views:

304

answers:

2

Hi, I'm a beginner in PHP and JavaScript.

I found a link from http://cmichaelis.whsites.net/whblog/jquery-extjs-1/example2

Inside it there is a code saying :

// Adds a new closable tab to the ExtJS tab panel and loads `location` into it
function addPanel(location)
{
    tabpanel.add({
        autoLoad: {url: location},
        title: 'More Information...',
        closable: true,
        autoScroll: true
    }).show();
}

how to use :

<a href="javascript:void(0);"
   onclick="addPanel('loadpage.php?a=http://www.google.com')">
   head over to Google
</a>

What I want to ask is.. what is the code for loadpage.php?

A: 

It looks like loadpage.php could be in use to echo out the contents of www.google.com, using file_get_contents.

loadpage.php:

<?php
    // Simplified output - should sanitise $_REQUEST params etc first..
    echo file_get_contents($_REQUEST['a']);
?>

loadpage is effectively acting as a proxy, allowing your javascript to call pages which are not on your own domain.

As @annakata points out in the comments, the code above is obscenely dangerous as-is. The code is an illustration of the basic idea behind a proxy file - in production, this file would need to make sure that the $_REQUEST parameters were sanitised, e.g. only accept values from a whitelist.

The same origin policy is a security element of javascript that stops you from pulling content from outside your domain on to your page using javascript.

Some sites get around this by calling a proxy page on their own server (loadpage in this instance) which effectively just prints out the content of a target URL. As this proxy page is on your server, this bypasses the same origin security issue, and still makes available the content of a page from another domain - here www.google.com


Oops, I somewhat foolishly didn't RTFA, but just the code in the question and hypothesised at what it could be doing. @andynormancx is right in his answer as to what the page linked in the q is actually doing.

ConroyP
As it stands that's ridiculously dangerous - I hope there's a whitelist or some sanity checking in the php
annakata
Very unsafe code alright, threw it up as an example of what could be going on in the loadpage file, but answer now updated to highlight the dangers if copied and pasted, cheers!
ConroyP
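One way to do the allow-list check the answer recommends, added here as an example rather than code from the answer or from the linked page (the allowed host list, the use of $_GET instead of $_REQUEST, and the stream-context settings are assumptions):

```php
<?php
// Added example: a loadpage.php that only proxies URLs whose host is on an
// explicit allow list. The list below is assumed for illustration.
declare(strict_types=1);

const ALLOWED_HOSTS = ['www.google.com'];

/**
 * Return the URL if it may be proxied, or null if it must be rejected.
 */
function validateProxyTarget(string $raw): ?string
{
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative paths, bare filenames etc. are rejected
    }
    // Only plain http/https: blocks php://, file://, data: and similar wrappers
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // Exact host match against the allow list, not a substring match
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    // Reject embedded credentials and non-standard ports
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    return $raw;
}

$target = validateProxyTarget((string)($_GET['a'] ?? ''));
if ($target === null) {
    http_response_code(400);
    exit('Rejected: target is not on the allow list');
}

// Do not follow redirects, so an allowed host cannot bounce the proxy elsewhere
$ctx = stream_context_create([
    'http' => ['follow_location' => 0, 'timeout' => 5, 'ignore_errors' => true],
]);
$body = file_get_contents($target, false, $ctx);
if ($body === false) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
header('Content-Type: text/html; charset=utf-8');
echo $body;
```

Even with the allow list, the proxy still returns whatever the upstream host serves, so the page content should be treated as untrusted by the JavaScript that renders it.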
+1  A: 

The PHP page does not echo out the contents of google.com as suggested in the other answer. It outputs an iframe that points to Google:

<iframe src="http://www.google.com" width="100%" height="100%" frameborder="no"></iframe>
andynormancx
So what's the point? That could just as easily be done in JS without the extra roundtrip to the server.
annakata
I don't know what the point is, I can't see what it achieves.
andynormancx
It allows you to call your site "Ajax"!
troelskn
Some browsers don't allow cross-site content. Perhaps this (since it is from an HTML document and not dynamically requested) was an attempt to circumvent that restriction.
Nerdling