Deep copy Javascript objects

Knowing the difference between a value being assinged by reference in contrast to being assigned by value is crucial. In Javascript primitive types like strings or numbers are always assigned by value. So assigning a variable A to a variable B results in variable B containing a “real” copy of variable A. Changing the value of variable B afterwards won’t change the value of variable A.
However, when assigning an object A to an object B in Javascript, object_b is assigned by reference, meaning that both variables point to the same object. In this case changing a property in object B will change the property in object A as well. See the following example:

var object_a = {url:"webdevwonders.com"};
var object_b = object_a;
object_b.url = "google.com";
alert(object_a.url); // Alerts "google.com"

Object A’s property “url” has changed to “google.com”, because the variable object_a points to the same object as variable object_b does. That’s nice but in quite a lot of cases a real (or deep) copy is what you want. The solution to the problem is to loop over each property of object A and assign its value to the property of object B. That is what the following code accomplishes:

var object_a = {url:"webdevwonders.com"};
var object_b = {};
for (var prop in object_a) {
    object_b[prop] = object_a[prop];
}
object_b.url = "google.com";
alert(object_a.url); // Alerts "webdevwonders.com"

If you’re using jQuery there’s a far more elegant way to solve the problem:

var object_a = {url:"webdevwonders.com"};
var object_b = jQuery.extend(true, {}, object_a);
object_b.url = "google.com";
alert(object_a.url); // Alerts "webdevwonders.com"
Please vote: How useful was this post for you?
Current rating:
(5 out of 5)
Posted in Javascript | Tagged , | Leave a comment

Detect Firefox add-on Adblock Plus

Some time ago I wrote a post explaining how to detect firefox add-ons. However, the described way only works for a couple of add-ons. And it doesn’t work for the most popular add-on of all called Adblock Plus. But instead there is an even simpler way to detect if a visitor coming to your website has activated Adblock Plus.
Since Adblock Plus blocks URLs and hides containers using a naming pattern (i.e. hiding all elements on a website containing the class “ad-column”) it is possible to trigger the add-on to hide an element on the page and then check with a simple JS-Script if it is still visible or hidden, the latter meaning that the visitor has Adblock Plus currently up and running.

Checking your Adblock Plus status…

The following script detects Adblock Plus by checking if the container with the id “adright” is hidden (using jQuery):

<div id="adright"></div>
<script type="text/javascript">
if ($("#adright").is(":hidden")) {
    alert("Adblock Plus activated!");
} else {
    alert("Adblock Plus NOT activated!");
}
</script>


The script above works for the standard English filter subscription of Adblock Plus but might not be working for other country-specific subscriptions. For a complete overview of URLs and containers blocked by your filter subscriptions have a look at the filter rules in the Adblock Plus preferences and adjust the script accordingly.

Please vote: How useful was this post for you?
Current rating:
(5 out of 5)
Posted in HTML/CSS, Javascript, Security/Privacy | Tagged , , | Leave a comment

Selenium – web application testing made easy

Writing a web application certainly is fun. Testing the application, on the other hand, usually is a time-consuming, but nevertheless necessary evil. As soon as the application grows above, let’s say, a handful of functionalities and screens, test automation becomes unavoidable.
One great open source software to create automated tests fast but also reliable is called Selenium. Selenium can be used for functional, regression and load testing of web applications. The great thing about Selenium is that the tests can be written in various programming languages, including the most popular ones like PHP, Java, Ruby and many others. Writing tests with Selenium is very straight forward, although, of course, the complexity depends on your web application and its functionality to test.
But the best thing about Selenium is its IDE, which is a Firefox Add-on that allows you to record a test while you browse the web application. After recording your session you can run it again or export the test code in your favourite language and do some reengineering of the given code if necessary. How cool is that?

