I'm using the Windows Forms WebBrowser control, and getting it to display a document that I create on the fly and set using the DocumentText property. The document that I create references a script file in the same directory as my executable. Trouble is, when the WebBrowser control displays the page, the scripts aren't enabled.
Now I know that IE7 introduced a new security feature that impacted on this scenario. I remember having to do something about setting a FEATURE_BLOCK_LMZ_SCRIPT key somewhere in the registry under the IE Key, but I can't figure out exactly where. Does anybody have instructions for this.
Even better, is there a way of enabling my Scenario without changing the registry? I don't really want to have to supply an installer with my executable.
Please check the Mark of the Web.
You will need to mark your "page". Just after the html tag, put in:
<!-- saved from url=(0020)http://www.test.com/ -->
0020 is the length of the following url (including /)
This make sure the page you are viewing will be run in the internet security zone, thus, unless set otherwise, have script enabled.
Related
I have many legacy web pages (written in ASP) that are using an ActiveX control to provide programmatic spell checking functionality (these pages programmatically validate that the user has performed at least one spell check by interrogating the ActiveX object, before allowing the user to move on).
These pages all work fine currently when accessed by the enterprise nominated browser (IE). They don't work when browsed to using another application which embeds the ASP pages inside a WPF WebControl. Specifically, I see the following at the top of the browser window:
Is it possible to get this to work? My constraints are that I cannot re-write the legacy pages into modern tech.
What I have tried:
Putting the site in the trusted zone.
Disabling a mad-scientist amount of IE FeatureControl registry entries:
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet
Explorer\MAIN\FeatureControl\FEATURE_RESTRICT_ACTIVEXINSTALL]
among others. Perhaps I have missed the magic combination?
Notes:
If I right-click the page, it says it is in the trusted zone and it also says Protected Mode is Off.
Whenever i create a contact form in my Joomla! 3.3.6, some script appears in the the page's HTML code that contains many words Joomla in it. I'd like to change those Joomla words and replace them with another words (i.e. Foo) for some security issue. I'd like to know whether or not i'm able to do so and how.
That script is:
<script>(function(){var strings={"JLIB_FORM_FIELD_INVALID":"\u0641\u06cc\u0644\u062f \u0646\u0627\u0645\u0639\u062a\u0628\u0631: "};if(typeof Joomla=='undefined'){Joomla={};Joomla.JText=strings;}
else{Joomla.JText.load(strings);}})();</script>
I have no idea whether a plugin or an extension creates it or not.
Thank you
Regards
This script seems to be translating some text required for the form to use in its javascript, eg validation messages. It does this using a javascript version of JText, which is part of core Joomla. There is some info on how that works here. Weirdly, there seems to be little information in the official Joomla documentation about it.
The main JText function it is calling appears here: media/system/js/core.js
I'm sure it would be possible to write a plug-in to remove this script before the page is rendered and then to translate any untranslated text with your own scripts. However, I'm not sure I see any security benefit in doing this so it seems a waste of time.
Ultimately, someone sniffing a site for what it is built in is far more likely to see if core files exist by going direct to places like media/system/js/core.js, rather than to scan the code for the word "Joomla" - which would trigger a lot of false-positives (any site which just mentions Joomla) and negatives (any page which doesn't have a form on it). It also does not reveal the version of Joomla, which is the info a hacker would more likely be after.
I think you have to search for the script (i.e via Notepad++) in the whole directory. It must be a plugin for the contact form that has some inline script in it.
also do you use any special third party plugin or so? that might be the source of it.
PS: also i had some similar experience, i don't know exactly how i got rid of those words, but like you, i wanted to do that to hide the fact that i'm using joomla for security.
Its actually Joomla who add this, from the file: Joomlainstall/libraries/joomla/document/html/renderer/head.php
And load it globaly from:
Joomlainstall/libraries/cms/html/formbehavior.php
The developer ad that code by using the function, JText, for an example:
JText::_( 'COM_CONTACT_EMAIL_FORM' )
In my case it was the plugin ContactUs Form who add the javascript. If JText is not used, it is not loaded. If I disabled the plugin, the javascript was then not loaded. If you have that plugin enabled, my be try an other contact form?
For security reson it is bad programming by the developer off Joomla, for sure.
Background
I have to migrte a existing javascript application (one page app) to extjs. The display and behavior of the application depends on the users permission.
Current design
The application is divided into plugins, which represent a feature set to which permissions are granted. Each of those plugins consists of a single javascript file. A user can have permissions for one or more plugins. Depending on the permissions, those files are loaded in the head of the page. Each of these plugins will add its entries to the main menu and expose the methods used to drive the application.
The permissions are stored in a mysql database.
ExtJs's default design
In ExtJs the source files contain each a class. During the build process, all .js files are concatenated to yield one big .js file, that contains everything.
