dane
#1 Posted : Tuesday, June 15, 2010 4:16:05 AM(UTC)
Rank: Member
Groups: Member
Joined: 1/6/2010(UTC)
Posts: 15

I'm bringing this up because of my interest in the application's security. From what I can tell, only some of the parameters set using addParam() actually get saved into the DOM, under iu._params. When the iu.writeHTML() method is called to embed the uploader, I assume whatever has been set there will be saved in the Java instance of the uploader. I assume this because when editing the DOM values directly, for example, changing the FilesPerOnePackageCount to a number higher than initially specified, the uploader will only upload using the initial package size specified. In fact, if I delete the iu._params object from the iu object on FullPageLoad, the uploader does not appear to be affected by that whatsoever and has remembered all the values set, which is great.

My question is this:

When you hide the uploader on the page using CSS (display:none), and then re-display it, does the IU reinitialize all the values set by addParam() or has it remembered these values? Moreover, if I remove the uploader from the page entirely (innerHTML=""), and then re-embed it, will it remember these values or will they all need to be set again?

By the way, just a suggestion, I've noticed that there are a number of variables and functions from IU that are just floating around in the DOM's global namespace. Admittedly, you guys have kept some of the IU stuff together, but it would be great if all of the IU variables and functions were declared in their own namespace.

Another thing, is there a recommended way of not declaring the IULocalization() object if it's not needed? Currently I'm deleting it on FullPageLoad.
andreym
#2 Posted : Tuesday, June 15, 2010 1:56:33 PM(UTC)
Rank: Advanced Member
Groups:
Joined: 6/16/2009(UTC)
Posts: 134
Was thanked: 8 time(s) in 8 post(s)
Hi dane!

When you call iu.writeHtml(), it generates html markup for the java applet or activex. The html looks like this:
Code:
<embed id="ImageUploader1" type="application/x-java-applet;version=1.5" codebase="../Scripts/" code="com.aurigma.imageuploader.ImageUploader.class" archive="ImageUploader6.jar" scriptable="true" mayscript="true" pluginspage="http://java.sun.com/products/plugin/index.html#download" cache_archive="ImageUploader6.jar" cache_version="6.5.6.0" maxfilecount="10" maxfilesize="3145728" maxtotalfilesize="10485760" panelayout="TwoPanes" showdebugwindow="true" allowrotate="false" backgroundcolor="#ffffff" licensekey="71060-10000-F0783-9F2E6-B8FB8;72060-10000-1B006-01BDF-5E6F6;71060-10000-AB772-8823F-99A51;72060-10000-58852-2868C-9B915" uploadthumbnail1fitmode="Fit" uploadthumbnail1width="120" uploadthumbnail1height="120" uploadthumbnail1jpegquality="60" action="upload.aspx?SessionID=7cf16c57-5c02-49d9-a9e1-91dced107199" redirecturl="gallery.aspx" initcompletelistener="ImageUploader1_AutoCallback1" height="400" width="650">

Actually, this html is for the java applet in non-IE browsers. In IE, the java and activex html look different.

Then this html is inserted into the page through the document.write() method. When the applet or activex initializes, it takes the values from this html markup. That is why you can remove iu._params and even the whole iu object after you embed the control: all the values you set with addParam are already stored in the html markup.

If you change this markup with tools like Firebug, Web Inspector or Web Developer Tools and then hide and show the control, the control will be reinitialized and the values will be read from the html markup again. And yes, if it was changed, the new values will be applied. However, the IE browser does not re-initialize the control when you hide and show it.

But there cannot be any security issues here. If some bad code can change the markup on your page, then it can completely remove your image uploader control and create its own image uploader control. Moreover, most of the uploader properties can be configured at runtime. For example:
Code:
getImageUploader("ImageUploaderID").setFilesPerOnePackageCount(value);
Quote:
By the way, just a suggestion, I've noticed that there are a number of variables and functions from IU that are just floating around in the DOM's global namespace. Admittedly, you guys have kept some of the IU stuff together, but it would be great if all of the IU variables and functions were declared in their own namespace.

You are right. But moving the functions to a local namespace requires changing the API, so getImageUploader('uploaderID') or ImageUploaderWriter('uploaderID', 500, 500) would not work. In a future major release we will change the API and move the Image Uploader functions from global scope into one namespace.
Something similar to what we have done for the flash uploader:
Code:
var u = $au.imageUploaderFlash({
    id: 'Uploader1',
    width: '100%',
    height: '480px',
    converters: [
        { mode: '*.*=SourceFile' },
        { mode: '*.*=Thumbnail;*.*=Icon', thumbnailFitMode: 'Fit', thumbnailWidth: '120', thumbnailHeight: '120' }
    ], upload: {
        actionUrl: 'upload.aspx?uploadtoken=71c55ccc1ce94b3dbad243a3a9b7035c'
    }, flashControl: {
        codeBase: '../Scripts/aurigma.imageuploader.swf'
    }
});

u.writeHtml();

Quote:
Another thing, is there a recommended way of not declaring the IULocalization() object if it's not needed? Currently I'm deleting it on FullPageLoad.

Well, officially there is no way to do it. I think you are the first who needs it :) And if removing the IULocalization object on FullPageLoad works for you, I think it is fine.

Edited by user Tuesday, June 15, 2010 11:02:12 PM(UTC)  | Reason: Not specified
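The limits in the embed markup above (maxfilecount, maxfilesize, maxtotalfilesize) are read by the applet from the page, and, as the reply notes, whoever can edit the page can change them, so the upload handler has to enforce the same limits itself rather than trust the client. This is an added example, not the project's code: parseUploaderLimits pulls the numbers out of a constructed, trimmed copy of the markup, and validateUploadPackage is a hypothetical server-side check of a file package against them.

```javascript
// Constructed, trimmed copy of the <embed> markup from the reply above; the
// numeric limits are the only attributes this example cares about.
const MARKUP = '<embed id="ImageUploader1" maxfilecount="10" maxfilesize="3145728" ' +
  'maxtotalfilesize="10485760" action="upload.aspx">';

// Pull the numeric limit attributes out of the markup string. A missing
// attribute yields Infinity, i.e. no limit, which validateUploadPackage then
// never trips on.
function parseUploaderLimits(markup) {
  const limits = {};
  for (const name of ['maxfilecount', 'maxfilesize', 'maxtotalfilesize']) {
    const m = new RegExp(name + '="(\\d+)"', 'i').exec(markup);
    limits[name] = m ? parseInt(m[1], 10) : Infinity;
  }
  return limits;
}

// Hypothetical server-side check of one upload package (array of
// {name, size}) against the limits. Returns a list of violations; an empty
// list means the package is acceptable. Sizes must be non-negative integers.
function validateUploadPackage(files, limits) {
  const problems = [];
  if (files.length > limits.maxfilecount) {
    problems.push(`file count ${files.length} exceeds ${limits.maxfilecount}`);
  }
  let total = 0;
  for (const f of files) {
    if (!Number.isInteger(f.size) || f.size < 0) {
      problems.push(`${f.name}: invalid size`);
      continue;
    }
    total += f.size;
    if (f.size > limits.maxfilesize) {
      problems.push(`${f.name}: ${f.size} bytes exceeds ${limits.maxfilesize}`);
    }
  }
  if (total > limits.maxtotalfilesize) {
    problems.push(`total ${total} bytes exceeds ${limits.maxtotalfilesize}`);
  }
  return problems;
}

// Constructed samples: a package that fits the markup limits, and one a client
// could send after editing the attributes in its own DOM to allow a larger file.
const limits = parseUploaderLimits(MARKUP);
const okPackage = [{ name: 'a.jpg', size: 1000000 }, { name: 'b.jpg', size: 2000000 }];
const badPackage = [{ name: 'big.jpg', size: 5000000 }];
```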