I'm using Google Docs Viewer (https://docs.google.com/viewer) to display the contents of documents in my app. I support many different types of document (e.g. PDF, Microsoft Word, Plain Text, HTML, etc.). Everything works well except for HTML. Google Docs Viewer treats HTML as text and displays the source.
Is there any way to get Google Docs Viewer to render the HTML?
Here's an example:
https://docs.google.com/viewer?url=http%3A%2F%2Fwww.google.com&embedded=true
Instead of rendering the Google home page, it shows the HTML mark-up.
I'm hoping I can use the Google Docs Viewer for all types of documents and not have to treat HTML differently.
Imagine an attacker uploads an HTML file of google's sign page
Makes the html public and sends it over the email to your gf with the subject
Flash Fashion Sale Discount Coupons
Your gf will obvious click the link and won't be surprised to see Fake google sign in page on a docs.google.com domain .
She will convincingly enter her real credentials and will be redirected to attacker's server and then some real google docs page to remove suspicion.
So to prevent users from phishing attacks google stopped rendering HTMLS
source
Related
I have a document in my Google drive, which I want somebody else to download from a Google Sites website I have created. But I don't want the person viewing the document to know my identity, and I don't want to be able to know the identity of anybody viewing the document. This is because the document is part of a paper submission to an academic conference, where the reviewers will be downloading and viewing this document, and the conference requires strict anonymity between the authors and the reviewers.
I have created a public link to the document on my Google Sites webpage, so that anybody who visits the webpage can download the file. And I have tried logging out of my Google account, and downloading the file, which shows no sign of my name. But I would just like to double check that if anybody downloads this file, they will definitely not be able to know my identity (e.g. my Google account name). I know that there may be ways to find out the document's author by looking in the meta-data, but I have been careful with this already. I am specifically interested to know if there is any loss of anonymity by sharing the link through Google Drive.
Here are the specific steps I took to make the document available for download:
Created a Google Sites webpage
Created a document called "test_document.pdf"
Uploaded this document to my Google Drive
In Google Drive, after clicking on this document, I did Share->Get Link->Anyone on the internet with this link can view->Copy link.
In my Google Sites webpage, I create text saying "Download document here"
After highlighting this text, I clicked on "Insert link".
I then pasted the link from before.
When viewing the webpage, you can then click on the "Download document here" text, and it downloads the document, and saves is as file "test_document.pdf".
I have found the answer myself, which is Yes, downloading a document from Google Drive can reveal the document's owner. If you open the document within the Google Drive environment, and then click on the three buttons, then click on Details, it reveals who the owner is. If you just download the file without inspecting the details within Google Drive, then it doesn't reveal the owner, but I don't know how to force a direct download without allowing somebody to open the file within Google Drive.
I want to use google drive to store the files, but allow the users of my website to be able to edit them transparently, so that they don't have to go to google drive's website.
Is this possible with the current API? Thus far I have only seen how to create an app for them to install in google drive, or doing something like DrEdit (https://developers.google.com/drive/examples/), which parses the files to JSON and uses the ACE editor, which is definitely not what I want.
EDIT:
I believe it is not possible to do this with Google Drive, I've decided to go with Zoho Docs instead.
Yes it's possible. The biggest consideration is how much formatting you want to support. Eg. if it's plain text, it's very simple. If you want to support character or layout formatting, it becomes more complex.
I don't believe its possible to embed the editor (or even embed a preview!) using an iframe, because if you look at how the google docs page loads, it first redirects you to the login page, and that automatically logs you in if you are already logged in, and redirects you back to the docs editor.
This means that the iframe would have to at least pass through the login page, even if the user doesn't need to enter anything. However, google's login page has the x-frame-option header set to SAMEORIGIN (or deny?), and thus, the browser refuses to display it, and thus you can't actually get logged in!
The only way I've found to enable just preview embedding (not editing), is to publish the document first (via the File->publish to web menu item).
I just had an idea to have a collaboratively worked-on public Google Drive document's contents displayed on my Web site. I was hoping this would be straightforward, as I am only going to extract simple text and the document is public, so no authentication shenanigans will bar my way.
I have looked at Google Drive REST API, but turns out I can only get file metadata and/or the entire document file. Not just the document content.
I do not wish to spend a day coding to do this, I thought it would be nice to have, but can live with just linking into the file directly from my Web site. Anyone tried this before? Anyone experimented with Google Drive API and has a feel for how much work would be involved?
If you are thinking of getting the content of a native Google document (like a Google spreadsheet or a Google doc), this is currently possible with the Drive API.
In the Drive API, for Google native document types you will have a series of 'exportLinks' as part of the metadata of the file. Each of these export URLs allow you to download the content of the Google document in a specific export format (like RTF, plain text, HTML, PDF etc...). Updating my answer...
See the documentation for this: https://developers.google.com/drive/manage-downloads#downloading_google_documents
I have made an html form. What i want to happen is when the user clicks submit for the page to be emailed as a pdf (like the pdf that comes up if you print the webpage). I've been looking a all sorts of script but nothing seems to do what I want.
You will have to have a server-side component that takes the values, creates the PDF, and then e-mails it appropriately.
You'll be surprised to hear that not all browsers can easily make pdfs out of web pages. Hence, there is no universal JavaScript command that simply taps into a browser's capabilities. That leaves you with options:
Generate the pdf on the server (using, say, pdfbox, and send the email right from the server (using good old sendmail).
Generate the pdf on the server, have the user download it, and then transfer it all to his email client. (Might just work, see on Stackoverflow).
Generate the PDF in the browser, cross-platform. There are some Javascript-only libraries that can generate PDF.
Use Safari's PDF capabilities. Safari can make PDFs just in the print dialog. Explain that to your users and call window.print().
Our software manages libraries, museums, archives etc. We'd like to let the users (namely the catalogers, not the visitors) add some embedded content such as Google maps, YouTube videos etc. We'd like the solution to be as flexible as possible, as each embedded content provider has it's own format. OTOH, we'd rather not allow the users to enter raw HTML, as this will impose both a XSS security risk and in case of erroneous HTML might screw up our surrounding web page.
I started looking into Google Maps today, and couldn't find a way to handle it. I don't want to let the users just copy the embedding HTML snippet into an item; I can't embed the link URL provided, as Google won't allow it; and I can't let the user specify the coordinates, as I don't want to use the Google Maps JS API (which means providing a built-in solution which we'll have to maintain).
The question in not specifically about Google Maps, but Google Maps is quite representative. I'd love to hear suggestions for a flexible-yet-secure HTML embedding technique.
Thanks,
Eran
Would Caja work for you?
Caja (pronounced "KA-ha") is "virtual
iframes": it allows you to put
untrusted third-party HTML and
JavaScript inline in your page and
still be secure. Caja
gives stricter control over what the code can do:
no redirects to phishing pages: the window object the untrusted code has is a fake one created by the containing page
no malware: all requests to URLs are proxied
no XSS: dynamic HTML sanitization
allows the untrusted code more power than is safe to give to code currently in iframes. Here are some possibilities:
floating frames ("info windows")
frames don't have to be rectangular
frames can communicate without the current awkward protocols
a reader could broadcast geographic information about the current article; a maps gadget jumps to the location, while a news gadget gets local stories and a weather gadget pulls up the weather
similarly for financial info or entertainment info
an extensible syntax highlighter could have plugins that can mark up text but not leak the contents to another website
can be a bit channel (can only send information) or a code channel (can send functions)
hosting page can control who talks to whom
markdown or other lightweight markup language for markup; custom macros for embedding allowed snippets (see like it is done on wordpress.com to embed youtube videos)