DMXzone Security Provider PHP Support Product Page
Solved
Texts/content visible in the browser's source code
Reported 17 Dec 2013 16:54:35
1
has this problem
17 Dec 2013 16:54:35 Michele - posted:
Hi… I’m starting to use your extension but I’ve BIG security problem… in the source code I can view all the code in the page, texts that should be hidden instead are shown in the "view source code" of the browser.I checked your demo/showcases and I found the same problem there too.
Even without login authentication, I can see the source code hidden.
Only the database's content is hidden… but this extension can protect the content in the pages or only content in the database?
Thanks.
Regards,
Michele
Replies
Replied 18 Dec 2013 10:23:48
18 Dec 2013 10:23:48 Teodor Kuduschiev replied:
Hello Michele,
Is your question referring to some hidden region on your page?
Did you secure the datasets on your page? The extension secures the database results on your page and they cannot be viewed by inspecting the source.
If you don't want the users to be able to even inspect your page source you can just apply a redirect behavior that leads the not-logged in users to some login page.
Is your question referring to some hidden region on your page?
Did you secure the datasets on your page? The extension secures the database results on your page and they cannot be viewed by inspecting the source.
If you don't want the users to be able to even inspect your page source you can just apply a redirect behavior that leads the not-logged in users to some login page.
Replied 18 Dec 2013 16:12:28
18 Dec 2013 16:12:28 Michele - replied:
So, "Security Provider" is a plugin for your extensions DB Connector and Updater?
Where is possible to found the redirect behavior that you suggest me? Is it included in the behaviors of Security Provider extension?
Anyhow, I think it's impossibile to include all the contents of a private area in a table of a database.
For example, in your demo, without login authentication I see this message in the browser's window:
... but, if I check the source code in the browser I can see the db configuration and the code that should be visible only after login, for example:
Where is possible to found the redirect behavior that you suggest me? Is it included in the behaviors of Security Provider extension?
Anyhow, I think it's impossibile to include all the contents of a private area in a table of a database.
For example, in your demo, without login authentication I see this message in the browser's window:
"Please log in to proceed, The Administrator Back-end of this Content Management System is available only for registered users. Please Log in using a valid username and password."
... but, if I check the source code in the browser I can see the db configuration and the code that should be visible only after login, for example:
<section id="content" data-binding-show="{{$SECURITY.identity}}"> <div class="container"> <div class="row stats-row"> <div class="span4 stat"> <div class="data"> <span class="number">2457</span> visits </div> <span class="date">Today</span> </div> <div class="span4 stat"> <div class="data"> <span class="number">3240</span> users </div> <span class="date">last week</span> </div> <div class="span4 stat last"> <div class="data"> <span class="number">$2,340</span> sales </div> <span class="date">last 30 days</span> </div> </div> <div class="row"> <div id="left-nav" class="span2"> <ul class="nav nav-tabs nav-stacked">[*]<a href="javascript:void(0);">Dashboard <i class="fa fa-angle-double-right">[/i]</a>[/*] <li class="disabled"><a>Articles</a>[/*] <li class="disabled"><a>Tasks</a>[/*] <li class="disabled"><a>Messages</a>[/*][/list] </div> <div id="dashboard" class="span10"> <h2 class="table-title">Orders[/h2] <table class="table table-hover"> <thead> <tr> <th> ID</th> <th> Date </th> <th>Name</th> <th> Status </th> </tr> </thead> <tbody> <tr data-binding-repeat="{{Orders.data}}" data-binding-id="repeat2"> <td><a href="#">#{{idsp_orders}}</a></td> <td> {{date}}</td> <td> <a href="#">{{name}}</a> </td> <td> <span class="{{status.contains( "Pending" ).then( "label label-info", "label label-success" )}}">{{status}}</span></td> </tr> </tbody> </table> <hr/> <h2 class="table-title">Users[/h2] <table class="table table-hover"> <thead> <tr> <th> Name</th> <th> Signed Up </th> <th>Total Spent</th> <th> Email </th> </tr> </thead> <tbody> <tr data-binding-repeat="{{Users.data}}" data-binding-id="repeat1"> <td>[img]img/{{id}}.jpg" alt="avatar" class="img-circle" data-binding-src="img/{{id}}.jpg"> <a class="name" href="#">{{name}}</a></td> <td>{{signed}}</td> <td>{{spent.currency( "$", ".", ",", 2 )}}</td> <td><a href="#">{{email}}</a></td> </tr> </tbody> </table> </div> </div> </div> </section>
Replied 18 Dec 2013 16:28:31
18 Dec 2013 16:28:31 Michele - replied:
For my curiosity, did you used Security Provider technology for your private area?
www.dmxzone.com/user/products
In this page, the security is good and I didn't see in the source code the structure of the private area and db configuration... the source code without login is different from that with authentication (as it should be for a guaranteed safety).
www.dmxzone.com/user/products
In this page, the security is good and I didn't see in the source code the structure of the private area and db configuration... the source code without login is different from that with authentication (as it should be for a guaranteed safety).