What would be the best design approach?
I considered to use custom compilation with sencha cmd, and create that way a .js file for each plugin. Then I could load these plugins the same way I do it now. But this results in a complicated build and deployment process.
I also thought about creating one and only .js file with a standard Ext build process. I would then load the permissions from the server via ajax in order to construct the menu. All the objects and methods would exist, but only those are accessible where the user has permissions.
In my opinion, the second approach is much easier maintainable, but it seens to have a security problem, because everyone could look at the source and find out about the data interfaces exposed on the server and consumed by ajax.
Any comments, ideas or advices are welcome. Thanks !
Number two would be the way to go. If you keep your server side permissions in check (while updating data etc) you only need ExtJS to show/hide menu items based on permissions. That way, malicious users can turn certain plugins/items on or off, but they can never execute something that requires more permissions then they would normally have.
I'm trying to make a custom column (for a custom list), where the users can upload files without overwriting the previous - this way they can keep past versions of the files and upload newer ones and the new ones append. There already exist "append only" comment columns and file upload columns that I can see.
I'm working with Sharepoint designer 2007 (2010 doesn't work with the site), and I'm referencing this code I found online somewhere (http://pastebin.com/raw.php?i=0qN89meu), trying to research the Sharepoint documentation on MSDN. I can open the site in designer, but don't know where to go from there (it's already running on a web server, not opening it locally).
I'm just not clear on how to start, I thought there'd be a simple "right+click -> new column" feature but I can't find it. If someone could point me in the right direction to where I could start creating columns on the site, that would be great. Thanks!
An untested idea :
Create a document library with a lookup column to the custom list.
Create an event receiver (ItemAdded and ItemUpdated) than will take the attached files and move them to the other list (with the correct lookup value). --> Code with Visual Studio
Grant to this document library only read permissions.
Adapt the view to display the related documents in the dispform of the custom list.
Advantages:
this seems to answer to your need
you gain all the usability of a document library (nothing prevent you to grant edit rights to other users, force check out, etc.)
Disadvantages:
you have to play with lookup. Can be tricky sometimes, if you play with features
you split one business entity to two entities. You will have to deal with cascading delete (if you need it).
I have a Silverlight solution that has multiple silverlight projects (Views) that all compile to their own .Xap file.
There is one "master" project that handles the dynamic downloading of the Xap files, which works pretty well.
But now I need to make sure that all the references are set to CopyLocal=false in all the View Projects. Only the "master" project can have CopyLocal=true.
This means that the Xap files generated by the Views stay rather small.
What I would like to do is check post or during the build process to see if any of the View projects have a reference with CopyLocal=true.
What would be a smart way of doing this? Using an external tool in the Post Build event? Or perhaps an addin for Visual Studio ? Or creating a macro in Visual Studio for this?
I have looked at using .extmap with assembly caching, but since you have to specify the assemblies in that, this does not solve my problem. I just need to know if there is a reference with the wrong setting and report that. Fixing it is not the question, that will still be done manually. It's just the notification I need.
Solution has 35 projects now, so dont want to check them all by hand every time.
I found a question similar to this one, but it lists msbuild as a possible solution. I would like to know if there is a way to do this using "code" (be it prebuilt in a tool/addin or otherwise)
I have chosen to go the Addin path. I created an addin that listens to : BuildEvents.OnBuildBegin
Whenever that event fires I create a list of all projects in the current solution. Doing a bit of recursive searching since there are also Solution folders that make life in DTE world a bit harder.
Then I loop through all the projects and cast them to a VSProject so I can loop through all the references.
Anytime I come accross a reference that is wrong, I create an ErrorTask where I set the Document property to the full solution path of the reference. To do this I Build the path for the project this reference is in, all the way up to the root of the solution.
The ErrorTask is then sent to an ErrorListHelper class I created, that handles the ErrorTasks and also performs navigation.
If I'm done with all the projects and I found any errors, I cancel the current build and show the Error List window, where my ErrorListHelper holds all the Reference Errors I created.
Whenever I want to navigate to the Reference in question, I activate the Solution Explorer window and get the root of it using an UIHierarchy.
Then I walk the path from the root on down, step by step, using the UIHierarchy to get to the UIHierarchyItems and expand them. Until I get to the deepest level (the reference) and I Select that.
Since I only need it for a certain solution and within that solution for certain projects (.Views.* and .ViewModels.*) I also have some checking for those in place during buildup of the Error List.
It works like a charm, already found 12 "wrong" References in 35 projects where I tought all were well.
I am using a different path now to do this. I have a base class that I can use to write unit tests that have access to the DTE2 object. This way I dont need an addin. This also works for Silverlight projects since the test class does not actually need access to the Silverlight projects, just being in the solution is enough to be able to iterate through the projects and check the references.