Double encoding of HTML with third party integration tool - encode

We integrate a third-party app, using a javascript code that we need to send an email and name.
This email and name come from a previous step registration form.
Because we need to print on the page that email and name we encode it.
some.survey({
email: "test#test.pt",
name: "Mon & Sons",
properties: {"one":"123","two":"345"}
});
The issue is that the third party before printing is encoding again our string, showing in the browser like: "Mon & Sons".
Does anyone know how to get around this?

Here's a way (based on https://stackoverflow.com/a/784698):
function DecodeHTML(txt) {
var el = document.createElement("div");
el.innerHTML = txt;
return el.innerText;
};
DecodeHTML("Mon & Sons");
//"Mon & Sons"
Edit: watch out for XSS attacks, however. It is possible that the third-party app is doing this to escape any ' into ' and " into ", so you may want to build on the above idea to prevent this, depending on your needs. For example, if you're going to display this information on a HTML page, do so by only setting innerText of an element in that page, e.g. nameelement.innerText = nametext;

sbgib was almost right about how this would work. So, we now output the string as encoded, and decode it with Javascript, before sending it to the external service.
function DecodeHTML(txt) {
var el = document.createElement("div");
el.innerHTML = txt;
return el.innerText;
}
some.survey({
email: "test#test.pt",
name: DecodeHTML("Mon & Sons"),
properties: {"one":"123","two":"345"}
});

Related

Include multiple incoming SMS messages/responses with Twilio functions

I'm working on a project now within Twilio, using Twilio Functions, where I'm trying to set up SMS messaging so that if we receive an incoming keyword, we respond with a specific message, including a URL. The plan is to have multiple incoming keywords, with different responses so if someone sends an SMS to one of our numbers, depending on that key word, we respond with a basic message and a URL. I'm trying to figure out the best way to handle this within Twilio Functions.
I have this working for a single incoming keyword/response, as seen below.
if (incomingMessage.includes('testpark')) {
twiml.message('StartMyParking:\n\nTo start your parking, please click this link: https://blahblah.com');
} else if (incomingMessage.includes('bye')) {
twiml.message('Goodbye!');
} else {
twiml.message('Please check your zone/code and try again.');
}
While that works, I want to add in more incoming words, along with responses, such as an incoming message of 'testpark2' and a response of 'StartMyParking:\n\nTo start your parking, please click this link: https://blahblah2.com'.
Then I would want to include another one with 'testpark3' and a response of 'StartMyParking:\n\nTo start your parking, please click this link: https://blahblah3.com' and so on, all within the same script.
Can someone help me understand how to achieve this?
There are a lot of ways to achieve your desired outcome, but here's the most straightforward to begin with.
Instead of creating an else if statement for every possible keyword, you could define the keyword/response pairs up front using a JavaScript Map.
The keys of the Map will be your keywords, the values of the Map will be your responses:
const keywordResponseMap = new Map([
['testpark2', 'StartMyParking:\n\nTo start your parking, please click this link: https://blahblah2.com'],
['testpark3', 'StartMyParking:\n\nTo start your parking, please click this link: https://blahblah3.com'],
['testpark', 'StartMyParking:\n\nTo start your parking, please click this link: https://blahblah.com'],
]);
const keywords = Array.from(keywordResponseMap.keys());
let keyword;
if (incomingMessage.includes('bye')) {
twiml.message('Goodbye!');
}
else if (keyword = keywords.find(k => incomingMessage.includes(k))) {
const response = keywordResponseMap.get(keyword);
twiml.message(response);
} else {
twiml.message('Please check your zone/code and try again.');
}
Also note that I'm putting the bye case up front because it is more performant than looking for the keywords in the incomingMessage, thus you avoid unnecessarily doing that processing when a user says bye.
You can use find to search for any keyword that is in the incomingMessage, then you can use the keyword that you found to retrieve the response from the map.
If your response will always be the same except for the URL, you could further optimize this by only storing the URL in the map and using string interpolation like this:
const keywordUrlMap = new Map([
['testpark2', 'https://blahblah2.com'],
['testpark3', 'https://blahblah3.com'],
['testpark', 'https://blahblah.com'],
]);
const keywords = Array.from(keywordUrlMap.keys());
let keyword;
if (incomingMessage.includes('bye')) {
twiml.message('Goodbye!');
}
else if (keyword = keywords.find(k => incomingMessage.includes(k))) {
const url = keywordUrlMap.get(keyword);
twiml.message(`StartMyParking:\n\nTo start your parking, please click this link: ${url}`);
} else {
twiml.message('Please check your zone/code and try again.');
}
It is also important to note that I'm putting testpark last in the map because testpark matches to testpark2 and testpark3. If you'd put it first, it would always resolve to testpark even with a user submits testpark2 or similar values.
Also, I'm using the Map type because it guarantees the order in which the keys are returned, which is again important for the previous point.
When you have a lot more keywords and responses, you may have to start looking at a solution to store them externally like a database, and query the database by keyword to resolve the response.
Good luck, we can't wait to see what you build!

How to prevent xss

this is my native url:
127.0.0.1//myweb/home.php?u=daniel
now when I include this type of xss:
127.0.0.1//myweb/home.php/"><script>alert('hacked')</script>?u=daniel
it now appears to be hacked, how can I avoid this type XSS attack ?
ADDED
Here is the other codes: (I do not add the fetching the users the data)
require_once 'core/init.php';
$currentUser = new User();
$report = null;
if(!$currentUser->isLoggedIn()) {
Redirect::to('index.php');
}
You can always use php to filter away all the unnecessary part of the url.
This is your web site so you know what character is useless in your web site.
For example, I know that in my web site, the double quotes/" character is useless in my web site.
So, I can straight away filter out any part with double quotes/" character.
You can get your current url from the following code.
$url = $_SERVER['REQUEST_URI']
Then, you just ignore anything after double quotes character by using explode.
$safe_url = explode("\"", $url);
So, you will just use $safe_url[0] as your url.