Please vote: How useful was this post for you?
Current rating:
(4 out of 5)
Posted in Testing | Tagged , | Leave a comment

Use IFrame in scrollable DIV to read browsing history

I already discussed the HTTP status code hack as an alternative to the slowly dying CSS history hack. In this article I would like to introduce another way of history stealing, which doesn’t require the user to be logged in to an account at the webpage in question (in contrary to the status code hack).
All that’s needed for it to work is a webpage that renders diffrent content for returning visitors in comparison to new visitors. Even better: A page that redirects either returning or new visitors to another page.
Now to the trick: Create an IFrame inside a scrollable DIV (overflow:auto) and make the width and height of the DIV a lot smaller than the width and height of the IFrame. Next, search the returning visitor’s version of the page for a container with an ID that is NOT included in the new visitor’s version of the page. Preferably the container should be somewhere in the bottom and/or right part of the page. This could be a “last viewed articles” container on a shop page for example.
Now call the page in the IFrame and include the ID you found as a hash tag tot the URL, i.e. “http://www.example.com/somepage#returningVisitorsOnlyID”.
What happens then is the following:
If you are a new visitor to the page, it loads and since the ID of the hash tag can’t be found nothing special happens. If, however, you are a returning visitor, the page will load and jump to the container with the ID once it is found. At this point the DIV that’s wrapped around the IFrame will notice this jump and scroll itself down to that position.
After that all you need is a little Javascript and find out about the scroll position of the DIV. And if either scrollleft or scrolltop is bigger than 0 the visitor is a returning one.
Here is a code example and a proof of concept page using groupon.com.

<script type="text/javascript">
// check scroll position of DIV onload of IFrame
function check(){
    var scrollTop = document.getElementById('box').scrollTop;
    var scrollLeft = document.getElementById('box').scrollLeft;
    // page visited if scroll position left or top > 0
    if(scrollTop > 0 || scrollLeft > 0) {
        alert("Groupon visited!");
    } else {
        alert("Groupon not visited!");
    }
}
</script>
<style type="text/css">
    #box {width:250px; height:500px; overflow:auto;}
    iframe {width:1000px; height:1000px;}
</style>
<div id="box">
    <iframe onload="check()" src="http://www.groupon.com#rail" />
</div>

This hack is working in all versions of major browsers except Firefox 4 and Internet Explorer 9.

Please vote: How useful was this post for you?
Current rating:
(5 out of 5)
Posted in HTML/CSS, Javascript, Security/Privacy | Tagged , | Leave a comment

Use HTTP status code to check Facebook login status

The HTTP status codes history hack isn’t exactly about finding out if a user has visited a webpage but rather about knowing if he is currently logged into an account at the specified page. This example shows the exploit using Facebook, but it should be possible to port this to quite a lot of other websites requiring a login at some point.
The idea is quite simple: Some pages of a certain website return a different status code if you are not logged into them than they return if you are logged in. For example, my Facebook profile is only visible to people currently logged in to Facebook. In that case my profile page returns a HTTP status code of 200, but if somebody is trying to view my profile without being logged in it will return a 404 error message. And we can find out about this different behaviour with two simple Javascript Events: onload and onerror.
All we need to do is to load the Facebook profile URL in a script tag and attach an onload and an onerror event to it. The onload event will fire if you are logged in, the onerror fires if you are not logged in. Very simple but also very accurate. See the proof of concept below. You might as well log in or out of your Facebook account and reload this page.

Checking your Facebook login status…

And here’s the code:

<script type="text/javascript" 
    src="https://www.facebook.com/people/Jens-Lübberstedt/1009310897"
    onload="alert('Logged in to Facebook')"
    onerror="alert('Not logged in to Facebook')">       
</script>

The hack works for all versions of Firefox, Chrome and Safari, however it does not work in Internet Explorer or Opera as these browsers won’t fire the attached events.
More examples of this hack’s usage can be found in this article by Mike Cardwell and this post by Jeremiah Grossman.
If you’d like to have a „real“ history hack that tells you if a user has visited a website without requiring him to be logged into it please have a look at my blog post on using an IFrame in a scrollable DIV to read browsing history.

