How to enforce safe search on bing.com search engine such that the user cannot switch it off - bing

On the bing.com website it is possible to enforce safe search by adding &adlt=strict to the search string. An example is below.
https://www.bing.com/images/search?q=just+testing&first=1&tsc=ImageHoverTitle&adlt=strict
However the user can still turn off safe search on the top right by selecting the dropdown to turn it off. How can I pass some cookie or URL parameter or header to prevent the user from being able to switch safe search off?

Security warning from extension_builder: action is publicly accessible

I created an extension with the extension builder.
On saving I get this message:
The object was updated. Please be aware that this action is publicly accessible unless you implement an access check. See https://docs.typo3.org/typo3cms/extensions/extension_builder/User/Index.html
How can I fix this issue? Yes I read the page but there are no useful hints.
Since the question is how you can "fix the issue": There is no issue, it is a warning, you can remove it and make your request secure. (As in the other answer.)
The "hint" on the page is actually very straightforward. The "issue" is that a user is able to manipulate the URL and make the server execute an unwanted action.
Here is an example:
You have a list of users of your page and you can open their public profile for more information:
https://yourdomain.com/list/?tx_ext_plugin['action']=show&tx_ext_plugin['userId']=41.
So if I want to make some trouble, I change the action "show" to "delete" and maybe I am able to delete the poor user "41" from the db. That is bad.
https://yourdomain.com/list/?tx_ext_plugin['action']=delete&tx_ext_plugin['userId']=41.
So since it is your business logic, TYPO3 offers no out of the box solution for this. That is why this warning from extension builder says that you need to take action to prevent misuse.
Regarding how to implement better security, here are some thoughts about the access control and some ideas what to implement in your actions:
1) FE
You can separate your actions into different plugins. So if you have a public list action, it cannot be modified into the plugin that is responsible for the delete action. How is it possible? TYPO3 will look up the page record in your database and render it, and if there is a plugin on the page with the signature "tx_ext_plugin" then it will get the sent parameters. In this case you have the possibility to add the different plugins to different pages, so changing the signature of it for an attacker won't help, because:
If the delete action is not registered by the plugin, TYPO3 will throw an exception.
If you are trying to change the whole signature, the page won't be able to identify the plugin.
You can add the edit / delete plugin to pages where a user has to be logged in. You can even manage multiple user groups. For example, a normal user can only edit their own profile, but a premium user can make further changes. In Fluid you can use the IfHasRole ViewHelper, which can show parts of your template for defined user groups. (There is an ifAuthenticated ViewHelper too.)
You can take the extension "femanager" as an example. There is a controller "EditController" that covers actions like "update" and "delete". For example, before making the update action there is a check if the logged in user has the same user id as the record which is going to be changed. If you have a complex example, you can make a check on the user group also.
2) BE
It is actually almost the same as the frontend, but instead of plugins / user groups assigned in page settings, you can use different mountpoints, so BE users cannot see folders where they are not allowed to edit / delete.
You have those two ViewHelpers for the BE too. Their names are: f:be:security.ifAuthenticated and f:be:security:ifHasRole. However, ifAuthenticated is also for FE; in a BE context it does not make sense.
You also have the possibility to identify the id and userGroups of the BE user, and you can make your own checks before you let an action run.
You also have the possibility to turn on / off a module for a certain BE group.
+1: This has nothing to do with any action, but just to list it too: there is also the possibility to allow / disallow fields for BE users when editing a record through the List mode in the BE.
Extension builder creates dummy actions to update and create records. Those example actions do not contain any security checks on whether the caller actually is allowed to do so.
So it is your job to add adequate access control to those methods. E.g. make sure the current user (be it Frontend or Backend) is actually allowed to update the model in question.
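An added illustration of the ownership check the answers describe (not code from the answers, extension_builder or femanager): an Extbase controller whose delete action refuses to run unless the logged-in frontend user owns the record, so flipping action=show to action=delete in the URL no longer works. It assumes TYPO3 v11+ conventions (actions return a ResponseInterface, the frontend user is available as the 'frontend.user' request attribute) and a hypothetical Profile model with getOwnerUid() plus a matching ProfileRepository.

```php
<?php
declare(strict_types=1);

namespace Vendor\MyExt\Controller;

use Psr\Http\Message\ResponseInterface;
use TYPO3\CMS\Extbase\Mvc\Controller\ActionController;
use Vendor\MyExt\Domain\Model\Profile;                 // hypothetical: exposes getOwnerUid(): int
use Vendor\MyExt\Domain\Repository\ProfileRepository;  // hypothetical repository for Profile

class ProfileController extends ActionController
{
    public function __construct(private readonly ProfileRepository $profileRepository)
    {
    }

    /**
     * Uid of the logged-in frontend user, or null when nobody is logged in.
     * Assumption: TYPO3 v11+ request attribute 'frontend.user' (FrontendUserAuthentication).
     */
    private function currentFeUserUid(): ?int
    {
        $feUser = $this->request->getAttribute('frontend.user');
        $userRow = $feUser->user ?? null;
        return is_array($userRow) && isset($userRow['uid']) ? (int)$userRow['uid'] : null;
    }

    /** Public: anyone may look at a profile, so no ownership check is needed here. */
    public function showAction(Profile $profile): ResponseInterface
    {
        $this->view->assign('profile', $profile);
        return $this->htmlResponse();
    }

    /**
     * Destructive: only the owner of the record may delete it. Without this check,
     * a caller could rewrite tx_ext_plugin[action]=show into =delete for any uid.
     */
    public function deleteAction(Profile $profile): ResponseInterface
    {
        $uid = $this->currentFeUserUid();
        if ($uid === null || $profile->getOwnerUid() !== $uid) {
            // Deny: do not touch the record, tell the user, and go back to the list.
            $this->addFlashMessage('You are not allowed to delete this profile.');
            return $this->redirect('list');
        }
        $this->profileRepository->remove($profile);
        return $this->redirect('list');
    }
}
```

A group-based rule (e.g. premium users may edit more) would be a second condition in the same place, checked against the user's groups rather than the uid.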

Google Custom Search - filter data from within a page

I am using Google Custom Search to enable users to search within my website. I have one page that displays a list of references (to scientific publications) as well as other content (dynamic). I would like to display the results so that references including the search term are filtered into their own tab - but I can only see how to label a whole page, not just a section of a page. This means I can filter for 'references', but get other content in my results, not just the references. Is there a way of doing this?
Yes, it's possible, I suppose. And I had done it some time back and it had worked as expected. Have a look at these links:
Tech Republic Set up Google Custom Search and
Google Custom Search

urlread pound sign (#) doesn't work

Trying to read in the pricing lists under pricing information tab:
urlread('http://www.cefconnect.com/Details/Summary.aspx?Ticker=KYE#pricing')
But in the URL '#pricing' doesn't help.
Any suggestions?
As already pointed out by Darin, it's no use adding #pricing to the URL. The web page uses client-side techniques to switch between tabs; not something that can be used by urlread.
Summary.aspx always returns all tabs together as one big page. CSS and JavaScript make it look like a collection of tabs, when opened in a web browser.
Use the developer toolbar of your web browser to inspect the web page. For example in Google Chrome, just right-click on the section you are interested in, and select 'inspect element'.
I don't know what you are going to do with the result of urlread, but you'll probably have to do some parsing to distill the information you need from the HTML clutter.
Please note Summary.aspx launches additional HTTP requests to retrieve additional data. Use the 'Network' tab of Chrome's developer toolbar to analyze that behavior. For example, the following request is made when you click 'GO' after adjusting the pricing history filter criteria.
http://www.cefconnect.com/Resources/TableData/?Type=PricingHistory&Cusip=48660P104&param0=1M&param1=06/06/2014
At first, this seems to complicate the whole matter, but it may actually be a great opportunity. You can call urlread with the URL above, and get some data in JSON format, which is far less cluttered than HTML. Adjust the parameters to get different data. I'm not sure what 48660P104 is; it might be an internal representation of KYE. You may want to use an initial HTTP request to Summary.aspx to retrieve that code; you'll notice the webpage is littered with URLs containing the same parameter Cusip.
The # character has a special meaning in a URL. It represents the fragment identifier, and the value following it is never sent to the server. Only client side JavaScript can access it. You will need to URL-encode the value if you want to send it to the server:
urlread('http://www.cefconnect.com/Details/Summary.aspx?Ticker=KYE%23pricing')
This also stands true for other special characters. You need to properly encode them.

Facebook Like Button with hash

When I try to add a FB Like Button with url+hash (example.com/#TEST) to my website
and I click the like button, it shares the link without the hash in the news feed (example.com).
When I try to set up the button with "%23" instead of "#" (example.com/%23TEST), it counts each hash separately in the count box.
Is there any way to put a like button with hash and still count the URL without the hash?
Thanks!
When you are creating Facebook like buttons, Facebook uses cURL (correct me, people) to access your URL that has metadata. So if cURL sees different metadata per URL, you will get different LIKE buttons.
But this doesn't happen, as on the server side Facebook sees the same URL for every dynamic # enabled link, since the part of the link before # is the same. JavaScript (or any behaviour that can create a hash in the URL) is ignored, obviously, since its behaviour is a client only thing.
The best possible way would be to create the Button dynamically using JavaScript and change the URL-to-like of each button to something friendly without hash.
abc.com/def#part1
abc.com/def#part2
// to
abc.com/def/part1
abc.com/def/part2
Only for the curl script to see it as a different URL.
And when the user hits that link, abc.com/def/part1, you would be needing server side help as well to redirect to the view part1 from the route def. So you would, in your router code, load only up to the route def (imagine MVC) and then ask the controller to load the view part1, with JavaScript enabled to append the URL hash #part1.
These hash tags are for client side actions not server side. You will not be able to use them in your Like Button.

What's the difference between a PageMod/page-mod and a Page/page-worker?

I don't understand the difference. The only difference I can see is that a PageMod uses a match pattern, whereas a Page uses a specific URL. Why not just use a PageMod (more versatile) for everything?
The page-mod module works with pages that the user loads in the browser. The page-worker module lets you load a web page in the background and perform some operations with it. So you would for example use page-mod if you want to add a "Super-Dooper-Search" button to all Google Search pages when the user visits them. But you would use page-worker if you want to load the Google Search page in background when the user clicks some button, extract the search results from it and present the results to the user - without the user ever seeing the page you loaded (just as an example, don't actually do that because it violates Google's ToS).