injection.” Just like server-side HTML encoding, Knockout does not protect you from all types of XSS attacks. For example, there is nothing in Knockout which prevents you from binding JavaScript to a hyperlink like this: <a data-bind="attr:{href:homePageUrl}">Go</a> <script src="Scripts/jquery-1.7.1.min.js"></script> <script src="Scripts/knockout-2.1.0.js"></script> <script> var viewModel = { homePageUrl: "javascript:alert('evil!')" }; ko.applyBindings(viewModel); </script> In the page above, the value “javascript:alert(‘evil’)” is bound to the HREF attribute using Knockout. When you click the link, the JavaScript executes. Cross-Site Request Forgery (CSRF) Attacks Cross-Site Request Forgery (CSRF) attacks rely on the fact that a session cookie does not expire until you close your browser. In particular, if you visit and login to MajorBank.com and then you navigate to Hackers.com then you will still be authenticated against MajorBank.com even after you navigate to Hackers.com. Because MajorBank.com cannot tell whether a request is coming from MajorBank.com or Hackers.com, Hackers.com can submit requests to MajorBank.com pretending to be you. For example, Hackers.com can post an HTML form from Hackers.com to MajorBank.com and change your email address at MajorBank.com. Hackers.com can post a form to MajorBank.com using your authentication cookie. After your email address has been changed, by using a password reset page at MajorBank.com, a hacker can access your bank account. To prevent CSRF attacks, you need some mechanism for detecting whether a request is coming from a page loaded from your website or whether the request is coming from some other website. The recommended way of preventing Cross-Site Request Forgery attacks is to use the “Synchronizer Token Pattern” as described here: https://www.owasp.org/index.php/Cross-Site_Request_Forgery_%28CSRF%29_Prevention_Cheat_Sheet When using the Synchronizer Token Pattern, you include a hidden input field which contains a random token whenever you display an HTML form. When the user opens the form, you add a cookie to the user’s browser with the same random token. When the user posts the form, you verify that the hidden form token and the cookie token match. Preventing Cross-Site Request Forgery Attacks with ASP.NET MVC ASP.NET gives you a helper and an action filter which you can use to thwart Cross-Site Request Forgery attacks. For example, the following razor form for creating a product shows how you use the @Html.AntiForgeryToken() helper: @model MvcApplication2.Models.Product <h2>Create Product</h2> @using (Html.BeginForm()) { @Html.AntiForgeryToken(); <div> @Html.LabelFor( p => p.Name, "Product Name:") @Html.TextBoxFor( p => p.Name) </div> <div> @Html.LabelFor( p => p.Price, "Product Price:") @Html.TextBoxFor( p => p.Price) </div> <input type="submit" /> } The @Html.AntiForgeryToken() helper generates a random token and assigns a serialized version of the same random token to both a cookie and a hidden form field. (Actually, if you dive into the source code, the AntiForgeryToken() does something a little more complex because it takes advantage of a user’s identity when generating the token). Here’s what the hidden form field looks like: <input name=”__RequestVerificationToken” type=”hidden” value=”NqqZGAmlDHh6fPTNR_mti3nYGUDgpIkCiJHnEEL59S7FNToyyeSo7v4AfzF2i67Cv0qTB1TgmZcqiVtgdkW2NnXgEcBc-iBts0x6WAIShtM1″ /> And here’s what the cookie looks like using the Google Chrome developer toolbar: You use the [ValidateAntiForgeryToken] action filter on the controller action which is the recipient of the form post to validate that the token in the hidden form field matches the token in the cookie. If the tokens don’t match then validation fails and you can’t post the form: public ActionResult Create() { return View(); } [ValidateAntiForgeryToken] [HttpPost] public ActionResult Create(Product productToCreate) { if (ModelState.IsValid) { // save product to db return RedirectToAction("Index"); } return View(); } How does this all work? Let’s imagine that a hacker has copied the Create Product page from MajorBank.com to Hackers.com – the hacker grabs the HTML source and places it at Hackers.com. Now, imagine that the hacker trick you into submitting the Create Product form from Hackers.com to MajorBank.com. You’ll get the following exception: The Cross-Site Request Forgery attack is blocked because the anti-forgery token included in the Create Product form at Hackers.com won’t match the anti-forgery token stored in the cookie in your browser. The tokens were generated at different times for different users so the attack fails. Preventing Cross-Site Request Forgery Attacks with a Single Page App In a Single Page App, you can’t prevent Cross-Site Request Forgery attacks using the same method as a server-side ASP.NET MVC app. In a Single Page App, HTML forms