Please vote: How useful was this post for you?
Current rating:
(4 out of 5)
Posted in HTML/CSS, Javascript, Security/Privacy | Tagged , , | Leave a comment

CSS history hack alternatives

The CSS history hack is dead. Well, almost. As the hack did become more and more popular throughout the web and even made its way to popular newssites and blogs, the problem of being able to spy out a visitor’s history with almost no effort came into focus with browser vendors. As a result, the new generation of browsers with Firefox 4 and Internet Explorer 9 has done very well in disabling this hack in all its possible variations.
So sniffing about its history has become impossible with modern browsers? Definetly not! It isn’t as easy as it used to be with the CSS :visited hack, but in the following two posts I will introduce to you two methods of history hacking I came across lately that still work for all or at least some of the new generation browsers.
Use HTTP status code to check Facebook login status
Use IFrame in scrollable DIV to read browser history

Please vote: How useful was this post for you?
Current rating:
(3 out of 5)
Posted in HTML/CSS, Security/Privacy | Tagged | Leave a comment

How to install ruby-debug19 on Windows and debug in NetBeans

Working with Ruby on Rails on a Windows machine can be painful at times. Especially installing the ruby-debug19 gem and getting it to work properly can be a challenge. In the following I will try to show you how to overcome known problems during the installation process.
I assume that you have already installed a working Ruby 1.9.x version. If not, you may want to download the newest version of ruby and follow the given instructions.
First of all, try to install ruby-debug19 with the following command inside your command shell:

gem install ruby-debug19 ruby-debug-ide19

If this worked for you: Great! But most likely it didn’t work and you got some error message similar to the following:

Building native extensions. This could take a while...
ERROR: Error installing ruby-debug19:
ERROR: Failed to build gem native extension.

If this is the case, you need to install the Ruby Development Kit. You can get the DevKit here. Then go ahead and extract the contents to any folder you like. Navigate to that folder inside your command shell and execute the following commands:

ruby dk.rb init
ruby dk.rb install

Now the Ruby DevKit should be properly installed already. If you experienced any problems during installation please take a look at this detailed installation and troubleshooting guide.
Now execute the “gem install” command from above once again. If everything has been set up correctly you should be able to properly install ruby-debug19 and see something like this:

Temporarily enhancing PATH to include DevKit...
Building native extensions.  This could take a while...
Successfully installed ruby-debug-base19-0.11.25
Successfully installed ruby-debug-19-0.11.6
Successfully installed ruby-debug-ide19-0.4.12
3 gems installed

By installing the ruby-debug-ide19 gem you should be able to debug your project inside your IDE. However, trying to debug a Ruby on Rails project in NetBeans sometimes needs manual patching. You might experience an error quite similar to this one when launching the debugger:

Fast Debugger (ruby-debug-ide 0.4.9) listens on :50405
        C:/Ruby192/lib/ruby/gems/1.9.1/gems/ruby-debug-ide19-0.4.12/lib/ruby-debug-ide.rb:123:in `debug_load'
        C:/Ruby192/lib/ruby/gems/1.9.1/gems/ruby-debug-ide19-0.4.12/lib/ruby-debug-ide.rb:123:in `debug_program'
        C:/Ruby192/lib/ruby/gems/1.9.1/gems/ruby-debug-ide19-0.4.12/bin/rdebug-ide:87:in `'
        C:/Ruby192/bin/rdebug-ide:19:in `load'
        C:/Ruby192/bin/rdebug-ide:19:in `
'
Uncaught exception: no such file to load -- script\rails

This seems to be a bug inside ruby-debug-ide19 where execution paths are not set correctly. You can hotfix this problem by editing line 123 in ruby-debug-ide.rb (the line that throws the error). Replace the line

bt = debug_load(Debugger::PROG_SCRIPT, options.stop, options.load_mode)

with

bt = debug_load('./script/rails', options.stop, options.load_mode)

Restart the debugger and you should be able to debug your projects inside NetBeans.

