I want to be able to read the cookies from Apache's HTTP_COOKIE string and then add includes based on the contents of that string.
I've got this far:
<!--#set var="cookies" value="HTTP_COOKIE" -->
<p>COOKIES: <!--#echo var="$cookies"--></p>
which gives me a string with all the cookies in it.
Now I want to be able to parse the string for something like Name=Bob.
I thought I'd be able to do this:
<!--#if expr="$cookies = /Name=([a-zA-Z]+)/"-->
<p>Your name is <!--#echo var="$1"--></p>
<!--#endif-->
But it doesn't seem to work. What should I be doing -- or isn't this possible?
This is definitely possible -- see the get_include_var function of mod_include.c.
Perhaps your regular expression needs some tweaking.
Related
I want to forward this URL
https://demo.example.com/page1?v=105
to
https://www.example.com/page1
It's not working if I set so:
But if I remove the ?v= part, it works:
Is there any way to include the ?v= part in this page rule?
The rule you mentioned works only for that exact URL: https://demo.example.com/page1?v=105. If it has any additional query parameter or even an additional character, eg https://demo.example.com/page1?v=1050, it won't match the rule.
If you need to use complicated URL matches that require specific query strings, you might need to use bulk redirects or a Cloudflare worker.
So I have a set of strings, with some "custom markdown" that I have created. My intention is to render these strings as HTML in the frontend. Let's say, I have this string:
This is a string <color>that I need</color> to\nrender <caution>safely in the browser</caution>. This is some trailing text
I would be expecting to get something like:
This is a string <span class="primaryColor">that I need</span> to<br>render <div class="caution">safely in the browser</div>. This is some trailing text
And the way I do it right now is with some basic Regex:
toHtml = text
.replace(/<color>(.*)<\/color>/gim, "<span class='primaryColor'>$1</span>")
.replace(/\\n/g, "<br>")
.replace(/<caution>(.*)<\/caution>/gims, "<div class='caution'>$1</div>")
This works fine and returns the correct string. And then for printing, in the template I just:
<div id="container" v-html="result"></div>
My problem is that at some point I expect users to be able to enter this strings themselves, and that would be displayed to other users too. So for sure, I am gonna be vulnerable to XSS attacks.
Is there any alternative I can use to avoid this? I have been looking at https://github.com/Vannsl/vue-3-sanitize which looks like a good way of just allowing the div, span and br tags that I am using, and set the allowed attributes to be only class for all the tags. Would this be safe enough? Is there something else I should do?
In that case, I believe it will not be necessary to sanitize it in the backend too, right? Meaning, there will be no way for the web browser to execut malicious code, even if the string in the server contains <script>malicious code</script>, right?
My problem is that at some point I expect users to be able to enter this strings themselves
So, Do we have a form input for the users to enter the string which you mentioned in the post ? If Yes, My suggestion is that you can sanitize the user input at first place before passing to the backend. So that in backend itself no malicious code should be stored.
Hence, By using string.replace() method. You can first replace the malicious tags for ex. <script>, <a, etc. from the input string and then store that in a database.
Steps you can follow :
Create a blacklist variable which will contain the regex of non-allowed characters/strings.
By using string.replace(), replace all the occurrence of the characters available in the string as per the blacklist regex with the empty string.
Store the sanitized string in database.
So that, You will not get worried about the string coming from backend and you can bind that via v-html without any harm.
I want to use the value of my variable in Go template as-is but Go is adding extra quotes around it. E.g., for a Go template like
{{.Site}}:{{.Port}}/{{.Path}}
I want to get the output as
Mysite:3000/from/here
but the template is giving me the following instead:
"Mysite":"3000"/"from/here"
So,
How can I fix it (get rid of all the extra quotes or better suspend them all)? See https://play.golang.org/p/uKpgXdLv5gM
Go template also changed "orgId=1&refresh=30s" to orgId=1\u0026refresh=30s, how to avoid that?