are not generated on the server. Instead, in a Single Page App, forms are loaded dynamically in the browser. Phil Haack has a blog post on this topic where he discusses passing the anti-forgery token in an Ajax header instead of a hidden form field. He also describes how you can create a custom anti-forgery token attribute to compare the token in the Ajax header and the token in the cookie. See: http://haacked.com/archive/2011/10/10/preventing-csrf-with-ajax.aspx Also, take a look at Johan’s update to Phil Haack’s original post: http://johan.driessen.se/posts/Updated-Anti-XSRF-Validation-for-ASP.NET-MVC-4-RC (Other server frameworks such as Rails and Django do something similar. For example, Rails uses an X-CSRF-Token to prevent CSRF attacks which you generate on the server – see http://excid3.com/blog/rails-tip-2-include-csrf-token-with-every-ajax-request/#.UTFtgDDkvL8 ). For example, if you are creating a Durandal app, then you can use the following razor view for your one and only server-side page: @{ Layout = null; } <!DOCTYPE html> <html> <head> <title>Index</title> </head> <body> @Html.AntiForgeryToken() <div id="applicationHost"> Loading app.... </div> @Scripts.Render("~/scripts/vendor") <script type="text/javascript" src="~/App/durandal/amd/require.js" data-main="/App/main"></script> </body> </html> Notice that this page includes a call to @Html.AntiForgeryToken() to generate the anti-forgery token. Then, whenever you make an Ajax request in the Durandal app, you can retrieve the anti-forgery token from the razor view and pass the token as a header: var csrfToken = $("input[name='__RequestVerificationToken']").val(); $.ajax({ headers: { __RequestVerificationToken: csrfToken }, type: "POST", dataType: "json", contentType: 'application/json; charset=utf-8', url: "/api/products", data: JSON.stringify({ name: "Milk", price: 2.33 }), statusCode: { 200: function () { alert("Success!"); } } }); Use the following code to create an action filter which you can use to match the header and cookie tokens: using System.Linq; using System.Net.Http; using System.Web.Helpers; using System.Web.Http.Controllers; namespace MvcApplication2.Infrastructure { public class ValidateAjaxAntiForgeryToken : System.Web.Http.AuthorizeAttribute { protected override bool IsAuthorized(HttpActionContext actionContext) { var headerToken = actionContext .Request .Headers .GetValues("__RequestVerificationToken") .FirstOrDefault(); ; var cookieToken = actionContext .Request .Headers .GetCookies() .Select(c => c[AntiForgeryConfig.CookieName]) .FirstOrDefault(); // check for missing cookie or header if (cookieToken == null || headerToken == null) { return false; } // ensure that the cookie matches the header try { AntiForgery.Validate(cookieToken.Value, headerToken); } catch { return false; } return base.IsAuthorized(actionContext); } } } Notice that the action filter derives from the base AuthorizeAttribute. The ValidateAjaxAntiForgeryToken only works when the user is authenticated and it will not work for anonymous requests. Add the action filter to your ASP.NET Web API controller actions like this: [ValidateAjaxAntiForgeryToken] public HttpResponseMessage PostProduct(Product productToCreate) { // add product to db return Request.CreateResponse(HttpStatusCode.OK); } After you complete these steps, it won’t be possible for a hacker to pretend to be you at Hackers.com and submit a form to MajorBank.com. The header token used in the Ajax request won’t travel to Hackers.com. This approach works, but I am not entirely happy with it. The one thing that I don’t like about this approach is that it creates a hard dependency on using razor. Your single page in your Single Page App must be generated from a server-side razor view. A better solution would be to generate the anti-forgery token in JavaScript. Unfortunately, until all browsers support a way to generate cryptographically strong random numbers – for example, by supporting the window.crypto.getRandomValues() method — there is no good way to generate anti-forgery tokens in JavaScript. So, at least right now, the best solution for generating the tokens is the server-side solution with the (regrettable) dependency on razor. Conclusion The goal of this blog entry was to explore some ways in which you need to handle security differently in the case of a Single Page App than in the case of a traditional server app. In particular, I focused on how to prevent Cross-Site Scripting and Cross-Site Request Forgery attacks in the case of a Single Page App. I want to emphasize that I am not suggesting that Single Page Apps are inherently less secure than server-side apps. Whatever type of web application you build – regardless of whether it is a Single Page App, an ASP.NET MVC app, an ASP.NET Web Forms app, or a Rails app – you must constantly guard against security vulnerabilities.

