backbonejs loading model - backbone.js

In the Backbone.js documentation it is said that we can load bootstrapped models (under "Loading bootstrapped models").
So I did the same as there, like:
employeeCollection.reset(<%= #employees.to_json %>);
But it threw an error:
Uncaught SyntaxError: Unexpected token &
When I clicked that error it took me to:
employeeCollection.reset([{"address":"Madhyapur thimi 13, wamunae tole","fired":false,"first_name":"Gagan Shrestha","id":1,"last_name":"Shrestha","phone":"9841971919"},{"address":"Madhyapur thimi 13, wamunae tole","fired":true,"first_name":"Prem Krishna","id":2,"last_name":"Shrestha","phone":"9841755640"},{"address":"sdgd","fired":false,"first_name":"fdsfs","id":3,"last_name":"sfdsf","phone":"5345435"},{"address":"sdfsf","fired":true,"first_name":"dsfsd","id":4,"last_name":"fsd","phone":"sfdsf"},{"address":"Madhyapur thimi 13, wamunae tole","fired":false,"first_name":"Prafulla","id":5,"last_name":"Shrestha","phone":"9841971919"},{"address":"South africa","fired":false,"first_name":"ram","id":6,"last_name":"krishna","phone":"86879979"},{"address":"sdfdsf","fired":true,"first_name":"fs","id":7,"last_name":"sdfdsfdsf","phone":"sdfdsfds"},{"address":"juj","fired":true,"first_name":"rfr","id":8,"last_name":"hgtg","phone":"9898"},{"address":"gthy","fired":true,"first_name":"olo","id":9,"last_name":"plo","phone":"6766"},{"address":"rfrf","fired":true,"first_name":"uyuy","id":10,"last_name":"uyuy","phone":"7676"},{"address":"madhyapur thimi 12","fired":true,"first_name":"shuvam1","id":11,"last_name":"shrestha","phone":"1234556778"},{"address":"dodale","fired":true,"first_name":"sarita2","id":12,"last_name":"prajapati","phone":"985757"},{"address":"kathmandu","fired":false,"first_name":"hello","id":13,"last_name":"world","phone":"0155675432"}]);
I guess the error is due to escaping of the JSON data, but I'm not quite sure.
Do I need to do anything additional so that I can load the necessary data when the page loads, so that I need not fire an AJAX request to get that data from the server?
Thanks

Rails is HTML encoding your JSON. There are a few ways around this, but be aware that there are security implications (XSS) to just using something like html_safe.
How to Securely Bootstrap JSON in a Rails View gives a good overview of one way to do this safely (the author chooses to overwrite json_escape).
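As an added illustration (not code from the question, the answer, or the linked article), the Ruby below reproduces the two behaviours the answer contrasts: Rails' default HTML escaping of `<%= ... %>` output, which turns the JSON's quotes into &quot; and produces exactly the "Unexpected token &" error, versus a JSON-specific escape in the spirit of Rails' json_escape, which replaces only the characters that could end the script block or break JS parsing while leaving the JSON valid. The employee record is constructed for the example; the function names are assumptions.

```ruby
require "json"
require "cgi"

# Added example: escape JSON for embedding in a <script> body (json_escape
# style) rather than HTML-entity-encoding it (Rails' default for <%= %>).

# Characters that can terminate a <script> element or confuse a JS parser.
# Each replacement is still a valid JSON string escape, so the data survives.
JSON_ESCAPE = {
  "&" => '\u0026',
  ">" => '\u003e',
  "<" => '\u003c',
  "\u2028" => '\u2028',   # LINE SEPARATOR: a newline for JS, not for JSON
  "\u2029" => '\u2029',   # PARAGRAPH SEPARATOR
}.freeze

def json_escape(json_string)
  json_string.gsub(/[&<>\u2028\u2029]/, JSON_ESCAPE)
end

# Constructed sample record (hypothetical data). The address deliberately
# contains a closing script tag to show why plain to_json is unsafe in a
# <script> body: the browser would end the script there.
EMPLOYEES = [
  { "id" => 1, "first_name" => "Gagan", "last_name" => "Shrestha", "fired" => false,
    "address" => "Madhyapur thimi 13 </script><b>not data</b>" },
].freeze

def bootstrap_comparison(records)
  raw          = JSON.generate(records)
  html_escaped = CGI.escapeHTML(raw)   # what <%= raw_json %> does by default
  json_escaped = json_escape(raw)      # safe to place inside a <script> body
  {
    raw_has_script_close:            raw.include?("</script>"),
    html_escaped_has_entities:       html_escaped.include?("&quot;"),
    json_escaped_has_angle_brackets: json_escaped.match?(/[<>]/),
    roundtrip_ok:                    JSON.parse(json_escaped) == records,
  }
end

if __FILE__ == $PROGRAM_NAME
  p bootstrap_comparison(EMPLOYEES)
  # What the view would emit once the escape is applied:
  puts "<script>employeeCollection.reset(#{json_escape(JSON.generate(EMPLOYEES))});</script>"
end
```

The escaped output contains no literal `<`, `>` or `&`, so it can neither close the script element nor be mangled by HTML entity decoding, and `JSON.parse` (or the browser's JS parser) still reads back the original records.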

You probably need to replace every " with a single quote ('); it is not valid JavaScript otherwise.

Related

"angular.bootstrap()" throws error when Angular version is updated

Not sure if this is the appropriate place for this question, but when I simply updated my Angular script from 1.4.8 to 1.5.11, the UI bombs out and throws an error when attempting to do an angular.bootstrap(...):
https://code.angularjs.org/1.5.11/docs/error/$injector/modulerr?p0=ckwy4037000003e8twhn1wp0a&p1=Error: [$injector:modulerr] http://errors.angularjs.org/1.5.11/$injector/modulerr?p0=sn.common.attachments&p1=Error: [$injector:nomod] http://errors.angularjs.org/1.5.11/$injector/nomod?p0=sn.common.attachments
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:9:426
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:28:235
at b (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:27:282)
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:28:20
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:43:17
at q (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:10:371)
at g (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:42:382)
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:43:34
at q (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:10:371)
at g (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:42:382)
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:9:426
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:43:292
at q (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:10:371)
at g (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:42:382)
at http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:43:34
at q (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:10:371)
at g (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:42:382)
at fb (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:46:381)
at c (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:24:19)
at Object.Gc [as bootstrap] (http://localhost:8080/scripts/angular_includes_1.5.11.jsx?v=Wed_Dec_08_12_09_54_PST_2021:24:332
...wondering if anyone else has come across this issue, and if they have an idea of what's going on?
I'm not really familiar with Angular, but from looking at the docs, when I compare v1.4.8 and v1.5.11, the only difference I see is the two yellow banners, one in particular that says:
Note: Do not bootstrap the app on an element with a directive that uses transclusion, such as ngIf, ngInclude and ngView. Doing this misplaces the app $rootElement and the app's injector, causing animations to stop working and making the injector inaccessible from outside the app.
This looks related, but I'm not 100% certain that that may be...
Fixed in the comments:
Are you still providing sn.common.attachments, per your error URL?
You were right! It was a bad path (I changed the version number in the path, but that path doesn't exist for that version)... Thank you!!!!
Angular employs a technique where its error messages are encoded as URLs, which enables more-informative and translatable error messages without bloating the production app size. Consequently, that first https://code.angularjs.org/ URL actually contains the real $injector:nomod error that the URL target describes. From there it's easier to see that the bootstrap failed due to the absence of a module, here sn.common.attachments specifically.

AngularJS $http service has CORS issue. But it should be working for JSONP, right? [duplicate]

I'm trying to load an external page using JSONP, but the page is an HTML page, I just want to grab the contents of it using ajax.
EDIT: The reason I'm doing this is because I want to pass all the user information (e.g. headers, IP, agent) when loading the page, rather than my server's.
Is this doable? Right now I can get the page, but JSONP attempts to parse it as JSON, returning an error: Uncaught SyntaxError: Unexpected token <
Sample code:
$.post('http://example.com', function(data){
    $('.results').html(data);
}, 'jsonp');
I've set up a jsfiddle for people to test with:
http://jsfiddle.net/8A63A/1/
http://en.wikipedia.org/wiki/JSONP#Script_element_injection
Making a JSONP call (in other words, to employ this usage pattern), requires a script element. Therefore, for each new JSONP request, the browser must add (or reuse) a new element (in other words, inject the element) into the HTML DOM, with the desired value for the "src" attribute. This element is then evaluated, the src URL is retrieved, and the response JSON is evaluated.
Now look at your error:
Uncaught SyntaxError: Unexpected token <
< is the first character of any HTML tag; probably this is the start of <DOCTYPE in this case, which is, of course, invalid JavaScript.
And NO, you can't use JSONP for fetching html data.
I have done what you want, but in my case I have control of the server-side code that returns the HTML.
So what I did was wrap the HTML code in one of the JSON properties of the returned object and use it on the client side, something like:
callback({"page": "<html>...</html>"})
The syntax error you are facing is because the library you're using expects JSON but the response is HTML, that's all.
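Added example (not the answerer's code, and independent of any framework): the server side of the approach described above, written in Ruby. The HTML is carried as a JSON string property, so the response is a valid JavaScript statement rather than raw markup, and the callback name supplied by the client is checked against an identifier pattern before being echoed into the script, since the response is executed in the caller's page. The function and constant names are assumptions.

```ruby
require "json"

# Added example: build a JSONP response that wraps an HTML page in a JSON
# property, as the answer describes.

# Only dotted JS identifiers are accepted as callback names; anything else
# (spaces, punctuation, code) is refused rather than echoed into the script.
CALLBACK_NAME = /\A[A-Za-z_$][\w$]*(\.[A-Za-z_$][\w$]*)*\z/

class InvalidCallback < StandardError; end

def jsonp_response(callback, html)
  unless callback.is_a?(String) && callback.match?(CALLBACK_NAME)
    raise InvalidCallback, "unsafe callback name: #{callback.inspect}"
  end
  payload = JSON.generate({ "page" => html })
  # U+2028/U+2029 are legal inside JSON strings but, in older JS engines, end
  # a statement inside a string literal; escape them so the script always parses.
  payload = payload.gsub("\u2028", '\u2028').gsub("\u2029", '\u2029')
  {
    status:  200,
    headers: { "Content-Type" => "application/javascript; charset=utf-8" },
    body:    "#{callback}(#{payload});",
  }
end

# Constructed sample page; the quote and newline must be escaped to stay a
# single JS string literal.
SAMPLE_HTML = "<html><body class=\"x\">Hi\n</body></html>"

if __FILE__ == $PROGRAM_NAME
  puts jsonp_response("handlePage", SAMPLE_HTML)[:body]
end
```

On the client, the `handlePage` callback receives an object and inserts `obj.page` into the DOM; the library never has to parse HTML as JSON, which is the error the question hit.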
I've got three words for you: Same Origin Policy
Unless the remote URL actually supports proper JSONP requests, you won't be able to do what you're trying to. And that's a good thing.
Edit: You could of course try to proxy the request through your server …
If you really just want to employ the client to snag an HTML file, I suggest using flyJSONP (which uses YQL), or use jankyPOST, which uses some sweet techniques:
jankyPOST creates a hidden iframe and stuffs it with a form (iframe[0].contentWindow.document.body.form.name).
Then it uses the HTML5 (watch legacy browsers!) web messaging API to post to the other iframe and sets the iframe's form elements' values to what you specified.
Submits the form to the remote server... done.
Or you could just use PHP curl, parse it, echo it, and so on.
I don't know what exactly you're using it for, but I hope this helps.
ALSO...
I'm pretty sure you can JSONP anything that is output from server code. I did this with ClientLogin by just JSONPing their keyGen page and successfully console.logged the text even though it was between tags. I had some other errors on that, but the point is that I scraped that output.
Currently, I'm trying to do what you are so I'll post back if successful.
I don't think this is possible. JSONP requires that the response is rendered properly.
If you want another solution, what about loading the URL in an iframe and trying to talk through the iframe? I'm not 100% positive it will work, but it's worth a shot.
First, call the AJAX URL manually and see if the resulting HTML makes sense.
Second, you need to close your DIV in your fiddle example.

Trying to search mongo and send results to angular through express

I recently went through the www.clementinejs.com tutorial as I'm trying to learn the MEAN stack. I was able to complete it and understand most of it. However, when I'm trying to repeat the process with Mongoose and get slightly more data, I keep failing.
What I'm trying to do:
When the page loads, Angular performs a GET request to '/api/entries', which searches Mongo (via Mongoose) and returns all docs in the collection, then loads those docs into a div via Angular ng-repeat.
If I insert dummy data into an object in the controller file I have no problem getting the data to show on the page, but when I try with the database I messed up somewhere. Even the Angular curly brackets show up when I try to do it that way.
Here is my repo.
https://github.com/nickolaskg/journal
Should I just use Mongo instead of Mongoose? I'm not sure if I've set it up correctly.
Any help is greatly appreciated. I've been stuck for days trying so many different approaches; at this point I have no doubt there are multiple problems in the code.
Entry.get(function(result){
    $scope.entries = result;
})
get() expects a single object in the response.
Please read $resource's docs.
Use:
Entry.query({field1: 'criterion'}) for queries and multiple resources.
Entry.get({_id: 'someid'}) for a single resource.
Entry.save({my: 'properties'}) for saving an existing resource or creating a new one.
Entry.delete({_id: 'someid'}) for deleting a single resource.
Also, next time please post the relevant code (i.e. your $resource calls) directly.

Does sending raw data in Sinatra in URL params present an XSS issue?

I'm running an app with Sinatra/Backbone.
Let's say I visit the page http://localhost:3000/cases/1/read?name=Some%20Guy, which uses the name parameter to display data on the page.
Does this present an XSS issue?
I'm just trying to send data from one page to another through a button click with the param data.
A quick test is to try the URL
http://localhost:3000/cases/1/read?name=<script>alert('foo');</script>
If the script executes and an alert popup appears, then XSS is definitely possible.
Other XSS patterns are possible too depending on where the name value is output.
You should output-encode to prevent this type of attack. The encoding to use depends on the language context of your output (whether it is JavaScript, HTML, CSS, etc.). E.g. " becomes &quot; in HTML, but \x22 in JavaScript and JSON. The correct encoding prevents an attacker from being able to escape out of the context and inject their own scripts. You should also set the charset to UTF-8 to prevent some UTF-7 filter evasion attacks.
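Added example (not the answerer's code, and using only Ruby's standard library rather than any Sinatra helper): the same untrusted name parameter encoded for the two output contexts the answer names. In an HTML context the quote becomes &quot;; in a JavaScript string literal it becomes \x22, and every other non-alphanumeric character is treated the same way, so the value can neither close the quote it sits in nor the enclosing script element. The two render functions are constructed stand-ins for a view; their names and the emitted markup are assumptions.

```ruby
require "cgi"

# Added example: context-aware output encoding of an untrusted query parameter.

# HTML text/attribute context: entity-encode & < > " and '.
def encode_for_html(value)
  CGI.escapeHTML(value.to_s)
end

# JavaScript string-literal context: \xHH for Latin-1 code points, \uHHHH for
# the BMP and \u{H...} above it. Only [A-Za-z0-9] pass through unchanged.
def encode_for_js_string(value)
  value.to_s.gsub(/[^A-Za-z0-9]/) do |ch|
    cp = ch.ord
    if cp < 0x100
      format("\\x%02X", cp)
    elsif cp <= 0xFFFF
      format("\\u%04X", cp)
    else
      format("\\u{%X}", cp)
    end
  end
end

# Constructed view that reflects `name` into HTML text. The explicit UTF-8
# charset matches the answer's advice against charset-sniffing (UTF-7) evasion.
def render_html(name)
  "<!DOCTYPE html><meta charset=\"utf-8\"><p>Hello, #{encode_for_html(name)}</p>"
end

# Constructed view that reflects `name` into a JS string inside <script>.
def render_script(name)
  "<script>var visitor = \"#{encode_for_js_string(name)}\";</script>"
end

if __FILE__ == $PROGRAM_NAME
  probe = "<script>alert('foo');</script>"   # the answer's own quick-test input
  puts render_html(probe)
  puts render_script(probe)
end
```

Run with the answer's test value, the HTML rendering contains no <script at all and the script rendering contains exactly one closing script tag, its own; the reflected text is displayed literally rather than executed. Which encoder to call is decided by the template position the value is written into, never by inspecting the value.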
Not necessarily. It all depends on how the data is shown to the user. If you keep in mind that the data can be wrong and, for example, escape the string before output, it will be OK.

DotNetNuke Event Logging format

Using DotNetNuke 5.
I am using the EventLogController along with LogInfo to add custom messages to the event logs in DotNetNuke.
Within LogInfo we have a method to add a property/value. I am under the assumption that Controller.AddLog(logInfo) converts the properties and values into XML using the LogInfo->Serialize method for DNN to store it.
My problem is that I want line breaks in my message. Is there any way I can add a newline? "\r\n" wouldn't work, and CDATA escaping wouldn't work either. Everything gets escaped through the Log function.
How do I pretty-print the log message myself?
Regards, V
Sadly, due to the HTML encoding that is done on all messages, you are going to be out of luck trying to do this in the DNN Event Log.
Depending on what/where you are, you have a few options.
You can add them as individual detail lines using properties; see my example below.
You could report on something yourself, using a custom log table or something similar.
If you are in the context of a Scheduled Job, you can log to that history, which is NOT escaped.
Examples
Log Properties
// Build a log entry whose message is carried as a named property (one detail line per property).
var objLog = new DotNetNuke.Services.Log.EventLog.LogInfo();
objLog.AddProperty("SecureMyInstall", "Phase 2 Error Processing User Accounts");
objLog.LogTypeKey = DotNetNuke.Services.Log.EventLog.EventLogController.EventLogType.HOST_ALERT.ToString();
// The controller that writes the entry; it was not declared in the original snippet.
var objLogger = new DotNetNuke.Services.Log.EventLog.EventLogController();
objLogger.AddLog(objLog);
The content of the logs is displayed as HTML, so you should be able to put <br /> to add line breaks.
