  1. #1
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55

    Why can't I view-source of .js file from the browser?

    This is probably a REALLY stupid question for many of you - but I just don't know, and I can't find it in my book(s), but then again, I'm not sure what to look for.

    I was visiting a real-estate site, and when I tried to view the source, the entire file was blank.

    http://home.windermere.com/seasunand...useaction=home

    (The URL indicated they were using cfm, but that shouldn't make any difference ... right?)

    How do they do that (no visible source code)? Don't they even need to have a basic HTML page structure (i.e. <html><head....etc.)?

    I know when I use javascript client side .js files, I don't see that code when I view-source from the browser. Could it all be done in javascript?

    And a related question, how truly invisible/secure is a .js file? Whatever technique they use?

    -Mike-
    Newbeewanabee

  2. #2
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    well to solve your problem scroll down to about the 57th line and you will find the source there

    and a js file isn't secure btw

  3. #3
    We like music. weirdbeardmt's Avatar
    Join Date
    May 2001
    Location
    Channel Islands Girth: Footlong
    Posts
    5,882
    Hmm, try scrolling down!

    As for .js files -- they can still be downloaded (same as stylesheets can be) and the code of them can be viewed.

    There is pretty much NO way to protect your source code.
    I swear to drunk I'm not God.
    » Matt's debating is not a crime «
    Hint: Don't buy a stupid dwarf ö Clicky

  4. #4
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    HA! I can't believe how stupid I can be sometimes - it just amazes me! Well one comforting thought is that this is embarrassing enough that I won’t make that mistake again.

    However, I did learn something valuable and that is that a javascript .js file is not secure (I already knew that I occasionally forget to put my brain in gear).

    Thanks, Andrew-J and weirdbeardmt, for the brain alignment and the new information.

    I now need to go beat myself up for a while.

    -Mike-

    "Sometimes our only value is as a warning to others."

  5. #5
    The doctor is in... silver trophy MarcusJT's Avatar
    Join Date
    Jan 2002
    Location
    London
    Posts
    3,509
    Any content that is sent to the web browser by a server can be seen/edited/copied by the user if he wants to, and so any such content cannot ever be "secured" (in the sense of preventing this happening).


    M@rco

  6. #6
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Thanks M@rco for the input (and for the past brain alignment). The fact that nothing that is sent to the client is secure from the client viewing it is a point that needs to be refreshed occasionally.

    By the way, I found the .js file in my C:\WINDOWS\Temporary Internet Files. So although, the javascript .js file is not seen from a browser’s view-source, it is easily viewable from the client.

    As it turns out, the person who introduced me to javascript was misinformed as I CAN view .js files and cookies (although I haven’t done any experiments to see if I view ASP, PHP, and JavaScript cookies any differently).

    Now I need to do some experiments with session variables. I think they will take a lot more expertise for the client to read them, as I believe they are handled all in memory (memory resource usage is one of the downfalls of session variables especially when there are 1000’s of simultaneous connections), so they never get to the file system -- except maybe in virtual memory.

    Still, like you said M@rco, if it was sent to the client, it is viewable somehow, and that is what I need to remember.

    -Mike-

  7. #7
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    only way to view a js file is by downloading it and click edit, as far as i know

  8. #8
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Good point; I neglected to include that step.

    These are the steps I used to view a .js file:

    1) locate the .js file in C:\WINDOWS\Temporary Internet Files. (The name of the .js file will be within a script tag in the HTML file and will look similar to this:
    <script type="text/javascript" language="javascript" src="its_file_name.js"></script>); or you can just browse around the C:\WINDOWS\Temporary Internet Files directory for files of type ‘JScript File’.

    2) right-click on the .js file name | open in new window (If you use ‘open’ instead of 'open in new window' you will get a warning about running a system control being unsafe.)

    3) A download dialog box will come up; save it where you want.

    It is now a viewable .js file that has some characters that Notepad can’t read, so I use Wordpad or an HTML/JavaScript editor to view it.

    -Mike-

  9. #9
    We like music. weirdbeardmt's Avatar
    Join Date
    May 2001
    Location
    Channel Islands Girth: Footlong
    Posts
    5,882
    Originally posted by Mike733
    So although, the javascript .js file is not seen from a browser’s view-source, it is easily viewable from the client.
    Huh? Where'd that come from! From that link you posted up top:

    Code:
    function popWindow() {
    	window.open("pop.html","pop","toolbar=0,location=0,directories=0,status=0,menubar=1,scrollbars=0,resizable=1,width=450,height=300");
    
    }
    // -->
    		</script>
    		
    <SCRIPT src="validation.js"></SCRIPT>
    </head>
    Just pop that in your browser and it will bring up the dialog to download it for you...

  10. #10
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Actually what I wrote,

    "So although, the javascript .js file is not seen from a browser’s view-source, it is easily viewable from the client."

    was just a generic statement about the security of ".js" files (I was originally told that using ".js" files was a method for protecting code.) I probably should have written it as,

    "So although, the JavaScript ".js" file .... ",

    that way it would not have been so easily confused with "javascrpt.js", which, you are correct, doesn’t match the ".js" file in the link I gave.

    And the steps I wrote were just a generic way to read any ".js" file that came from someone’s server – nothing to do with the link. That’s all. It works. I just used it to look at every JScript File in my C:\WINDOWS\Temporary Internet Files. There are probably more ways to view the ".js" file.

    Forget the link. I chose the wrong example. It started out as an example based on the original premise that ".js" files provided code protection, which, as it turns out, is totally wrong. (Hey, I thought it was REALLY cool that they were able to make the whole source file blank by maybe using a ".js" file. – when in fact I just didn’t scroll down far enough to see the start of the code - I’m still embarrassed.)

    Not a complete loss though, as the security issue was highlighted along with way(s) to view a ".js" file -- something I didn't know before.

    But, back to you.

    I’m not sure what you mean by,

    "Just pop that in your browser and it will bring up the dialog to download it for you".

    Are you saying that I should take the code you highlighted (which is some code copied from the link at the top) and include it in my own code? I’d like to hear more about that.

    Good luck with stopping smoking!

    -Mike-

  11. #11
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    PHP Code:

    <Script Language='Javascript'>
    <!--
    eval(
    unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%74%68%69%73%20%69%73%20%65%6E%63%72%70%74%65%64%20%69%6E%20%68%65%78%69%64%65%63%69%6D%61%6C%27%29'));
    //-->
    </Script> 
    you mean something like that

    ascii/hex
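
    Added example, not part of the original thread: a static decoder for the `eval(unescape('%..'))` wrapper posted above, showing that percent-hex "encryption" is reversible by anyone without running the script. The function names, the indicator list and the nested sample are illustrative assumptions; only `PAGE_SAMPLE` comes from the post.

```javascript
// Added example, not code from the thread. Statically decodes
// eval(unescape('...')) wrappers so the hidden script can be read
// without ever executing it. All function names are illustrative.

// Decode the escapes that legacy unescape() understands: %XX and %uXXXX.
// Malformed sequences are left untouched, as unescape() does.
function decodeEscapes(text) {
  return text.replace(/%u([0-9a-fA-F]{4})|%([0-9a-fA-F]{2})/g,
    (match, wide, narrow) => String.fromCharCode(parseInt(wide || narrow, 16)));
}

// Matches unescape('...') or unescape("...") with a literal string argument.
const WRAPPER = /unescape\(\s*(['"])((?:(?!\1).)*)\1\s*\)/g;

// Peel nested layers: each decoded payload is scanned again for another
// wrapper. maxDepth bounds the work on hostile input.
function deobfuscate(source, maxDepth = 10) {
  const layers = [];
  let current = source;
  for (let depth = 0; depth < maxDepth; depth++) {
    const payloads = [...current.matchAll(WRAPPER)].map(m => decodeEscapes(m[2]));
    if (payloads.length === 0) break;
    layers.push(payloads);
    current = payloads.join("\n");
  }
  return layers;
}

// Assumed short list of calls worth a reviewer's attention once decoded.
const RISKY = ["eval(", "document.write", "ActiveXObject"];
function indicators(payload) {
  return RISKY.filter(token => payload.includes(token));
}

// The wrapper exactly as posted in the thread.
const PAGE_SAMPLE = "eval(unescape('%64%6F%63%75%6D%65%6E%74%2E%77%72%69%74%65%28%27%74%68%69%73%20%69%73%20%65%6E%63%72%70%74%65%64%20%69%6E%20%68%65%78%69%64%65%63%69%6D%61%6C%27%29'));";

// Constructed sample: the same trick applied twice (ASCII input only).
const hex = s => [...s].map(c =>
  "%" + c.charCodeAt(0).toString(16).toUpperCase().padStart(2, "0")).join("");
const wrap = s => "eval(unescape('" + hex(s) + "'))";
const NESTED_SAMPLE = wrap(wrap("document.title='layer two'"));

for (const [name, src] of [["page", PAGE_SAMPLE], ["nested", NESTED_SAMPLE]]) {
  deobfuscate(src).forEach((payloads, i) =>
    payloads.forEach(p => console.log(name, "layer", i + 1, p, indicators(p))));
}
```
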

  12. #12
    We like music. weirdbeardmt's Avatar
    Join Date
    May 2001
    Location
    Channel Islands Girth: Footlong
    Posts
    5,882
    Originally posted by Mike733
    Actually what I wrote,

    "So although, the javascript .js file is not seen from a browser’s view-source, it is easily viewable from the client."

    was just a generic statement about the security of ".js" files (I was originally told that using ".js" files was a method for protecting code.) I probably should have written it as,

    "So although, the JavaScript ".js" file .... ",

    that way it would not have been so easily confused with "javascrpt.js", which, you are correct, doesn’t match the ".js" file in the link I gave.

    And the steps I wrote were just a generic way to read any ".js" file that came from someone’s server – nothing to do with the link. That’s all. It works. I just used it to look at every JScript File in my C:\WINDOWS\Temporary Internet Files. There are probably more ways to view the ".js" file.

    Forget the link. I chose the wrong example. It started out as an example based on the original premise that ".js" files provided code protection, which, as it turns out, is totally wrong. (Hey, I thought it was REALLY cool that they were able to make the whole source file blank by maybe using a ".js" file. – when in fact I just didn’t scroll down far enough to see the start of the code - I’m still embarrassed.)

    Not a complete loss though, as the security issue was highlighted along with way(s) to view a ".js" file -- something I didn't know before.
    K, sorry -- I misunderstood.


    But, back to you.

    I’m not sure what you mean by,

    "Just pop that in your browser and it will bring up the dialog to download it for you".

    Are you saying that I should take the code you highlighted (which is some code copied from the link at the top) and include it in my own code? I’d like to hear more about that.
    No, I think you probably do know what I mean. What I meant was... from that code you can see the name of a .js file, in this case called "validation.js". Notice it has no route/path/dirs in front of it. So all you need to do is put "validation.js" into the browser after the domain name, and it will download that .js file for you.

    For example (I know you hate it, but it works!) from the link you posted first:

    http://home.windermere.com/seasunand...useaction=home

    (so we know the domain is home.windermere.com/seasunandsnow, so if you put http://home.windermere.com/seasunandsnow/validation.js into your browser, it *should* download the file for you.)



    Good luck with stopping smoking!
    Thanks! It's pretty tough, but I'm getting there! I might actually do it this time...

  13. #13
    Prolific Blogger silver trophy Technosailor's Avatar
    Join Date
    Jun 2001
    Location
    Before These Crowded Streets
    Posts
    9,446
    glad you got it sorted out, anyways.

    Matt, by counting the days you're likely to go back to smoking, you know. It's best to just *inform* yourself that you no longer smoke and it's not an issue. Mind over matter. That's how I did it. When you count the days, your mind plays tricks on you and eventually you get sick of counting and go back to smoking. Just a hint.

    Sketch
    Aaron Brazell
    Technosailor



  14. #14
    We like music. weirdbeardmt's Avatar
    Join Date
    May 2001
    Location
    Channel Islands Girth: Footlong
    Posts
    5,882
    Originally posted by Sketch
    glad you got it sorted out, anyways.

    Matt, by counting the days you're likely to go back to smoking, you know. It's best to just *inform* yourself that you no longer smoke and it's not an issue. Mind over matter. That's how I did it. When you count the days, your mind plays tricks on you and eventually you get sick of counting and go back to smoking. Just a hint.

    Sketch
    Yeh you're probably right... but when you do the maths, 8 days versus however many thousand, each day is something of a struggle. It kind of helps if I can say to myself "Come on, you've lasted this a week, just do another week" etc etc...

  15. #15
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Wow! Adding the name of the ".js" file after the associated URL is really neat - and it makes perfect sense that it works that way. Thanks. Now I am able to connect up a few more brain cells.

    For starting out so lame, I sure learned a lot.

    Thanks to everyone.

    -Mike-

  16. #16
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    js does a lot more than most people think, that's half the reason with the security scares*. I mean did you know you can edit the registry without the user knowing? It has much more functionality, but it's rarely made use of.

    *That's with wsh

  17. #17
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Excuse my ignorance (again), but what is wsh?

    I thought the edit registry ability door was closed though. I don’t remember when/how/if it was closed in the newer browsers -- I can’t find the article. (Given my recent mental gymnastics, it may have never existed!)

    So are you saying that security risk/ability (depending on its use) still exists in newer browsers, or in certain configurations?

    Fascinating.

    -Mike-

  18. #18
    The doctor is in... silver trophy MarcusJT's Avatar
    Join Date
    Jan 2002
    Location
    London
    Posts
    3,509
    Even better, to view the source of any text-based (ASCII/Unicode) resource (HTM/L, CSS, JS, VBS, XML/XSL, etc...) VERY easily, just prefix the URL with "view-source:" in the address bar and press enter (IE only).

    e.g. view CSS file from CNN site:
    view-source:http://i.cnn.net/cnn/virtual/2001/style/main.css

    Often quite handy......!


    M@rco
    Last edited by M@rco; Apr 16, 2002 at 07:38.

  19. #19
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475

  20. #20
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Thanks M@rco. Nice. ‘view-source:’ It just keeps getting better.

    What is interesting about this is both of the very simple yet powerful and effective techniques to view the source of a ".js" file (and html in your case) given by you and weirdbeardmt are probably so 2nd nature to programmers as knowledgeable as yourselves that the idea of someone NOT knowing it doesn’t even come to mind in most cases. Thanks for seeing the need.

    I'm sure quite a few people who are able to wallow through the beginning of this topic will appreciate the knowledge.

    -Mike-

  21. #21
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Andrew-J, you opened up a new world for me with wsh. There it is: the RegWrite method to WshShell: write the registry. You obviously know a lot about wsh.

    Here are a few statements of things I THINK I know (inferred from the DevGuru link you gave) that lead to a question. If you get a chance, I would appreciate any information you can give me.

    The other two Microsoft hosts that run scripts are IE and IIS (PWS is a subset of IIS). More generically though: browser and web-server since non-MS products execute scripts also.

    The browser executes scripts inside a HTML document received from a web-server. Those scripts (supposedly) have very limited control over the client system limited by the browser (well JScript version in the browser).

    The web-server executes scripts already on the web-server’s 'system'. The scripts are used to process client requests and send information to a client.

    It looks like wsh’s original intent (inferred from DevGuru limited writeup) is to execute local scripts to do system control that can be grouped in batch files and/or timed using Windows Task Scheduler.

    The question I have is how does someone outside the system get wsh, intended as an internal script host, to do their bidding? (I’m not looking for a hacking how-to, just a general overview so I can understand the process.)

    -Mike-

  22. #22
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    Well, you couldn't be much wronger about this

    You obviously know a lot about wsh.
    in fact I probably know as much as you in fact, the person to actually ask is Flawless_koder he was the one that told me about this. You can put wsh on a website and invoke handlers instead of active x which will alert the user.

    As you said "this opened up a new world for me with wsh" which was the same for me and my mate which i mentioned too (now learning javascript).

  23. #23
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Andrew-J, you are too modest. I don’t know enough to realize the difference between a handler and active x, but thanks for starting the learning process.

    Take Care.

    -Mike-

  24. #24
    Currently Occupied; Till Sunda Andrew-J2000's Avatar
    Join Date
    Aug 2001
    Location
    London
    Posts
    2,475
    you have no doubt used handlers before.

    eg

    onclick, onmouseover, onmouseout etc

    object.CreateScript(CommandLine,[MachineName])

    object
    WshController Object.
    Commandline
    Required. String value indicating the script's path and switches as they would be typed at the command prompt. The path to the script should appear as seen from the controller computer system rather than the computer system on which you want to run the script.
    MachineName
    Optional. String value indicating the name of the remote computer system (the computer on which you want to run the remote script). It is specified in the Uniform Naming Convention (UNC).

    The CreateScript method returns a handle to an instance of a WshRemote object. The path part of the script name does not need to be local — it can refer to a script on a network share. This makes it possible to sit at one computer system, retrieve a script from another computer system, and run it on a third computer system. If a machine name is not provided, the remote script object runs on the controller computer system (this is the default). If a machine name is provided, the remote script object runs on the named computer system. The CreateScript method establishes a connection with the remote computer system and sets it up to run the script, but the script does not actually start until you call the Execute method of the WshRemote object.
    that's a handler

    I will give you an example of active x

    PHP Code:

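    <script>
    // Lists each drive letter with its share name (network drives) or volume label.
    // Depends on the Scripting.FileSystemObject ActiveX control, so it only runs
    // where the host allows ActiveX (Internet Explorer or Windows Script Host).
    function ShowDriveList()
    {
       var fso, s, n, e, x;
       fso = new ActiveXObject("Scripting.FileSystemObject");
       e = new Enumerator(fso.Drives);
       s = "";
       for (; !e.atEnd(); e.moveNext())
       {
          x = e.item();
          s = s + x.DriveLetter;
          s += " - ";
          if (x.DriveType == 3)      // 3 = network drive
             n = x.ShareName;
          else if (x.IsReady)
             n = x.VolumeName;
          else
             n = "[Drive not ready]";
          s += n + "<br>";
       }
       return(s);
    }
    document.write(ShowDriveList());

    </script>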
    just download the documentation it will tell you in jscript and vbscript how to use this

  25. #25
    SitePoint Enthusiast
    Join Date
    Feb 2002
    Posts
    55
    Andrew-J, you obviously put a lot of effort into this example. Thank you. Unfortunately, I have to leave for a job today, so I can’t put in the time it deserves until later, but I wanted to acknowledge your effort.

    Ah, yes - I have used handlers, but they have been on a client. My brain is not putting together the handler/server relationship - unless PHP and ASP are handlers. Hmmm, in a way they would be as they react to prompts/'events' from the client.

    I’m sure your example will shed light on it, and I look forward to learning from it. Back to you later.

    -Mike-

