I have a website built with custom PHP. From last week when I click on any link to my site a pop-up opens itself. When I checked my code I found an unknown JavaScript code in header of my site like:
<script type="text/javascript">
var uid = '67478';
var wid = '124210';
</script>
<script type="text/javascript" src="http://cdn.popcash.net/pop.js"></script>
I removed this code but next day I rechecked, again same code in header. I again removed it but this comes back again and again.
What is this and how can I remove it permanently?
You have very serious issue, Some one is injecting that script and earning money of your site.
https://www.owasp.org/index.php/Cross-site_Scripting_(XSS)
check your site against XSS injection
Related
My client has an old website on freeserve.co.uk (dodgy and free, now belongs to Orange but no support). I want to redirect all pages on the old site to newdomain/index.php. The index page on the old site is index.htm, however most other pages are .html.
Whatever I try the 301 redirect doesn't seem to work. Has anyone come across freeserve before?
You want to redirect the user when they load the page, here are some examples.
Here's the main example
<head>
<script type="text/javascript">
<!--
window.location="http://www.newlocation.com";
//-->
</script>
</head>
but there are a few other options depending what behaviour you're after.
In our CMS the developer added an "addthis.com" script which appends a hashtag and a tracking id to the browser address bar URL, for example http://www.site.com/about/#.UX6e2j7mK30
There is a solution how to get rid of this tracking but we are limited with CMS which only allows us to add javascripts to page header. The addthis script executes within page body and I need somehow to run the fix script after the default script has run. When I add the below script then the fix doesn't work. Is there any solution? Many thanks
<script type="text/javascript">
$(document).ready(function() {
var addthis_config = addthis_config||{};
addthis_config.data_track_addressbar = false;
});
</script>
Remove the $(document).ready and just declare addthis_config. Since this is just defining the configuration values for AddThis, there's no need to wait for the document to fully load. Because you're waiting for the document to load and then setting addthis_config, the AddThis code has already run and appended the addressbar tracking hash.
I've been working on a problem for the last day and a half now and have still yet to find a solution.
When visitng my game on facebook (which is in facebook's iFrame) php sessions don't work. This is for IE and Safari. Chrome works fine.
I've already read all the posts on stack about this problem, which seems to be down to third party cookie security and needing interaction with the iFrame first. There was a workaround by making javascript post some form data to the iFrame first, but this seems to have been 'fixed' in the latest versions of the browsers very recently as this no longer works.
I even tried implementing a start page that would require them to click a link first (in the iFrame) to load another page which would then create the session. But even THAT doesn't work.
I'm also having trouble even loading new pages in the iFrame using javascript, which seems to always cause infinite loop refreshes.
And no, P3P headers do NOT solve it.
Does anyone have a solution to this problem? I can't be the only one with it, considering how many facebook apps exist!
I came across this problem using a client that had "Accept third party cookies" disabled. My solution was to force PHP to embed the session ID into the URI by putting this line at the start of each page:
ini_set('session.use_trans_sid', true);
As the URLs are in iframe within Facebook the SID is not seen in the top window.
For IE, you will need the P3P Headers set. Something like:
<?php header('P3P: CP="CAO PSA OUR"'); ?>
Safari blocks 3rd-party cookies by default. Currently, the only work-around that is working for me is to "pop-up" a new window to set the cookies. I have something like this:
<script type="text/javascript">
function safariFix(){
if (navigator.userAgent.indexOf('Safari') != -1 && navigator.userAgent.indexOf('Chrome') == -1){
window.open('https://yourdomainname.com/safari.php', 'Safari Fix','width=100,height=100');
}
}
</script>
And safari.php will have this:
<?php
setcookie("safari_test", "1");
?>
<!DOCTYPE html>
<html lang="en">
<head>
<title>Safari Fix</title>
<script src="//ajax.googleapis.com/ajax/libs/jquery/1.6.2/jquery.min.js"></script>
</head>
<script type="text/javascript">
$(document).ready(function(){
window.close();
});
</script>
<body>
Since Safari does not accept third-party cookies by default, we are forced to open this window.
This window will automatically close once we have set the cookies.
</body>
</html>
PROBLEM: This won't work if users have "block pop-ups" enabled in Safari. If anyone has a better solution for this, inform me ;)
The facebook comment plug in is not working with smarty template. The code I am using is given below
<div id="fb-root"></div> {literal}<script src="http://connect.facebook.net/en_US/all.js#appId=APP_ID&xfbml=1"></script>{/literal} <fb:comments width="425"></fb:comments>
Please check this and let me know if there is any solution for this
Thanks In Advance
Rose
The issue is most likely because of the order in which this template loads on the page. You are most likely going to need to manually initialize the XFBML on your page for the tag to render. This is probably beyond what a template engine is going to be able to do. You are going to need to call FB.init(xfbml:true); after the template has loaded on the page. Also, change the script reference to
<script src="http://connect.facebook.net/en_US/all.js"></script>
The initilization call should occur only after the above script is loaded.
<script>
FB.init({xfbml:true});
</script?
I do IFrame application for facebook.
Problem is: any link inside it causes redirect loop
Link is: http://mydomain/mypage?fb_sig=[what I got from $_GET['fb_sig']]
(to test I link to the same page as my loaded canvas is loaded from)
when I click on it, my server returns:
<script type="text/javascript">
top.location.href = "http://www.facebook.com/login.php?api_key=5dc632fcef992470341178f492f79b93&v=1.0&next=http%3A%2F%2Fthiismydomain%2Ffacebook%2F%3Ffb_sig%3D96a5c47f133eadcfbba4abf82e5311e0%26page%3D1";
</script>
then it goes to corresponding page, and facebook returns
Location: http://thisismydomain/facebook/?fb_sig=96a5c47f133eadcfbba4abf82e5311e0&page=1&auth_token=ce4cf4968f91cace5b3e915f5b658984
then, my server replies with
<script type="text/javascript">
top.location.href = "http://www.facebook.com/login.php?api_key=5dc632fcef992470341178f492f79b93&v=1.0&next=http%3A%2F%2Fthisismydomain%2Ffacebook%2F%3Ffb_sig%3D96a5c47f133eadcfbba4abf82e5311e0%26page%3D1%26auth_token%3Dce4cf4968f91cace5b3e915f5b658984";
</script>
and back, facebook replies:
Location: http://thisismydomain/facebook/?fb_sig=96a5c47f133eadcfbba4abf82e5311e0&page=1&auth_token=ce4cf4968f91cace5b3e915f5b658984&auth_token=77df653b7949ca39c1a226c82cce8add
and it goes on and one without end.
Should I say that this redirect responce from my server is generated automately (most probaby my facebook php lib)
I have no more ideas why this happends. Any ideas?
I had a similar problem, where getSession() returned nothing, and thus sending me out on an infinite redirect loop. I solved it by enabling OAuth 2.0 in the settings for the application, as stated here:
http://forum.developers.facebook.net/viewtopic.php?id=64656
Ok, if you recognize the problem, here is the solution:
fb_sig is not the only param to be passed manually. Whole fb_sig* should be passed. Read more at this beautiful page http://www.foobots.net/breakouts.html