Moreover, if I add https:// to the front of my url, the output is truncated. How to fix that as well?
Finally, is it possible to escape "`" within "`"?
As per Go HTML template doc:
HTML templates treat data values as plain text which should be encoded so they can be safely embedded in an HTML document. The escaping is contextual, so actions can appear within JavaScript, CSS, and URI contexts.
The security model used by this package assumes that template authors are trusted, while Execute's data parameter is not. More details are provided below.
It means JavaScript escaping is enabled whenever the go HTML template engine detects that it is within a <script> tag, (i.e., it has nothing to do with whether using regular " or not as the first commenter thinks). So
to get the output as
Mysite:3000/from/here
instead of:
"Mysite":"3000"/"from/here"
Do not wrap it with <script> & </script> tag.
Do the concatenation after template Execute().
Again, with <script> & </script> tag wrapped around, I'm getting:
var url = `"Mysite":"3000"/"from/here"/${othervars}?"orgId=1\u0026refresh=30s"`
vs. without <script> & </script> tag wrapped around it, I'm getting:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
Just what I need.
However, my actual case is that I'm using go HTML template engine to process my .html template files, so I cannot really do the concatenation afterwards, as everything is defined in the .html template file. So, just as Martin Gallagher has shown in his code, for such case, using template function seems to be the only option.
But even that might not be a viable option, as this is what I'm getting out of Martin's code:
var url = "Mysite:3000\/from\/here?orgId=1\u0026refresh=30s"
It is still not exactly what I wanted:
var url = `Mysite:3000/from/here/${othervars}?orgId=1&refresh=30s`
So maybe with such case, it indeed has no ideal solution.
I'm trying to parse my URL with wildcards. The problem appears when I try to parse long strings with a wildcard. For example, my URL looks like this:
http://testapi.com/v1/cards/%s/reissue?DesignId=%s&Comment=%s
and this is my code:
get_object.setRestUrl(String.format(url, card_id, design_id, comment))
When comment = "Something" it works, but when comment = "Something something", it goes on an error and says that it is "Unable to parse HTTP request".
How is it possible to make suitable my code with long strings with wildcards? I know that when typing long string it gives URL that looks like this:
http://testapi.com/v1/cards/1/Block?reasonId=1&comment=Something%20like%20that%20example
Just needed to modify with comment.replace(" ", "%20"), and now it works fine, even when there are no spaces.
Source : https://forum.katalon.com/t/getting-an-error-unable-to-parse-http-request/17685
P.S
If it is not allowed to post answer from another site, I will remove it.
You could try it:
get_object.setRestUrl(String.format(url, card_id, design_id, comment.replace(" ", "%20")))
More information could be found at https://forum.katalon.com/t/getting-an-error-unable-to-parse-http-request/17685
I'm trying to get a web page using vb.net and HtmlAgilityPack with this code:
Dim mWPage As New HtmlAgilityPack.HtmlDocument
Dim wC As New WebClient()
mWPage.Load(wC.OpenRead(mUrl))
My problem is to get text from a table but, when I extract InnerText, i get something like this:
Modificat<!--span-->i dati
instead of (Note that I wrote the same string and below it's displayed correctly):
Modificati dati
I've tryed to use the answer here but it doesn't work in this case (or I wasn't able to make it works)
I noticed that contents changes when I change "User-Agent", so I tryed various "User-Agent" but I never got a perfect text.
So my questions are:
can I use the code that is indicated in the answer to solve the problem?
if not, can I get a perfect text using the right "User-Agent"?
If so, how can I find the right "User-Agent"?
If not, how can I fix the receivedstring?
The response from the server based on a new User-Agent is fully dependent on the server so we will not be able to predict which one will yield the response you're looking for.
But... You will be able to use the HttpUtility.HtmlDecode method to get rid of the encoded HTML and turn it into teh string you're looking for.
To filter out the HTML comment you may need to change the XPath you're using. If you append //text(), you should get only the text elements that match the rest of your expression.