    Read the article

  • Multitouch script (using xinput) no longer working

    - by Pitto
    #!/bin/bash # # list of synaptics device properties http://www.x.org/archive/X11R7.5/doc/man/man4/synaptics.4.html#sect4 # list current synaptics device properties: xinput list-props '"SynPS/2 Synaptics TouchPad"' # sleep 5 #added delay... xinput set-int-prop "SynPS/2 Synaptics TouchPad" "Device Enabled" 8 1 xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Pressure" 4 xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Width" 9 # Below width 1 finger touch, above width simulate 2 finger touch. - value=pad-pixels xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Edge Scrolling" 1 1 0 # vertical, horizontal, corner - values: 0=disable 1=enable xinput --set-prop --type=int --format=32 "SynPS/2 Synaptics TouchPad" "Synaptics Jumpy Cursor Threshold" 250 # stabilize 2 finger actions - value=pad-pixels #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Tap Action" 0 0 0 0 1 2 3 # pad corners rt rb lt lb tap fingers 1 2 3 (can't simulate more then 2 tap fingers AFAIK) - values: 0=disable 1=left 2=middle 3=right etc. (in FF 8=back 9=forward) xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Two-Finger Scrolling" 1 0 # vertical scrolling, horizontal scrolling - values: 0=disable 1=enable #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Circular Scrolling" 1 #xinput --set-prop --type=int --format=8 "SynPS/2 Synaptics TouchPad" "Synaptics Circular Scrolling Trigger" 3 Hello everybody... The above script allowed me to use happily multitouch for a month... Now if I do a two fingers scrolling the mouse cursor just runs on the screen like possessed... Any hints?

    Read the article

  • Nginx routing script for NodeJS and Wordpress

    - by Nilay Parikh
    We are moving blogs and site from wordpress to nodejs and ready to move into production. However I'm not able to figure it out how to implement routing from front server (Nginx) to NodeJS (prefered web instance) and if data not synced yet into NodeJS website than (404 will throw by NodeJS) fall back to (using reverse proxy) to Wordpress and serve page, during the transformation period. Q1. Is the approach good for the scenario, or anyone can suggest better approach? Q2. Should NodeJS treat itself as Reverse proxy (using bouncy : https://github.com/substack/bouncy or similar package) in event of fall back or shoud stick with Nginx to do so using fastcgi approch. Both NodeJS and Wordpress are on single server only, In first scenario, /if resource available than serve directly User -> Nginx -> NodeJS (8080) \if resource not available then reverse query wordpress and serve content second scenario, /if resource available than serve directly User -> Nginx -> NodeJS (8080) \if resource not available then 404 to Nginx and Nginx script fallback to Wordpress (FastCGI PHP) Later we have plan to phase out Wordpress and PHP from the server environment completely. I'd like to see any examples of Nginx or Varnish scripts and/or NodeJS scripts if you have for me to refer. Thanks.