Replied 18 Dec 2013 17:10:58
18 Dec 2013 17:10:58 Teodor Kuduschiev replied:
Hello,
On our demo the data is just there for design purposes -> static ui elements.
The extension is created to secure your database content and actions setup with the database Connector and Database Updater, the rest is jut data.show or data.hide attribute based on if you are logged in or not.
The behavior i am talking about is the DMXzone Security Provider Page Executor behavior as on this screenshot:
FULL SIZE HERE
On our demo the data is just there for design purposes -> static ui elements.
The extension is created to secure your database content and actions setup with the database Connector and Database Updater, the rest is jut data.show or data.hide attribute based on if you are logged in or not.
The behavior i am talking about is the DMXzone Security Provider Page Executor behavior as on this screenshot:
FULL SIZE HERE
Replied 18 Dec 2013 17:35:50
18 Dec 2013 17:35:50 Michele - replied:
Ok, thanks.
In the redirect page with the login is possibile after the authentication return back to the page start (the page where the user is arrived before that redirect moved to the login page)?
P.S. I hope to see in the next version of Security Provider a new "behavior" that allow to hide the body content (static and dynamic) when the user is not login.
For "static" I also intend the html structure... I don't think that a business company wants to show to unauthorized people the html structure of its private area (div, h1, img, class, id, etc.).
In the redirect page with the login is possibile after the authentication return back to the page start (the page where the user is arrived before that redirect moved to the login page)?
P.S. I hope to see in the next version of Security Provider a new "behavior" that allow to hide the body content (static and dynamic) when the user is not login.
For "static" I also intend the html structure... I don't think that a business company wants to show to unauthorized people the html structure of its private area (div, h1, img, class, id, etc.).
Replied 21 Dec 2013 16:25:41
21 Dec 2013 16:25:41 George Petrov replied:
Hi Michele,
In next updates of the security provider we will also offer a full restriction of content on php pages.
Greetings,
George
In next updates of the security provider we will also offer a full restriction of content on php pages.
Greetings,
George
Replied 21 Dec 2013 16:55:23
21 Dec 2013 16:55:23 Michele - replied:
Thanks George!!!
Replied 16 Jan 2014 16:24:05
16 Jan 2014 16:24:05 Michele - replied:
Hello... is available "full restriction of content on php pages" in the last 1.0.1 version or it's still "under construction"?
Thanks
Thanks
Replied 16 Jan 2014 16:33:46
16 Jan 2014 16:33:46 Teodor Kuduschiev replied:
Hello Michele,
This option is still 'under construction'.
This option is still 'under construction'.
Replied 27 Jan 2014 13:12:06
27 Jan 2014 13:12:06 Michele - replied:
I'm planning to release a website that need hidden code... is the feature requested in this post coming soon (this week) or the develop is still to start?
Thanks
Thanks
Replied 28 Jan 2014 12:34:00
28 Jan 2014 12:34:00 Teodor Kuduschiev replied:
Hello Michele,
This feature is still work in progress. You can use hidden regions + redirection for not-logged in user.
This feature is still work in progress. You can use hidden regions + redirection for not-logged in user.
Replied 26 Mar 2014 14:05:59
26 Mar 2014 14:05:59 Michele - replied:
Will be this feature available in the next release?
Do you have a timetable about it?
Thanks
Do you have a timetable about it?
Thanks
Replied 23 Apr 2014 14:40:46
23 Apr 2014 14:40:46 Teodor Kuduschiev replied:
Hello,
Please update the extension - it includes the new feature "Page Security Enforcer" which does exactly what you need.
Please update the extension - it includes the new feature "Page Security Enforcer" which does exactly what you need.
Replied 24 Apr 2014 06:08:41
24 Apr 2014 06:08:41 steve smith replied:
I just updated to the latest version and when I try to use the Security Enforcer I receive a script error... While executing onClick in dmxSecurityProviderEnforcer.htm, the following JavaScript error(s) occurred:
At line 174 of file "C;\Users\....\dmxSecurityProvider_lib.js":
str has no properties
I have tried removing and reloading the extension but get the same error every time. Any ideas???
At line 174 of file "C;\Users\....\dmxSecurityProvider_lib.js":
str has no properties
I have tried removing and reloading the extension but get the same error every time. Any ideas???
Replied 24 Apr 2014 11:59:44
24 Apr 2014 11:59:44 Teodor Kuduschiev replied:
There was a minor bug in the extension code, which pointed to a wrong location if you do not have the SEO Extension installed. Please download and install the extension again - this is now fixed.