Instagram API request single username

I'm using this way to get the username data from Instagram:
https://api.instagram.com/v1/users/search?q=[USERNAME]&client_id=[CLIENT ID]
It works fine, but has a flaw - the username search actually gets ALL usernames starting with the string you set.
Why/How is that happening ?
There is a limit of 52 username results, so is there a way to increase it, because if you search "asdasd" (which is an existing account!) you would get probably a million accounts ?
Is there a work-around, because I want to search for the exact username ?
So it seems there is only this API for this functionality. You can simply use this workaround: make your request as you are doing it right now, then you can filter out the single item you need. You can iterate through the list of users, and only keep the one, where the username is exactly the same as you have specified.
SOLUTION:
Put the username in quotations like this (username: asdasdasd):
https://api.instagram.com/v1/users/search?q="asdasdasd"&client_id=[CLIENT ID]
Which results in (the results that interests you is highlighted):
- if you don't use the quotations there's a big chance that the desired username won't appear in the results!
If there are more than one results use this code the iterate through the response data to find your one and get it's ID, full_name etc.
function getUserID() {
//send request for the user info on click
$('.btn-user-request').click(function(){
var searchTerm = $('.input-user-request').val();
if(searchTerm == ''){
$('.user-id-value').html('Enter a username!');
}
else{
$.ajax({
url: "https://api.instagram.com/v1/users/search?q=\"" + searchTerm + "\"&client_id=5fc90c90b885487485125d6df440fefd",
dataType: 'jsonp'
}).done(function(data) {
if(data.data[0] == []){
$('.user-id-value').html('No username found!');
}
else{
for(i=0;i<data.data.length;i++){
var userInformation = data.data[i];
if(userInformation.username == searchTerm){
$('.user-id-value').html(userInformation.id);
break;
}
}
}
});
}
});
//simulate the button click, on click of the Enter key
$(".input-user-request").on('keydown', function(){
if(event.keyCode == 13){
$(".btn-user-request").click();
}
});
}
See JSFiddle
(for some reason the code doesn't format properly)
I would suggest to try username "jack".
In fact none of suggested methods work for this.
I tried with max_id, min_id, it does not work either.
So it is exact flaw in API, and there is no such documentation on Instagram API to help to solve this.
So finding exact user id by it's username is quite a problem for popular names.
The only one solution for today I found is parsing user's Instagram HTML page and get it's id from there. This is very stupid, but this is only one solution which works in all cases right now :(
It's simple:
https://www.instagram.com/{username}/?__a=1

Worklight: Push message formatting

In Worklight, I have setup Push message for iOS and it works fine. Now for testing purpose, when i am sending push via URL call then the message title comes correctly while the body (payload) part truncates all spaces and shows all words together.
For example:
http://mydomain/myApp/invoke?adapter=aaPushAdapter&procedure=sendPush&parameters=["aahad","General Title 2", "This is General message body 2"]
then , title comes as "General Title 2" and the body part comes as "ThisisGeneralmessagebody2"
My Adapter is declared as:
function sendPush(userId, msgTitle, MsgContents){
var userSubscription = WL.Server.getUserNotificationSubscription('aaPushAdapter.PushEventSource', userId);
if (userSubscription==null){
return { result: "No subscription found for user :: " + userId };
}
WL.Server.notifyAllDevices(userSubscription, {
badge: 1,
sound: "sound.mp3",
activateButtonLabel: "Read",
alert: msgTitle,
payload: {
msg : MsgContents
}
});
return { result: "Notification sent to user :: " + userId };
}
(1) Now how I can preserve this formatting ?
(2) If i have to send URL then how i format and send my message?
Please suggest. Thanks
If %20 does not work, then change all spaces to something like '|', and then unencode this in your app. Or hex encode the whole string so it's one continuous alphanumeric string.
I am not entirely sure how you are using the URL as a means to send the push notification. Do you mean that you actually go to the browser and type this text in the address bar...? You're not supposed to do that (for other than quick tests). There are backend systems that should do that for you.
Anyway, instead of the space between words, use "%20" (w/out the quotation marks) and see if the text is then displayed with spaces in the dialog.

RestSharp: UrlEncode in signature base generation returns invalid string

I'm working on twitter client for win8, using RestSharp ( http://restsharp.org/ ) and I have such problem:
When I'm posting new tweet with RestClient
var timeLine = new RestRequest("/1/statuses/update.json", Method.POST);
var txt = "Hello world";
timeLine.AddParameter("status", txt);
everything works excelent, but if I add more complex status like:
var txt = "Hello, World! What a nice day! #1May";
timeLine.AddParameter("status", txt);
I recieve 401 error. In debugger I saw, that status parameter in Signature Base String is incorrect. I have:
status%3DHello%2C%2520World%21%2520What%2520a%2520nice%2520day%21%2520%231May
and right string (from dev.twitter.com):
status%3DHello%252C%2520World%2521%2520What%2520a%2520nice%2520day%2521%2520%25231May
You can see, that punctuation marks ,!# and other encodes incorrect. How can I fix it?
Signature base generation and Encoding are in /Authenticators/OAuth/OAuthTools.cs
I have the same problem when I display twitter feed in website. Hence, I used this code to convert the text.
Regex.Replace(str, "#(.*?):", #"#http://twitter.com/#!/$1>$1:");

Resources