    Read the article

  • Controlling a GameObject from another GameObject's script component

    - by OhMrBigshot
    I'm creating a game where when starting the game, a Cube is duplicated GridSize * GridSize times when the game starts. Now, after the cubes are duplicated I want to attach a variable to them, say "Flag" which is a bool, from another script component (let's say I have a Prefab that generates the cloned cubes). In short, I have something like this: CreateTiles.cs : Attached to Prefab void Start() { createMyTiles(); // a function that clones the tiles flagRandomTiles(); // a function that (what I'm trying to do) "Flags" 10 random cubes } CubeBehavior.cs : Attached to each Cube public bool hasFlag; // other stuff Now, I want flagRandomTiles() to set a Cube's hasFlag property via code, assuming I have access to them via a GameObject[] array. Here's what I've tried: Cubes[x].hasFlag = true; - No access. Making a function such as Cubes[x].setHasFlag(true) - still no access. Initializing Cubes as a CubeBehavior object array, then doing the above - GameObjects can't be converted to CubeBehaviors - I get this error when I try to assign the Cubes into the array. How do I do this?

    Read the article

  • Script language native extensions - avoiding name collisions and cluttering others' namespace

    - by H2CO3
    I have developed a small scripting language and I've just started writing the very first native library bindings. This is practically the first time I'm writing a native extension to a script language, so I've run into a conceptual issue. I'd like to write glue code for popular libraries so that they can be used from this language, and because of the design of the engine I've written, this is achieved using an array of C structs describing the function name visible by the virtual machine, along with a function pointer. Thus, a native binding is really just a global array variable, and now I must obviously give it a (preferably good) name. In C, it's idiomatic to put one's own functions in a "namespace" by prepending a custom prefix to function names, as in myscript_parse_source() or myscript_run_bytecode(). The custom name shall ideally describe the name of the library which it is part of. Here arises the confusion. Let's say I'm writing a binding for libcURL. In this case, it seems reasonable to call my extension library curl_myscript_binding, like this: MYSCRIPT_API const MyScriptExtFunc curl_myscript_lib[10]; But now this collides with the curl namespace. (I have even thought about calling it curlmyscript_lib but unfortunately, libcURL does not exclusively use the curl_ prefix -- the public APIs contain macros like CURLCODE_* and CURLOPT_*, so I assume this would clutter the namespace as well.) Another option would be to declare it as myscript_curl_lib, but that's good only as long as I'm the only one who writes bindings (since I know what I am doing with my namespace). As soon as other contributors start to add their own native bindings, they now clutter the myscript namespace. (I've done some research, and it seems that for example the Perl cURL binding follows this pattern. Not sure what I should think about that...) So how do you suggest I name my variables? Are there any general guidelines that should be followed?

    Read the article

  • Launching php script through comman line - keeping terminal window open after execution

    - by somethis
    Oh, my girlfriend really likes it when I launch php scripts! There's something special about them, she says ... Thus, I coded this script to run throught the CLI (Command Line Interface) - so it's running locally, not on a web server. It launches just fine through right click open run in terminal but closes right after execution. **Is there a way to keep the terminal window open? Of course I can launch it through a terminal window - which would stay open - but I'm looking for a one click action. With bash scripts I use $SHELL but that didn't work (see code below). So far, the only thing I came up with is sleep(10); which gives me 10 seconds for my girl to check the output. I'd rather close the terminal window manually, though. #!/usr/bin/php -q <?php echo "Hello World \n"; # wait before closing terminal window sleep(10); # the following line doesn't work $SHELL; ?> (PHP 5.4.6-1ubuntu1.2 (cli) (built: Mar 11 2013 14:57:54) Copyright (c) 1997-2012 The PHP Group Zend Engine v2.4.0, Copyright (c) 1998-2012 Zend Technologies )

