In application I'm testing the authenticity token is changed after user logs in - so I have to extract the token twice (once while login in, second after login). I use the Regular Expression Extractor.
At first time (during login) it works fine.
At second time (after login) it does not extract the new token - subsequent POST is sending given Reference Name (from Regular Expression Extractor) instead of extracted token.
I use different reference names in both extractors. Both pages have the same source and the tokens are defined in the same way:
<meta content="authenticity_token" name="csrf-param" />
<meta content="g/bsiegqqexUreoJdRbogKSpw6ZJ7O86fEUPESolrpc=" name="csrf token" />
So I use the same regular expression in both cases:
name="authenticity_token".*value="(.+)"
But, as I said, it works only for the first token.
Any help appreciated and thanks in advance
Simply don't use regular expressions to parse HTML. Any slight markup change in response, line break, whitespace, attributes order change, etc. and you get nothing.
You have two pretty PostProcessors designed for working with HTML response types:
CSS/JQuery Extractor
Relevant configuration will look like:
CSS/JQuery Expression: meta[name=csrf token]
Attribute Name: content
XPath Extractor
XPath Query will look something like://meta[#name='csrf token']/#content
If your response is not XHTML-compliant you may need to tick Use Tidy (tolerant parser) box
Related
So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say, I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
toHtml = text
.replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
.replace(/\\n/g, "<br>")
.replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>")
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter this strings themselves, and that would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execut malicious code, even if the string in the server contains <script>malicious code</script>, right?
My problem is that at some point I expect users to be able to enter this strings themselves
So, Do we have a form input for the users to enter the string which you mentioned in the post ? If Yes, My suggestion is that you can sanitize the user input at first place before passing to the backend. So that in backend itself no malicious code should be stored.
Hence, By using string.replace() method. You can first replace the malicious tags for ex. <script>, <a, etc. from the input string and then store that in a database.
Steps you can follow :
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all the occurrence of the characters available in the string as per the blacklist regex with the empty string.
Store the sanitized string in database.
So that, You will not get worried about the string coming from backend and you can bind that via v-html without any harm.
I am testing the photos.batchGet endpoint.
Per the API docs, it takes two URL parameters "view" and "photoIds". When I try the photoIds parameter, the request only works with one photoId. Using multiple photoIds fails.
I tried using a delimeter between the photoIds in the string (by using a comma, pipe, and space). I also tried not using a delimeter at all. Not using a delimeter returns a response for the last photoId in the string, but not for any of the other photoIds. In short, none of my requests appear to be working. Am I doing something wrong?
Also, depending on server configuration, I think it's recommended for the URL length to be under 2,000 characters. Anything above 30 photoIds would create URLs longer than this.
That being said, maybe it would be better to make this a POST request that accepts a JSON request body? Just a thought, but think this would be better suited. A lot of our tours are above 30 scenes, and we even had a tour with 700 scenes!
The description of the batchGet function was updated. Per the documentation you should pass photoIds as a string and the URL query parameter should be photoIds=<id1>&photoIds=<id2>.
I have xml that looks like
<AddResponse xmlns="http://www.test.com/webservices">
<ServerName>51</ServerName>
<Response Type="ERROR">
<ErrorDesc Type="VALIDATE" Number="215">We are sorry, that number is already in use. If it is your mobile number, we need to verify it with you. Please complete the one time verification by submitting your request at Contact Us using the keyword MYMOBILE</ErrorDesc>
</Response>
<ExternalInfo>
<![CDATA[?]]>
</ExternalInfo>
</AddResponse>
But when this is deserialized, it is returning just "using the keyword MYMOBILE" as ErrorDesc instead of the whole
We are sorry, that number is already in use. If it is your mobile number, we need to verify it with you. Please complete the one time verification by submitting your request at Contact Us using the keyword MYMOBILE
Can you please let me know why its omitting the first part and how to retain it?
Note: this works fine for rest of xml data that doesn't have html tags in it.
I imported the webservice and did my first transaction passed. I see the request and reply xml
Now I want to extract ton of field values from the reply xml that I got and need to pass into Request xml.
For one field I know how to do that. I use Xpath Extractor to extract like this
//*[local-name()='Data']/text()`.
In the next action, I can just use as ${Data} which is working fine.
But I need to extract the text content from ton of fields that need to be passed into the next action.
How to do that using Xpath Extractor?
If your XPath query matches multiple /Data/text fields they will be caught as
TEXT_1=first match
TEXT_2=second match
etc.
If you need to combine results from different queries it can be done via pipe sign - | like
//*[local-name()='Data']/text()` | //*[local-name()='Something else']/text()
In this case result will go to the single variable.
Third option is using as many XPath extractors as needed.
See XPath Tutorial for general language reference and Using the XPath Extractor in JMeter guide for more tips and tricks.
I am wondering if it is possible to prevent YQL from URL encoding a key for a datatable?
Example:
The current guardian API works with IDs like this:
item_id = "environment/2010/oct/29/biodiversity-talks-ministers-nagoya-strategy"
The problem with these IDs is that they contain slashes (/) and these characters should not be URL encoded in the API call but instead stay as they are.
So If I now have this query
SELECT * FROM guardian.content.item WHERE item_id='environment/2010/oct/29/biodiversity-talks-ministers-nagoya-strategy'
while using the following url defintion in my datatable
<url>http://content.guardianapis.com/{item_id}</url>
then this results in this API call
http://content.guardianapis.com/environment%2F2010%2Foct%2F29%2Fbiodiversity-talks-ministers-nagoya-strategy?format=xml&order-by=newest&show-fields=all
Instead the guardian API expects the call to look like this:
http://content.guardianapis.com/environment/2010/oct/29/biodiversity-talks-ministers-nagoya-strategy?format=xml&order-by=newest&show-fields=all
So the problem is really just that the / characters gets encoded as %2F which I don't want to happen in this case.
Any ideas on how this can be achieved?
You can also check the full datatable I am using:
http://github.com/spier/yql-tables/blob/master/guardian/guardian.content.item.xml
The URI-template expansions in YQL (e.g. {item_id}) only follow the version 3 spec. With version 4 it would be possible to simply (only slightly) change the expansion to do what you want, but alas not currently with YQL.
So, a solution. You could bring a very, very basic <execute> block into play: one which adds the item_id value to the path as needed.
<execute><![CDATA[
response.object = request.path(item_id).get().response;
]]></execute>
Finally, see the diff against your table (with a few other, minor tweaks to allow the above to work).