Struts2 JQuery grid JSON result hijacking - json

I am using the Struts2 jQuery grid in my current project. The dataType used in the jQuery grid is json. Everything works like a charm. There was a security audit of my application and they pinpointed the JSON hijacking vulnerability. I searched the internet for mitigating JSON hijacking in general and for the solution in Struts2. I found quite good documentation:
Json Hijacking
Prevent Struts2 from JSON Hijacking
I used the prefix param set to true in the json result type in struts.xml. All is working fine, I got the JSON data prefixed with {}&&. As described in Link 2, this is used to mitigate JSON hijacking.
The problem I faced is that jQuery Grid is not able to load data.
My struts.xml:
    <action name="myjson" class="action.JsonTable">
        <result type="json">
            <param name="prefix">true</param>
        </result>
    </action>
The grid is not able to populate. When I remove <param name="prefix">true</param> from the action definition, everything works fine. But it is vulnerable :(
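One way to keep the prefix on the server and still let the grid read the response, as an added example that is not from the question or from the Struts2 jQuery plugin: strip the {}&& prefix in jQuery's dataFilter hook, which runs on the raw response text before the JSON converter and before the grid's reader sees it. The jqGrid ajaxGridOptions wiring in the trailing comment and the myjson.action URL are assumptions.

```javascript
// Added example: Struts2's json result with <param name="prefix">true</param>
// emits "{}&&" ahead of the JSON body. The grid's JSON reader cannot parse
// that, so the prefix is removed client-side inside an XHR before parsing.

const HIJACK_PREFIX = '{}&&';

// Remove the Struts2 anti-hijacking prefix, if present, and return clean JSON text.
function stripJsonHijackPrefix(text) {
  const trimmed = text.replace(/^\s+/, '');   // tolerate leading whitespace
  return trimmed.startsWith(HIJACK_PREFIX)
    ? trimmed.slice(HIJACK_PREFIX.length)
    : trimmed;
}

// Parse a (possibly prefixed) response body into an object.
function parsePrefixedJson(text) {
  return JSON.parse(stripJsonHijackPrefix(text));
}

// Why the prefix helps: a bare JSON array is also a valid JavaScript program,
// so loading the URL as a <script> would execute it, whereas "{}&&[...]" is a
// syntax error and never runs. Only an XHR that strips the prefix can use it.
function compilesAsScript(text) {
  try {
    new Function(text);
    return true;
  } catch (e) {
    return false;
  }
}

// Constructed sample of what the prefixed action returns to the grid.
const SAMPLE_BODY =
  '{}&&{"page":1,"total":1,"records":2,' +
  '"rows":[{"id":1,"name":"a"},{"id":2,"name":"b"}]}';

// Wiring into the grid (assumption: the plugin exposes jqGrid's ajaxGridOptions,
// which are passed through to $.ajax, where dataFilter receives the raw text):
//   $('#grid').jqGrid({
//     url: 'myjson.action',
//     datatype: 'json',
//     ajaxGridOptions: {
//       dataFilter: function (data) { return stripJsonHijackPrefix(data); }
//     }
//   });
```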

Related

Restfullyii prepending <link> tag to the json response

Hi, I'm new to RESTFulYii.
I'm having a problem with the JSON response: a tag is being prepended.
Refer to the code below
(just assume that there are '<>' for the link tag)
<link rel="stylesheet" type="text/css" href="/assets/e5ba1689/srbac.css" />{"success":true,"message":"Record(s) Found","data":{"totalCount":1,"share":[{"id":"0","elementid":"1","type":"video","suid":"1","duid":"5","permissions":"superuser"}]}}
This is coming from api/ under the GET method, and the same with the other REST verbs.
I can't parse my JSON data because of the prepended line.
Please help.
reference:
localhost/api/ - method: GET/POST/PUT/DELETE
Everything is working fine with RESTFulYii except that JSON response format...
Thanks in advance!
Ohmel Paguirigan
The problem seems to be that Yii is not recognizing that your request is an actual Ajax request.
Search in srbac/components/Helper.php for:
    if (!Yii::app()->request->isAjaxRequest){
        Yii::app()->clientScript->registerCssFile($cssFile);
    }
You will notice that SRBAC is checking if your request is an actual Ajax request.
Yoshi on the Yii Forums says that:
yii checks if there is a X-Requested-With HTTP header set (which
should result in an $_SERVER['HTTP_X_REQUESTED_WITH'] server variable)
and whether it contains the string 'XMLHttpRequest'. But this is a
custom header set by most javascript libraries (and so does jQuery).
There are e.g. some proxies which drop these custom headers (mainly
for security reasons) and therefore your application can't recognize
whether it's an ajax request or not. It's not 100% reliable.
Therefore, you must make sure that your JavaScript library is injecting this header.
To do this in JavaScript, in your app.run
add the following:
    $http.defaults.headers.common['X-Requested-With'] = 'XMLHttpRequest';
Then all of your HTTP requests in Angular will send the header Yii needs to discern that an Ajax request is being sent!
Hope this helps!

understanding logic flow Struts

First off, I'm new to Struts and I have been following the tutorial here. I understand the set-up of files and web.xml.
index.jsp:
    <%@ taglib uri="http://struts.apache.org/tags-logic" prefix="logic" %>
    <logic:redirect forward="helloWorld"/>
However, when it comes to the opening of index.jsp, I am at quite a loss. From index.jsp, how does it call the class com.vaannila.action.HelloWorldAction? I know that index.jsp calls the forward=helloWorld, but does it mean that it looks for a forward name="helloWorld", which is in <global-forwards>?
Let me know how I can further improve my question, since this is my first.
Correct; it redirects to whatever forward is named "helloWorld".
In this case, that's a forward that runs an action that sticks a value into a form.
You'll likely want to refer to the Struts 1 tag docs, it'll be quicker than asking here every time.
If you can avoid learning Struts 1, I would: it's pretty antiquated on almost all fronts. Frameworks like Struts 2 and Spring MVC dominate Java-framework-based web apps, while things like Grails, Play, Ruby on Rails, etc. dominate JVM-based web apps.
Line 17 of the config file in the tutorial you link to starts:
    <action path="/helloWorld"
            type="com.vaannila.action.HelloWorldAction"
            name="helloWorldForm">
        <forward name="success" path="/helloWorld.jsp" />
    </action>

Javascript of external iwidget on IBM Connections 4 is retrieved but the events (onView) are not fired

I have an iWidget that is deployed outside the Connections environment.
This iWidget is working in WebSphere Portal 8, the iWidget Wrapper.
The iWidget can be added to a community and the initial text is loaded.
The onView() or other events are never invoked, resulting in the iWidget displaying the initial message and the 'div' never being replaced. I have changed the src of the JavaScript in different ways, the ./javascript one being the latest.
Firebug shows a successful retrieval of the js (widget.xml) through the communities/proxy context root.
This is the iWidget XML:
    <iw:iwidget id="365DocsWidget"
        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
        xmlns:iw="http://www.ibm.com/xmlns/prod/iWidget"
        supportedModes="view edit" mode="view" lang="en"
        iScope="365DocsWidgetScope" sandbox="false" allowInstanceContent="true">
      <iw:itemSet id="pref">
        <iw:item id="documentlist" value="https://fire3ice.sharepoint.com/sites/demo4if/_api/Web/Lists(guid'cca56100-1f15-461b-92f3-d1da80ba1ca8')"/>
      </iw:itemSet>
      <iw:resource src="./javascript/365DocsWidget.js" />
      <iw:content mode="view"><![CDATA[<div id="ROOT_DIV">Hello World, last time this widget was updated: 2013-01-04 16:07:17</div>]]></iw:content>
      <iw:content mode="edit"><![CDATA[<div id="EDITMODE_DIV">Hello Edit World</div><div><input type="button" name="selectDocumentList" value="selectDocumentList" onclick="iContext.iScope().changeDocumentList()" /> </div> ]]></iw:content>
    </iw:iwidget>
The widget.xml is publicly accessible here:
https://eog-fire-ice.appspot.com/365DocsWidget.jsp
This might be caused by the Javascript resource for the iWidget not being recognised as Javascript and therefore not being loaded.
Can you set a Content-Type of application/javascript on the response for the JS file?
I've also seen this when I have a typo in the JavaScript file. Please go through the JavaScript file and make sure there are no missing commas or semi-colons.
There is a mismatch between your XML and JS.
The iScope in your XML is "365DocsWidgetScope".
The object declared in your JS is "J365DocsWidgetScope" (in https://eog-fire-ice.appspot.com/javascript/365DocsWidget.js).
Replacing "J365DocsWidgetScope" with "365DocsWidgetScope" should solve the problem.

How to read <object> <PARAM> properties in ActiveX web control with VC++/MFC

I have an ActiveX control done in VC++/MFC. It embeds into an HTML web page. Now I need to be able to configure it by providing parameters in the HTML tag, like:
The question is how do I read those parameters during my ActiveX initialization? My research revealed that it has to be done through IPersistPropertyBag interface, but I could really use some code examples to figure that out.
Any examples in VC++ please?
Thanks,
Mike
I will answer my own question...
Basically from ActiveX point of view those HTML parameters are "persistent storage" parameters.
So in your HTML file:
    <OBJECT ID="activex1" WIDTH=300 HEIGHT=200
    ...
        <PARAM NAME="ServerAddress" VALUE="192.168.1.1:1234">
    ...
    </OBJECT>
And in your MFC ActiveX control:
    void Cubcam_activexCtrl::DoPropExchange(CPropExchange* pPX)
    {
        ExchangeVersion(pPX, MAKELONG(_wVerMinor, _wVerMajor));
        COleControl::DoPropExchange(pPX);
        // TODO: Call PX_ functions for each persistent custom property.
        // Reads the <PARAM NAME="ServerAddress"> value into m_serverAddress ("" if absent).
        PX_String(pPX, _T("ServerAddress"), m_serverAddress, _T(""));
    }
Interesting; I will have to try the method you describe. The way that I know of to do this is to implement the IPersistPropertyBag interface and implement the Load method.
I haven't used MFC, just ATL, but I implemented this by hand. I will have to look into the solution you provided to see if there are advantages to the underlying approach used by MFC.

Debugging my web app with JSON/Firefox - Firefox handling of JSON?

I'm attempting to debug my web application with Firefox 3. However, when a JSON feed comes from my application, Firefox wants to open the "application/json" in a new program. Is there a way to configure Firefox 3 to handle JSON like regular text files and open the JSON in the current tab?
Thanks.
The JSONView Firefox extension is really nice.
It formats, highlights, etc...
The only drawback is that it requires the mime type to be set to "application/json".
But it is not really a drawback for you, because based on your "answer" (which shouldn't be an answer) your problem is that the mime type is "application/json" and as a result Firefox doesn't know what to do with it and downloads it instead of displaying.
Try the Open in browser extension.
[edit 30.05.2010 - updated the link]
I would look into the preferences > applications list. What application is targeted for "application/*" ?
Apart from that, are you using FireBug? Absolutely essential, since you can look at the headers and response content within the network view.
Consider using a MIME type of text/javascript instead of application/json
I would just use Firebug - it'll let you drill down into a JSON object on its own, along with its other hundred useful features.
What is the content-type of the JSON feed? Sounds like it may be some sort of application instead of text.
Change the content type of the feed to something that is text based and Firefox will no longer try to open it in another program.
Having JSON sent with an application/json mimetype is correct and changing that would be wrong.
text/javascript is considered obsolete.
This is a bit of an old question, but I discovered that Rails' respond_to method (at least as of 3.1) can be persuaded to render in a particular format by adding the query param 'format' to the resource in question. For example:
In the controller:
    def show
      @object = Object.find(params[:id])
      respond_to do |format|
        format.html
        format.json { render json: @object }
      end
    end
In the browser:
    /object/1             # => renders as html
    /object/1?format=json # => renders as json
    /object/1.json        # => also renders as json
No change to the rails app is necessary to cause this to happen. It's Like Magic.