    Read the article

  • Tweak Conky Layout via a script

    - by begtognen
    I'm using a script in Conky in order to display my new gmail on my desktop. It works beautifully, but is kind of ugly, and I'm not sure how to fix it. What I've currently got looks like this: And what I'd like is this: Any ideas for how to make that happen are much appreciated. Here's the script I'm currently using (I think I've snipped out the correct part, if I haven't please let me know.) #!/usr/bin/perl use Switch; use Text::Wrap; my $what=$ARGV[0]; $user="username"; #username for gmail account $pass="password"; #password for gmail account $file="/tmp/gmail.html"; #temporary file to store gmail #wrap format for subject $Text::Wrap::columns=65; #Number of columns to wrap subject at $initial_tab=""; #Tab for first line of subject $subsequent_tab="\t"; #tab for wrapped lines $quote="\""; #put quotes around subject #limit the number of emails to be displayed $emails=-1; #if -1 display all emails &passwd; #give password the proper url character encoding switch($what){ #determine what the user wants case "n" {&gmail; print "$new\n";} #print number of new emails case "s" { #print $from and $subj for new email &gmail; if ($new0){ my $size=@from; if ($emails!=-1 && $size$emails){$size=$emails;} #limit number of emails displayed for(my $i=0; $i$emails){print "$emails out of $size new emails displayed\n";} } } case "e" { #print number of new emails, $from, and $subj &gmail; if($new==0){print "You have no new emails.\n";} else{ print "You have $new new email(s).\n"; my $size=@from; if ($emails!=-1 && $size$emails){$size=$emails;} #limit number of emails displayed for(my $i=0; $i$emails){print "$emails out of $size new emails displayed\n";} } } else { print "Usage Error: gmail.pl \n"; print "\tn displays number of new emails\n"; print "\ts displays from line and subject line for each new email.\n"; print "\te displays the number of new emails and from line plus \n"; print "\t\tsubject line for each new email.\n"; } #didn't give proper option } sub gmail{ if(!(-e $file)){ #create file if it does not exists `touch $file`; } #get new emails `wget -O - https://$user:$pass\@mail.google.com/mail/feed/atom --no-check-certificate $file`; open(IN, $file); #open $file my $i=0; #initialize count $new=0; #initialize new emails to 0 my $flag=0; while(){ #cycle through $file if(//){$flag=1;} elsif(/(\d+)/){$new=$1;} #grab number of new emails elsif($flag==1){ if(/.+/){push(@subj, &msg);} #grab new email titles elsif(/(.+)/){push(@from, $1); $flag=0;} #grab new email from lines } } close(IN); #close $file } sub passwd{ #change to url escape codes in password #URL ESCAPE CODES $_=$pass; s/\%/\%25/g; s/\#/\%23/g; s/\$/\%24/g; s/\&/\%26/g; s/\//\%2F/g; s/\:/\%3A/g; s/\;/\%3B/g; s/\/\%3E/g; s/\?/\%3F/g; s/\@/\%40/g; s/\[/\%5B/g; s/\\/\%5C/g; s/\]/\%5D/g; s/\^/\%5E/g; s/\`/\%60/g; s/\{/\%7B/g; s/\|/\%7C/g; s/\}/\%7D/g; s/\~/\%7E/g; $pass=$_; } sub msg{ #THE HTML CODED CHARACTER SET [ISO-8859-1] chomp; s/(.