EzDevInfo.com

web interview questions

Top web frequently asked interview questions

escaping ampersand in url

I am trying to send a GET message that contains strings with ampersands and can't figure how to escape the ampersand in the url.

Example:

http://www.example.com?candy_name=M&M
result => candy_name = M

I also tried:

http://www.example.com?candy_name=M\&M
result => candy_name = M\\

I am using urls manually so I just need the correct characters.

I can't use any libraries. How can it be done?


Source: (StackOverflow)

Why is it common to put CSRF prevention tokens in cookies?

I'm trying to understand the whole issue with CSRF and appropriate ways to prevent it. (Resources I've read, understand, and agree with: OWASP CSRF Prevention Cheat Sheet, Questions about CSRF.)

As I understand it, the vulnerability around CSRF is introduced by the assumption that (from the webserver's point of view) a valid session cookie in an incoming HTTP request reflects the wishes of an authenticated user. But all cookies for the origin domain are magically attached to the request by the browser, so really all the server can infer from the presence of a valid session cookie in a request is that the request comes from a browser which has an authenticated session; it cannot further assume anything about the code running in that browser, or whether it really reflects user wishes. The way to prevent this is to include additional authentication information (the "CSRF token") in the request, carried by some means other than the browser's automatic cookie handling. Loosely speaking, then, the session cookie authenticates the user/browser and the CSRF token authenticates the code running in the browser.

So in a nutshell, if you're using a session cookie to authenticate users of your web application, you should also add a CSRF token to each response, and require a matching CSRF token in each (mutating) request. The CSRF token then makes a roundtrip from server to browser back to server, proving to the server that the page making the request is approved by (generated by, even) that server.

On to my question, which is about the specific transport method used for that CSRF token on that roundtrip.

It seems common (e.g. in AngularJS, Django, Rails) to send the CSRF token from server to client as a cookie (i.e. in a Set-Cookie header), and then have JavaScript in the client scrape it out of the cookie and attach it as a separate XSRF-TOKEN header to send back to the server.

(An alternate method is the one recommended by e.g. Express, where the CSRF token generated by the server is included in the response body via server-side template expansion, attached directly to the code/markup that will supply it back to the server, e.g. as a hidden form input. That example is a more web 1.0-ish way of doing things, but would generalize fine to a more JS-heavy client.)

Why is it so common to use Set-Cookie as the downstream transport for the CSRF token / why is this a good idea? I imagine the authors of all these frameworks considered their options carefully and didn't get this wrong. But at first glance, using cookies to work around what's essentially a design limitation on cookies seems daft. In fact, if you used cookies as the roundtrip transport (Set-Cookie: header downstream for the server to tell the browser the CSRF token, and Cookie: header upstream for the browser to return it to the server) you would reintroduce the vulnerability you are trying to fix.

I realize that the frameworks above don't use cookies for the whole roundtrip for the CSRF token; they use Set-Cookie downstream, then something else (e.g. an X-CSRF-Token header) upstream, and this does close off the vulnerability. But even using Set-Cookie as the downstream transport is potentially misleading and dangerous; the browser will now attach the CSRF token to every request including genuine malicious XSRF requests; at best that makes the request bigger than it needs to be and at worst some well-meaning but misguided piece of server code might actually try to use it, which would be really bad. And further, since the actual intended recipient of the CSRF token is client-side JavaScript, that means this cookie can't be protected with http-only. So sending the CSRF token downstream in a Set-Cookie header seems pretty suboptimal to me.


Source: (StackOverflow)
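
The cookie-to-header round trip described in the question above, as an added example (not part of the original post and not any framework's own code): the server only accepts a mutating request when a request header echoes the token cookie, so the automatically attached cookie alone is never trusted. The cookie name `XSRF-TOKEN`, the header name `X-XSRF-TOKEN`, the function names and the sample requests are assumptions constructed for illustration.

```javascript
const crypto = require('crypto');

// Server side: mint a random token and the Set-Cookie value that carries it.
// No HttpOnly flag, because page script has to read the cookie.
function issueCsrfCookie() {
  const token = crypto.randomBytes(32).toString('hex');
  return { token, setCookie: `XSRF-TOKEN=${token}; Path=/; Secure` };
}

// Parse a Cookie request header into a name -> value map.
function parseCookies(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const i = part.indexOf('=');
    if (i > 0) jar[part.slice(0, i).trim()] = part.slice(i + 1).trim();
  }
  return jar;
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

// Server side: a mutating request passes only if the header repeats the cookie.
// The cookie by itself proves nothing: the browser attaches it to every request.
function csrfCheck(req) {
  if (SAFE_METHODS.has(req.method)) return true;
  const cookieToken = parseCookies(req.headers['cookie'])['XSRF-TOKEN'];
  const headerToken = req.headers['x-xsrf-token'];
  if (!cookieToken || !headerToken) return false;
  const a = Buffer.from(cookieToken);
  const b = Buffer.from(headerToken);
  // Constant-time comparison; lengths must match before timingSafeEqual.
  return a.length === b.length && crypto.timingSafeEqual(a, b);
}

// Constructed sample requests (session value is a placeholder).
const { token } = issueCsrfCookie();
const cookie = `session=abc123; XSRF-TOKEN=${token}`;
// Same-origin script read the cookie and copied it into the header.
const sameOrigin = { method: 'POST', headers: { cookie, 'x-xsrf-token': token } };
// Cross-site form post: cookies ride along, but no custom header can be set.
const crossSite = { method: 'POST', headers: { cookie } };
// Header present but not matching the cookie.
const mismatched = { method: 'POST', headers: { cookie, 'x-xsrf-token': '0'.repeat(64) } };

console.log(csrfCheck(sameOrigin), csrfCheck(crossSite), csrfCheck(mismatched));
```
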

How can I make the browser wait to display the page until it's fully loaded?

I hate how you can actually see webpages load. I think it'd be much more appealing to wait until the page is fully loaded and ready to be displayed, including all scripts and images, and then have the browser display it. So I have two questions...

  1. How can I do this?
  2. I'm a total noob to web development, but is this common practice? If not, why?

Thanks in advance for your wisdom!


Source: (StackOverflow)

What is 'YTowOnt9'?

Our (PHP) framework sometimes renders hidden inputs with value YTowOnt9. I can't find that string anywhere in the (huge) codebase, and can't figure out where it came from. I decided to Google for that particular string, and the result surprised me. Over half a million - kind of random - hits. I haven't found any page describing the value itself. It has 0 hits on Stack Overflow.

Is YTowOnt9 some kind of magic string?


Source: (StackOverflow)

The superclass "javax.servlet.http.HttpServlet" was not found on the Java Build Path

I have a project created by Maven integration in Eclipse. Everything works fine, but in the workspace all JSP files show this:

The superclass "javax.servlet.http.HttpServlet" was not found on the Java Build Path

on the first line, which contains:

<%@ page language="java" contentType="text/html; charset=UTF-8"
    pageEncoding="UTF-8"%>

When I create a basic dynamic web project with a JSP in it, all is fine, no errors.


Source: (StackOverflow)

How to make a vertical line in HTML

How do you make a vertical line using HTML?


Source: (StackOverflow)

Can I read the hash portion of the URL on my server-side application (PHP, Ruby, Python, etc.)

Assuming a URL of:

  www.mysite.com?val=1#part2

PHP can read the request variables "val1" using the GET array.

Is the hash value part2 also readable? Or is this only up to the browser and JavaScript?


Source: (StackOverflow)

.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration

I have this error when trying to browse PHP files locally:

[Fri Apr 13 19:16:40 2012] [alert] [client 127.0.0.1] C:/AppServ/www/hr-website/.htaccess: Invalid command 'RewriteEngine', perhaps misspelled or defined by a module not included in the server configuration, referer: http://127.0.0.1/

What is the problem?


Source: (StackOverflow)

What's the difference between a web site and a web application? [closed]

I'm stumped trying to come up with a difference between a web site and a web application for myself. As I see it, a web site points to a specific page and a web application is more of some sort of 'portal' to content and information.

But where I'm stuck is that a web application is still viewed through a browser (is it not?) and a web site can still view content dynamically, making the line between web site and application pretty gray.

For instance, does a web site using ASP.NET or AJAX (I assume ASP.NET is AJAX's proprietary sibling; if not, ignore ASP.NET and concentrate on the AJAX) become a web application because it can retrieve data dynamically and asynchronously, or would a website using PHP and a CMS be more of a web application because it forms the pages on request, based on the request of the client and its content in its database?

Or maybe I'm totally wrong here - what differentiates between a web application and a website?


Source: (StackOverflow)

How to use the new affix plugin in twitter's bootstrap 2.1.0?

The bootstrap documentation on that topic is a little confusing to me. I want to achieve similar behaviour like in the docs with the affix navbar: The navbar is below a paragraph / page heading, and upon scrolling down it should first scroll along until reaching the top of the page, and then stick there fixed for further scrolldowns.

As jsFiddle does not work with the navbar concept, I've set up a separate page for usage as a minimal example: http://i08fs1.ira.uka.de/~s_drr/navbar.html

I use this as my navbar:

<div class="navbar affix-top" data-spy="affix" data-offset-top="50">
    <div class="navbar-inner">
        <div class="container">
            <div class="span12">
                <a class="brand" rel='nofollow' href="#">My Brand</a> 
                This is my navbar.
             </div>
        </div> <!-- container -->
    </div> <!-- navbar-inner -->
</div> <!-- navbar -->

I think I would want data-offset-top to be of value 0 (since the bar should "stick" to the very top), but with 50 there is at least some effect watchable.

I've also put the JavaScript code in place:

     <script>
        $(document).ready (function (){
            $(".navbar").affix ();
        });
     </script>

Any help appreciated.


Source: (StackOverflow)

How to find corresponding log files folder for a web site?

There are multiple web sites and multiple folders under inetpub\logs\LogFiles (W3SVC1, W3SVC2, etc). How can I find what folder is used by a given web site?


Source: (StackOverflow)

Concatenate strings in LESS

I think this is not possible, but I thought I'd ask in case there is a way. The idea is that I have a variable for the path to a web resource folder:

@root: "../img/";
@file: "test.css";
@url: @root@file;

.px{
    background-image: url(@url);
}

I get this as a result:

.px {   background-image: url("../img/" "test.css"); }

But, I want the strings to combine into one string like this:

.px {   background-image: url("../img/test.css"); }

Is it possible to concatenate strings together in LESS?


Source: (StackOverflow)

Golang production web application configuration

For those of you running Go backends in production:

What is your stack / configuration for running a Go web application?

I haven't seen much on this topic besides people using the standard library net/http package to keep a server running. I read about using Nginx to pass requests to a Go server - nginx with go

This seems a little fragile to me. For instance, the server would not automatically restart if the machine was restarted (without additional configuration scripts).

Is there a more solid production setup?

An aside about my intent - I'm planning out a Go-powered REST backend server for my next project and want to make sure Go is going to be viable for launching the project live before I invest too much into it.


Source: (StackOverflow)

Twitter Bootstrap Button Text Word Wrap

For the life of me I am unable to get these Twitter Bootstrap buttons to text wrap onto multiple lines; they are appearing like so.

I cannot post images, so this is what it is doing...

[This is the bu] tton text

I would like it to appear like

[This is the ]

[button text ]

<div class="col-lg-3"> <!-- FIRST COL -->
  <div class="panel panel-default">
    <div class="panel-body"> 
    <h4>Posted on</h4>
    <p>22nd September 2013</p>
    <h4>Tags</h4>
    <a rel='nofollow' href="#" class="btn btn-primary btn-xs col-lg-12" style="margin-bottom:4px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit.</a>
   <a rel='nofollow' href="#" class="btn btn-primary btn-xs col-lg-12" style="margin-bottom:4px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit.</a>
   <a rel='nofollow' href="#" class="btn btn-primary btn-xs col-lg-12" style="margin-bottom:4px;">Lorem ipsum dolor sit amet, consectetur adipiscing elit.</a>
           </div>
  </div>
</div>

Any help would be much appreciated.

Edit. I have tried adding word-wrap:break-word; but it is not making any difference.

Edit. JSFiddle http://jsfiddle.net/TTKtb/ - You will need to expand the right column so the panels sit next to one another.


Source: (StackOverflow)

Why is Symfony2 performing so bad in benchmarks and does it matter?

My colleagues and I are in the process of choosing a web framework to develop a high traffic web site. We are really good with node.js + express and php + symfony2. Both are great frameworks but we are a bit concerned about Symfony2 because it seems to be outperformed by most web frameworks out there.

Here are the benchmarks that prove it: http://www.techempower.com/benchmarks/

For this reason we will probably use node.js + express, but I still wonder why Symfony2 is performing so badly in benchmarks.


Source: (StackOverflow)