Mailto body, special characters? - mobile

I'm trying to have a mailto: body with multiple paragraphs and a URL. I should probably note this is for a mobile web application.
Is there a reason why I can't use \n (even inside JavaScript strings) for new lines? Instead, I'm using %0D%0A.
I'd like to enclose my URL in <>'s so email clients can properly identify it as a URL, but when I try to do that the entire URL doesn't show up at all in the body. Is it being escaped, or something? How do I fix this/use <>'s to wrap it?
Thanks!

Have you tried encoding the values with JavaScript?
e.g.
<a href="demo#email.com?subject='+encodeURI('emailSubject')+'&body='+encodeURI('emailBody')+'">

Related

$http.post URL is getting trimmed off if URL has "#"

I have a REST API: /myApp/fetchData/User-Name/Password. User-Name and Password will be changed based on the request.
When I call the above REST API like this:
/myApp/fetchData/srikanth/Abcdef#g123
the request is going like this:
/myApp/fetchData/srikanth/Abcdef
Basically, the text after the # character got removed from the URL. Is there any way to solve this?
Thanks,
Srikanth.
In a URI, the # begins the "fragment" and ends the path. The fragment usually specifies a portion of the resource identified by the path.
When you are posting the request from the client, you have to escape special characters. Your request should be:
/myApp/fetchData/srikanth/Abcdef%23g123
There are different ways of escaping URLs, like the encodeURI or encodeURIComponent functions in JS. For example, you may do:
var request = "/myApp/fetchData/srikanth/" + encodeURIComponent("Abcdef#g123");
Then the server has to decode it back to the original request.
But: are you sure it is a good solution to send the password plain in that way?
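The fragment behaviour described in this answer, and the mailto: encoding asked about in the first question, as an added JavaScript example that is not code from any of the posts. The function names, the http://localhost base and the example.com values are constructed for illustration.

```javascript
// Added example; function names and sample values are constructed.

// mailto: percent-encode each field separately. RFC 6068 wants body line
// breaks as %0D%0A, so normalise every newline to CRLF before encoding.
function buildMailto(to, subject, body) {
  const crlfBody = body.replace(/\r\n|\r|\n/g, "\r\n");
  return "mailto:" + encodeURIComponent(to).replace(/%40/g, "@") +
    "?subject=" + encodeURIComponent(subject) +
    "&body=" + encodeURIComponent(crlfBody);
}

// Place an arbitrary value into ONE path segment: '#', '?', '/' and '&'
// must all be escaped, which encodeURIComponent does and encodeURI does not.
function appendPathSegment(basePath, value) {
  return basePath + encodeURIComponent(value);
}

// What an HTTP client puts on the request line: path and query only.
// The fragment (everything from the first raw '#') stays in the client.
function requestTarget(relativeUrl) {
  const u = new URL(relativeUrl, "http://localhost"); // constructed base
  return u.pathname + u.search;
}

const rawPath = "/myApp/fetchData/srikanth/Abcdef#g123";
console.log(requestTarget(rawPath)); // fragment dropped
console.log(requestTarget(
  appendPathSegment("/myApp/fetchData/srikanth/", "Abcdef#g123"))); // kept as %23
console.log(encodeURI("Abcdef#g123")); // '#' is left untouched by encodeURI
console.log(buildMailto("demo@example.com", "Hi & bye",
  "First paragraph\n\n<https://example.com/a?b=1&c=2#top>"));
```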

Angular Routing with an encoded backslash

I am building an invite/registration form for my site. The idea is that one user invites another user, which sends a code with a url to register with. The problem is that the code can have an encoded backslash in it. When that encoded backslash is processed in Angular, it seems to get decoded and ends up busting the routing.
http://localhost:54464/ang/register/owi0%2fCQCrjzBcwqEORVVHhrICIANGKxtxMJ2Kh91y%2bNhhB%2br06appZzEVPhpkP2C
becomes:
http://localhost:54464/ang/register/owi0/CQCrjzBcwqEORVVHhrICIANGKxtxMJ2Kh91y+NhhB+r06appZzEVPhpkP2C
How can I stop this behavior?
Try using a route like:
/register/*code
The code will contain the string with the slashes
source
It is typically used for path-like url arguments...but I don't see why this wouldn't work for your case.

mail clients stripping part of angular url

I am sending a signup activation email containing a signup confirmation url with a confirmation token that points to an angular front end app:
...
Activate
...
Note that the token is a JWT and is fairly long.
This works fine for most users, but for some clicking on the link takes them to https://domain/com only without the confirm-signup?token=...
It seems as though the mail client may be stripping off everything after the #, but I can't find any evidence of others having this problem, nor can I reproduce it.
My best guess so far is that some mail clients are seeing the # and somehow treating the trailing part as an internal anchor and stripping it...?
Has anyone else encountered this sort of problem? If so, have you found any solution short of replacing the whole mechanism with something else?
Some clients treat the hash-link just fine. Others don't. There's a conversation about Outlook being dirty about this here: Outlook strips URL hash from email
What we did to resolve this at our company is simply create a handler on our server that redirects. Your email link would become http://domain.com/email-link?url=https%3A%2F%2Fdomain.com%2F%23%2Fconfirm-signup%3Ftoken%3D1234 and your server side script would grab the query param url and immediately trigger a redirect.
You'd need to make sure that you find all links in your emails and replace them. Here's a PHP function for that, but you could do this in whatever backend language you're using. Regex here may be helpful at least.
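// Rewrite every <a href="..."> in $html so that it points at the redirect
// handler, carrying the original URL percent-encoded in the url parameter.
function replaceLinks($html,$hash) {
    return preg_replace_callback('/<a [^>]*href=[\"\']{1}(.+?)[\"\\\']{1}/', function($matches) use ($hash) {
        return str_replace($matches[1],"http://domain.com/email-link?url=".rawurlencode($matches[1]),$matches[0]);
    }, $html);
}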
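The redirect handler described above forwards to whatever the url parameter holds, so it should accept only targets on the site's own origin. An added JavaScript example of that check, not the answerer's code; ALLOWED_ORIGIN and resolveEmailLink are assumed names, and the framework call that sends the actual redirect is left out.

```javascript
// Added example; names are hypothetical. domain.com is the host used in the answer.
const ALLOWED_ORIGIN = "https://domain.com";

// Takes the path and query of the incoming request and returns the URL to
// redirect to, or null when the target must be refused.
function resolveEmailLink(requestUrl) {
  const req = new URL(requestUrl, ALLOWED_ORIGIN);
  // searchParams.get() percent-decodes once, restoring the '#' and '?'
  // that were encoded to survive the mail client.
  const rawTarget = req.searchParams.get("url");
  if (!rawTarget) return null;

  let target;
  try {
    target = new URL(rawTarget); // absolute URLs only; anything else throws
  } catch {
    return null;
  }

  // Compare the parsed origin (scheme + host + port), not a string prefix,
  // so lookalike hosts and userinfo tricks do not pass.
  if (target.origin !== ALLOWED_ORIGIN) return null;
  return target.href;
}

console.log(resolveEmailLink(
  "/email-link?url=https%3A%2F%2Fdomain.com%2F%23%2Fconfirm-signup%3Ftoken%3D1234"));
console.log(resolveEmailLink("/email-link?url=https%3A%2F%2Fexample.org%2F"));
```

A handler would send the redirect only for a non-null result and answer with an error such as 400 otherwise.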
Yes, I have encountered this issue before because of the #. I was trying to link to an anchor on a landing page. My solution ended up using a short.url service to "hide" the # from the html e.g. https://goo.gl/
Looks like you need percent encoding!
A lot of times when your href gets parsed (by angular in this case) it doesn't handle the special characters right, or strips them. Find your problem characters and replace them with %3F for ?, %26 for &, and %23 for #. The rest are in a chart in the link.
Once the encoded address hits the browser the url will be decoded in your url bar.

Does sending raw data in Sinatra in URL params present an XSS issue?

I'm running an app with Sinatra/backbone.
Let's say I visit the page http://localhost:3000/cases/1/read?name=Some%20Guy that is using the name parameter to display data on the page.
Does this present an XSS issue?
I'm just trying to send data from one page to another through a button click with the param data.
A quick test is to try the URL
http://localhost:3000/cases/1/read?name=<script>alert('foo');</script>
If the script executes and an alert popup appears, then XSS is definitely possible.
Other XSS patterns are possible too depending on where the name value is output.
You should output encode to prevent this type of attack. The encoding to use depends on the language context of your output (if it is JavaScript, HTML, or CSS, etc.). e.g. " becomes &quot; in HTML, but \x22 in JavaScript and JSON. The correct encoding prevents an attacker being able to escape out of the context and inject their own scripts. You should also set the charset to UTF-8 to prevent some UTF-7 filter evasion attacks.
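The context-dependent encoding this answer describes, as an added JavaScript example that is not code from the post or from Sinatra. The encoder and render function names are hypothetical; the probe string is the one from the test URL above.

```javascript
// Added example; all function names are hypothetical.

// HTML body or quoted-attribute context: neutralise markup characters.
const HTML_ENTITIES = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
function encodeForHtml(value) {
  return String(value).replace(/[&<>"']/g, ch => HTML_ENTITIES[ch]);
}

// JavaScript string-literal context: escape everything except letters,
// digits and spaces as \xHH (or \uHHHH), so the value cannot close the
// quote or the surrounding <script> element.
function encodeForJsString(value) {
  return String(value).replace(/[^A-Za-z0-9 ]/g, ch => {
    const code = ch.charCodeAt(0);
    return code < 256
      ? "\\x" + code.toString(16).toUpperCase().padStart(2, "0")
      : "\\u" + code.toString(16).toUpperCase().padStart(4, "0");
  });
}

// The same request parameter rendered into two different contexts.
function renderGreeting(name) {
  return "<p>Hello, " + encodeForHtml(name) + "</p>";
}
function renderInlineScript(name) {
  return "<script>var name = '" + encodeForJsString(name) + "';</script>";
}

const probe = "<script>alert('foo');</script>"; // value from the test URL
console.log(renderGreeting(probe));
console.log(renderInlineScript(probe));
```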
Not necessarily. It all depends on how the data is shown to the user. If you keep in mind that the data can be wrong and, for example, escape the string before output, it will be OK.

W3C validation - unable to pass arrays in href

I am using w3c validator with html5. I have an array afilter[]=abc I am passing in the href and I have tried escaping the brackets as follows:
<a href='slideshowform.php?x=y&afilter[]=abc'>phases of matter</a>
But I am still getting the error:
Bad value slideshowform.php?x=y&afilter[]=abc for attribute href on element a: Illegal character in query component.
How can I pass an array without getting errors - or did I escape the brackets incorrectly?
You have to URL encode it, not HTML encode it. Your URL would have to look like the following:
slideshowform.php?x=y&afilter%5B%5D=abc
Most programming languages have stuff like this built in (e.g. rawurlencode() in PHP or encodeURI in JavaScript) or you can simply use an online service like (no affiliation, just one of the first search results) http://www.url-encode-decode.com/
Of course it’s a good idea to encode the HTML reserved characters for outputting the link in an HTML document as well. So you’d end up with the following URL within your HTML document.
slideshowform.php?x=y&amp;afilter%5B%5D=abc