+)/$1/; #get just the subject #now replace any special characters s/\&\#33\;/!/g; #Exclamation mark s/\&\#34\;/"/g; s/\"\;/"/g; #Quotation mark s/\&\#35\;/#/g; #Number sign s/\&\#36\;/\$/g; #Dollar sign s/\&\#37\;/%/g; #Percent sign s/\&\#38\;/&/g; s/\&\;/&/g; #Ampersand s/\&\#39\;/'/g; #Apostrophe s/\&\#40\;/(/g; #Left parenthesis s/\&\#41\;/)/g; #Right parenthesis s/\&\#42\;/*/g; #Asterisk s/\&\#43\;/+/g; #Plus sign s/\&\#44\;/,/g; #Comma s/\&\#45\;/-/g; #Hyphen s/\&\#46\;/./g; #Period (fullstop) s/\&\#47\;/\//g; #Solidus (slash) s/\&\#58\;/:/g; #Colon s/\&\#59\;/\;/g; #Semi-colon s/\&\#60\;//g; s/\>\;//g; #Greater than s/\&\#63\;/\?/g; #Question mark s/\&\#64\;/\@/g; #Commercial at s/\&\#91\;/\[/g; #Left square bracket s/\&\#92\;/\\/g; #Reverse solidus (backslash) s/\&\#93\;/\]/g; #Right square bracket s/\&\#94\;/\^/g; #Caret s/\&\#95\;/_/g; #Horizontal bar (underscore) s/\&\#96\;/\`/g; #Acute accent s/\&\#123\;/\{/g; #Left curly brace s/\&\#124\;/|/g; #Vertical bar s/\&\#125\;/\}/g; #Right curly brace s/\&\#126\;/~/g; #Tilde s/\&\#161\;/¡/g; #Inverted exclamation s/\&\#162\;/¢/g; #Cent sign s/\&\#163\;/£/g; #Pound sterling s/\&\#164\;/¤/g; #General currency sign s/\&\#165\;/¥/g; #Yen sign s/\&\#166\;/¦/g; #Broken vertical bar s/\&\#167\;/§/g; #Section sign s/\&\#168\;/¨/g; #Umlaut (dieresis) s/\&\#169\;/©/g; s/\©\;/©/g; #Copyright s/\&\#170\;/ª/g; #Feminine ordinal s/\&\#171\;/«/g; #Left angle quote, guillemotleft s/\&\#172\;/¬/g; #Not sign s/\&\#174\;/®/g; #Registered trademark s/\&\#175\;/¯/g; #Macron accent s/\&\#176\;/°/g; #Degree sign s/\&\#177\;/±/g; #Plus or minus s/\&\#178\;/²/g; #Superscript two s/\&\#179\;/³/g; #Superscript three s/\&\#180\;/´/g; #Acute accent s/\&\#181\;/µ/g; #Micro sign s/\&\#182\;/¶/g; #Paragraph sign s/\&\#183\;/·/g; #Middle dot s/\&\#184\;/¸/g; #Cedilla s/\&\#185\;/¹/g; #Superscript one s/\&\#186\;/º/g; #Masculine ordinal s/\&\#187\;/»/g; #Right angle quote, guillemotright s/\&\#188\;/¼/g; s/\¼\;/¼/g; # Fraction one-fourth s/\&\#189\;/½/g; s/\½\;/½/g; # Fraction one-half s/\&\#190\;/¾/g; s/\¾\;/¾/g; # Fraction three-fourths s/\&\#191\;/¿/g; #Inverted question mark s/\&\#192\;/À/g; #Capital A, grave accent s/\&\#193\;/Á/g; #Capital A, acute accent s/\&\#194\;/Â/g; #Capital A, circumflex accent s/\&\#195\;/Ã/g; #Capital A, tilde s/\&\#196\;/Ä/g; #Capital A, dieresis or umlaut mark s/\&\#197\;/Å/g; #Capital A, ring s/\&\#198\;/Æ/g; #Capital AE dipthong (ligature) s/\&\#199\;/Ç/g; #Capital C, cedilla s/\&\#200\;/È/g; #Capital E, grave accent s/\&\#201\;/É/g; #Capital E, acute accent s/\&\#202\;/Ê/g; #Capital E, circumflex accent s/\&\#203\;/Ë/g; #Capital E, dieresis or umlaut mark s/\&\#204\;/Ì/g; #Capital I, grave accent s/\&\#205\;/Í/g; #Capital I, acute accent s/\&\#206\;/Î/g; #Capital I, circumflex accent s/\&\#207\;/Ï/g; #Capital I, dieresis or umlaut mark s/\&\#208\;/Ð/g; #Capital Eth, Icelandic s/\&\#209\;/Ñ/g; #Capital N, tilde