Please vote: How useful was this post for you?
Current rating:
(4 out of 5)
Posted in Ruby on Rails | Tagged , , , | Leave a comment

Simple PHP crawler example

The following script is a basic example of a php crawler. It crawls through webpages looking for the existence of a certain string. In this testcase the crawler searches for the presence of the Google Analytics tracking code, but it can be modified easily to randomly crawl pages for whatever content you are looking for.
What it basically does is, it looks at all node values of an initially defined node type and compares it with a search string. Each page crawled is added to a hash using the domainname as the key and a boolean as its value (e.g. Analytics code found or not). While it is searching, the crawler also pushes the domains of all external links in the page to a domain stack. This stack is then used to find the next page to crawl. The crawler finishes its work after having crawled a predefined number of domains and uses the crawled domains hash to save all found domains to a textfile.
Anyway, just take a look at it. Here’s the code:

// Disable time limit to keep the script running
set_time_limit(0);
// Domain to start crawling
$domain = "http://webdevwonders.com";
// Content to search for existence
$content = "google-analytics.com/ga.js";
// Tag in which you look for the content
$content_tag = "script";
// Name of the output file
$output_file = "analytics_domains.txt";
// Maximum urls to check
$max_urls_to_check = 100;
$rounds = 0;
// Array to hold all domains to check
$domain_stack = array();
// Maximum size of domain stack
$max_size_domain_stack = 1000;
// Hash to hold all domains already checked
$checked_domains = array();
 
// Loop through the domains as long as domains are available in the stack
// and the maximum number of urls to check is not reached
while ($domain != "" && $rounds < $max_urls_to_check) {
    $doc = new DOMDocument();
 
    // Get the sourcecode of the domain
    @$doc->loadHTMLFile($domain);
    $found = false;
 
    // Loop through each found tag of the specified type in the dom
    // and search for the specified content
    foreach($doc->getElementsByTagName($content_tag) as $tag) {
        if (strpos($tag->nodeValue, $content)) {
            $found = true;
            break;
        }
    }
 
    // Add the domain to the checked domains hash
    $checked_domains[$domain] = $found;
    // Loop through each "a"-tag in the dom
    // and add its href domain to the domain stack if it is not an internal link
    foreach($doc->getElementsByTagName('a') as $link) {
        $href = $link->getAttribute('href');
        if (strpos($href, 'http://') !== false && strpos($href, $domain) === false) {
            $href_array = explode("/", $href);
            // Keep the domain stack to the predefined max of domains
            // and only push domains to the stack that have not been checked yet
            if (count($domain_stack) < $max_size_domain_stack &&
                $checked_domains["http://".$href_array[2]] === null) {
                array_push($domain_stack, "http://".$href_array[2]);
            }
        };
    }
 
    // Remove all duplicate urls from stack
    $domain_stack = array_unique($domain_stack);
    $domain = $domain_stack[0];
    // Remove the assigned domain from domain stack
    unset($domain_stack[0]);
    // Reorder the domain stack
    $domain_stack = array_values($domain_stack);
    $rounds++;
}
 
$found_domains = "";
// Add all domains where the specified search string
// has been found to the found domains string
foreach ($checked_domains as $key => $value) {
    if ($value) {
        $found_domains .= $key."\n";
    }
}
 
// Write found domains string to specified output file
file_put_contents($output_file, $found_domains);
Please vote: How useful was this post for you?
Current rating:
(3 out of 5)
Posted in HTML/CSS, PHP | Tagged , , | Leave a comment

LZW compression and decompression with Javascript and PHP

When trying to transfer large amounts of data between client and server it might be helpful to use an algorithm to compress the data before transmission. The compression technique of choice could be the LZW (Lempel-Ziv-Welch) compression. There is a huge variety of different LZW implementations for various languages out there, probably the largest collection of them can be found here. However, a PHP port of the implementation is missing. Working with the JS implementation from the above mentioned site I thought it might be useful to have a PHP implementation of that exact JS implementation on the server side, so I ported the function to PHP. Using the JS implementation and the following PHP implementation, you should be able to compress and decompress data transferred between client (JS) and server (PHP) without any need of customization. A nice side effect of compressing your data with LZW is that it obfuscates the transferred data as well.
PHP implementation of LZW compression:

class LZW {
    function compress($uncompressed) {
        $dictSize = 256;
        $dictionary = array();
        for ($i = 0; $i < 256; $i++) {
            $dictionary[chr($i)] = $i;
        }
        $w = "";
        $result = "";
        for ($i = 0; $i < strlen($uncompressed); $i++) {
            $c = $this->charAt($uncompressed, $i);
            $wc = $w.$c;
            if (isset($dictionary[$wc])) {
                $w = $wc;
            } else {
                if ($result != "") {
                    $result .= ",".$dictionary[$w];
                } else {
                    $result .= $dictionary[$w];
                }
                $dictionary[$wc] = $dictSize++;
                $w = "".$c;
            }
        }
        if ($w != "") {
            if ($result != "") {
                $result .= ",".$dictionary[$w];
            } else {
                $result .= $dictionary[$w];
            }
        }
        return $result;
    }
    function decompress($compressed) {
        $compressed = explode(",", $compressed);
        $dictSize = 256;
        $dictionary = array();
        for ($i = 1; $i < 256; $i++) {
            $dictionary[$i] = chr($i);
        }
        $w = chr($compressed[0]);
        $result = $w;
        for ($i = 1; $i < count($compressed); $i++) {
            $entry = "";
            $k = $compressed[$i];
            if (isset($dictionary[$k])) {
                $entry = $dictionary[$k];
            } else if ($k == $dictSize) {
                $entry = $w.$this->charAt($w, 0);
            } else {
                return null;
            }
            $result .= $entry;
            $dictionary[$dictSize++] = $w.$this->charAt($entry, 0);
            $w = $entry;
        }
        return $result;
    }
    function charAt($string, $index){
        if($index < mb_strlen($string)){
            return mb_substr($string, $index, 1);
        } else{
            return -1;
        }
    }
}

Usage example:

$lzw = new LZW();
$cmp = $lzw->compress("http://webdevwonders.com");
// 104,116,116,112,58,47,47,119,101,98,100,101,118,119,111,110,266,114,115,46,99,111,109
$dcmp = $lzw->decompress($cmp); // http://webdevwonders.com
Please vote: How useful was this post for you?
Current rating:
(3 out of 5)
Posted in Javascript, PHP | Tagged , , | Leave a comment

How to clear and disable DOM Storage in Firefox, IE and Chrome

The following post shows you how to clear and also disable DOM Storage in recent versions of Firefox, Internet Explorer and Chrome. If you are looking for a way to set DOM Storage items this will be the right post.

Clear DOM Storage in Firefox:

Select “Tools” -> “Clear Recent History”, open “Details”, check “Cookies” and select “Everything” as time range.
ATTENTION: No other time range will clear the DOM Storage. Have a look at Mozillas documentation for further info.

Disable DOM Storage in Firefox:

Type “about:config” in your address bar and hit enter to view your internal browser settings. Scroll down to „dom.storage.enabled“, right click on it and hit „Toggle“ to disable the DOM Storage.

Clear DOM Storage in Internet Explorer:

Select “Tools” -> “Internet Options” -> “General” -> check “Delete browsing history on exit”, click on “Delete”, check “Cookies” and click on “Delete” once more.

Disable DOM Storage in Internet Explorer:

Select “Extras” -> “Internet Options” -> “Advanced” Tab -> Go to “Security” -> uncheck “Enable DOM-Storage”

Clear DOM Storage in Chrome:

Select “Tools” -> “Clear browsing data…”, check “Delete cookies and other site data”, select “Everything” from “Clear data from this period” and click on “Clear browsing data”.

Disable DOM Storage in Chrome:

Open “Options” and select “Under the Hood” Tab. Click on “Content settings…”, select “Cookies” and set “Block sites from setting any data”.

If you are not willing to do this manually you might want to use a browser plugin that handles it for you. For Firefox I can recommend the extension BetterPrivacy. A desktop alternative to delete DOM Storage of all your installed browsers at once would be the open source tool Bleachbit.
Please note: This post has been largely inspired by an awesome article by Dustin Marx, which drills down on the topic much deeper.

Please vote: How useful was this post for you?
Current rating:
(5 out of 5)
Posted in HTML/CSS, Security/Privacy | Tagged , , , | Leave a comment