s/\&\#210\;/Ò/g; #Capital O, grave accent s/\&\#211\;/Ó/g; #Capital O, acute accent s/\&\#212\;/Ô/g; #Capital O, circumflex accent s/\&\#213\;/Õ/g; #Capital O, tilde s/\&\#214\;/Ö/g; #Capital O, dieresis or umlaut mark s/\&\#215\;/×/g; #Multiply sign s/\&\#216\;/Ø/g; #Capital O, slash s/\&\#217\;/Ù/g; #Capital U, grave accent s/\&\#218\;/Ú/g; #Capital U, acute accent s/\&\#219\;/Û/g; #Capital U, circumflex accent s/\&\#220\;/Ü/g; #Capital U, dieresis or umlaut mark s/\&\#221\;/Ý/g; #Capital Y, acute accent s/\&\#222\;/Þ/g; #Capital THORN, Icelandic s/\&\#223\;/ß/g; #Small sharp s, German (sz ligature) s/\&\#224\;/à/g; #Small a, grave accent s/\&\#225\;/á/g; #Small a, acute accent s/\&\#226\;/â/g; #Small a, circumflex accent s/\&\#227\;/ã/g; #Small a, tilde s/\&\#228\;/ä/g; #Small a, dieresis or umlaut mark s/\&\#229\;/å/g; #Small a, ring s/\&\#230\;/æ/g; #Small ae dipthong (ligature) s/\&\#231\;/ç/g; #Small c, cedilla s/\&\#232\;/è/g; #Small e, grave accent s/\&\#233\;/é/g; #Small e, acute accent s/\&\#234\;/ê/g; #Small e, circumflex accent s/\&\#235\;/ë/g; #Small e, dieresis or umlaut mark s/\&\#236\;/ì/g; #Small i, grave accent s/\&\#237\;/í/g; #Small i, acute accent s/\&\#238\;/î/g; #Small i, circumflex accent s/\&\#239\;/ï/g; #Small i, dieresis or umlaut mark s/\&\#240\;/ð/g; #Small eth, Icelandic s/\&\#241\;/ñ/g; #Small n, tilde s/\&\#242\;/ò/g; #Small o, grave accent s/\&\#243\;/ó/g; #Small o, acute accent s/\&\#244\;/ô/g; #Small o, circumflex accent s/\&\#245\;/õ/g; #Small o, tilde s/\&\#246\;/ö/g; #Small o, dieresis or umlaut mark s/\&\#247\;/÷/g; #Division sign s/\&\#248\;/ø/g; #Small o, slash s/\&\#249\;/ù/g; #Small u, grave accent s/\&\#250\;/ú/g; #Small u, acute accent s/\&\#251\;/û/g; #Small u, circumflex accent s/\&\#252\;/ü/g; #Small u, dieresis or umlaut mark s/\&\#253\;/ý/g; #Small y, acute accent s/\&\#254\;/þ/g; #Small thorn, Icelandic s/\&\#255\;/ÿ/g; #Small y, dieresis or umlaut mark s/^\s+//; return $_; }

    Read the article

  • How do I mount a "GPT Protective Partition" in Windows XP?

    - by Michael Haren
    I formatted an external USB harddrive while it was connected to a 32-bit Windows 2003 Server Std. edition server. After loading it up with files, I moved it to my Windows XP SP3 where it didn't show up automatically in My Computer. I opened up Computer ManagementDisk Management and see it listed as a "Health (GPT Protective Parititon)". What's up with that? Can I mount it?

    Read the article

  • USB 3 vs. eSATA

    - by Robert Nickens
    Will the full speed advantages of the future USB 3.0 be negated by the fact the most HD being mass produced are SATA 3? If so, what would you suggest a person do? For performance reasons go with eSATA or 1394 for external HDs. Why spend the money on USB 3.0 next year,even if the prices come down quickly. Given that SATA 6 is not here and may be a while.

    Read the article

< Previous Page | 60 61 62 63 64 65 66 67 68 69 70 71  | Next Page >