My IFrame response URL replaces my current web URL.

  • Question

  • User1322375056 posted

    Hi Guys, I'm facing an issue: when I click the submit button of the iframe I get a URL in response which overwrites my current browser URL. I want that response URL to be opened inside my iframe.

    I tried to debug it, but that is not possible because as soon as I click the iframe submit button the response URL (response.aspx) page overwrites my browser URL.

    Step 1: I have Iframe which i load it on HTTP://www.localhost/MYURL/default.aspx. I used .aspx page to post the form data with 3 URL.

    <%@ Page Language="C#" %>
    <script runat="server">
            // NOTE(review): not read or written anywhere in the code shown here.
            bool _postLoadCustom = false;
            /// <summary>
            /// On a non-postback request, copies the three return URLs from the request
            /// into "__"-prefixed form fields and hands them to RedirectAndPOST, which
            /// posts them to the gateway content URL.
            /// </summary>
            protected void Page_Load(object sender, EventArgs e)
            {
                if (IsPostBack)
                {
                    return;
                }

                // NOTE(review): Request.Params merges query string, form fields, cookies
                // and server variables, so all three values are caller-controlled. They are
                // forwarded unchanged as return URLs; consider checking them against an
                // allow-list of this site's own pages before posting them on.
                string cancelUrl = Request.Params["CANCELURL"];
                string errorUrl = Request.Params["ERRORURL"];
                string redirectUrl = Request.Params["REDIRECTURL"];

                NameValueCollection fields = new NameValueCollection();
                fields.Add("__CANCELURL", cancelUrl);
                fields.Add("__ERRORURL", errorUrl);
                fields.Add("__REDIRECTURL", redirectUrl);

                RedirectAndPOST(this.Page, "https://iframeURL/Content", fields);
            }
    
    
            #region RedirectAndPost
     /// <summary>
     /// Appends a self-submitting POST form for <paramref name="destinationUrl"/> to the
     /// page's control tree. The markup is wrapped in a LiteralControl, which renders
     /// its text as-is, so whatever PreparePOSTForm returns reaches the browser unchanged.
     /// </summary>
     /// <param name="page">Page that receives the generated form.</param>
     /// <param name="destinationUrl">Target of the form's action attribute.</param>
     /// <param name="data">Name/value pairs emitted as hidden inputs.</param>
     public static void RedirectAndPOST(Page page, string destinationUrl,
                                        NameValueCollection data)
            {
                LiteralControl formControl =
                    new LiteralControl(PreparePOSTForm(destinationUrl, data));
                page.Controls.Add(formControl);
            }
    
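            /// <summary>
            /// Builds the markup for a form of hidden inputs followed by the script that
            /// submits it as soon as the browser parses it.
            /// </summary>
            /// <param name="url">Value of the form's action attribute.</param>
            /// <param name="data">Name/value pairs; each key becomes one hidden input.</param>
            /// <returns>The form markup followed by the submitting script.</returns>
            /// <remarks>
            /// The URL, keys and values are attribute-encoded before they are written into
            /// the markup. The values come from the request, and without encoding a quote
            /// character in any of them would close the attribute and let the caller add
            /// markup of their own to the page.
            /// </remarks>
            private static String PreparePOSTForm(string url, NameValueCollection data)
            {
                // Fixed form name; it is also used to build the script variable below.
                const string formID = "PostForm";

                StringBuilder strForm = new StringBuilder();
                strForm.Append("<form id=\"" + formID + "\" name=\"" + formID +
                               "\" action=\"" +
                               System.Web.HttpUtility.HtmlAttributeEncode(url) +
                               "\" method=\"POST\">");

                foreach (string key in data)
                {
                    strForm.Append("<input type=\"hidden\" name=\"" +
                                   System.Web.HttpUtility.HtmlAttributeEncode(key) +
                                   "\" value=\"" +
                                   System.Web.HttpUtility.HtmlAttributeEncode(data[key]) +
                                   "\">");
                }

                strForm.Append("</form>");

                // Script that looks the form up by name and submits it.
                StringBuilder strScript = new StringBuilder();
                strScript.Append("<script language='javascript'>");
                strScript.Append("var v" + formID + " = document." +
                                 formID + ";");
                strScript.Append("v" + formID + ".submit();");
                // The closing tag is split so it is never written as one literal token.
                strScript.Append("<" + "/script>");

                // Order matters: the form must exist before the script runs.
                return strForm.ToString() + strScript.ToString();
            }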
        #endregion
        
    </script>
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title></title>
    </head>
    <body>
      Loading...
    </body>
    </html>

    Step 2: As soon as I click the iframe submit button I get a URL as a response, which I want to open back in the iframe.

    <%@ Page Language="C#"  %>
    <!DOCTYPE html>
    <script runat="server">
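        /// <summary>
        /// On a non-postback request, reads the "status" query-string value (expected
        /// as "status-sessionID"), and posts an XML request to the configured server
        /// that resumes that session and stores the status at data/status.
        /// </summary>
        /// <remarks>
        /// A missing or malformed "status" value now ends the request with HTTP 400
        /// instead of failing with a null-reference or index error.
        /// NOTE(review): both values come from a query string the browser controls, so
        /// anyone who can request this page can set the flag for a session ID they
        /// know. Confirm the outcome with the provider before relying on it.
        /// </remarks>
        public void Page_Load(object sender, EventArgs e)
        {
            if (IsPostBack)
            {
                return;
            }

            string rawStatus = Request.QueryString["status"];
            string[] parts = rawStatus == null ? new string[0] : rawStatus.Split('-');
            if (parts.Length < 2)
            {
                Response.StatusCode = 400;
                return;
            }

            // NOTE(review): only the second segment is used, so a session ID that itself
            // contains '-' is cut short. Verify against the ID format actually issued.
            string status = parts[0];
            string sessionID = parts[1];
            string exampleServerUrl = ConfigurationManager.AppSettings["EXAMPLEServerURL"];

            //Save Response for the STATUS flag to the Node in Policy XML
            string request =
                    @"
					<server><requests>
					<Session.resumeRq sessionID=""{0}""/>
					<Session.setElementRq path=""data/status"" value=""{1}""/>
					</requests></server>";

            // Escape both values before they are placed inside XML attributes; unescaped,
            // a quote in the query string would end the attribute and let the caller
            // append attributes or whole request elements of their own.
            request = string.Format(
                request,
                System.Security.SecurityElement.Escape(sessionID),
                System.Security.SecurityElement.Escape(status));

            // The server's reply is not used by the code shown here.
            this.HTTPPost(exampleServerUrl, request);
        }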
    
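        /// <summary>
        /// Sends <paramref name="requestXML"/> as a text/xml POST to
        /// <paramref name="url"/> and returns the response body decoded as UTF-8.
        /// </summary>
        /// <param name="url">Endpoint that receives the request.</param>
        /// <param name="requestXML">Request document to send as the POST body.</param>
        /// <returns>The full response body as a string.</returns>
        /// <remarks>
        /// The request stream, response and reader are wrapped in using blocks so they
        /// are released even when the write or the read throws. Exceptions raised by
        /// the request itself still propagate to the caller as before.
        /// </remarks>
        private string HTTPPost(string url, string requestXML)
        {
            System.Net.HttpWebRequest wr = (System.Net.HttpWebRequest)System.Net.WebRequest.Create(url);
            wr.Timeout = 90000; // milliseconds
            wr.ServicePoint.ConnectionLimit = 10;
            wr.Method = "POST";
            wr.ContentType = "text/xml";

            // NOTE(review): ASCII encoding turns every non-ASCII character into '?',
            // while the response below is read as UTF-8. Confirm which encoding the
            // server expects for the request body.
            byte[] payload = System.Text.Encoding.ASCII.GetBytes(requestXML);
            using (System.IO.Stream body = wr.GetRequestStream())
            {
                body.Write(payload, 0, payload.Length);
            }

            using (System.Net.WebResponse resp = wr.GetResponse())
            using (System.IO.StreamReader reader =
                       new System.IO.StreamReader(resp.GetResponseStream(), System.Text.Encoding.UTF8))
            {
                return reader.ReadToEnd();
            }
        }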
    
    
    </script>
    
    <html xmlns="http://www.w3.org/1999/xhtml">
    <head runat="server">
    </head>
    <body>
         <form id="paypageresponce" runat="server" method="post">
    			<!--#include file="Response.html"-->
               <label>In progress...please wait</label>
         </form>
           
    </body>
    </html>
    

    Sunday, June 16, 2019 5:32 AM

All replies

  • User475983607 posted

    There is no iFrame in the posted code.   I see you've built a self-submitting form and you're making an HTTP POST request that populates HTML and injects the HTML in the response.  It looks like you are trying to hack a payment gateway API rather than using the gateway as intended.  

    Can you explain the intent of the code at a high level?  

    Sunday, June 16, 2019 10:46 AM
  • User1322375056 posted

    Hi,

    PFB iFrame code: 

    <iframe src="https://iframeurl.com/context?cancelurl=./response.aspx?decline=./resonse.aspx" />

    In step 1, I have created the form and post it.

    Sunday, June 16, 2019 3:41 PM
  • User475983607 posted

    Jgupta

    Hi,

    PFB iFrame code: 

    <iframe src="https://iframeurl.com/context?cancelurl=./response.aspx?decline=./resonse.aspx" />

    In step 1, I have created the form and post it.

    I still do not see iframe markup, plus the design makes little sense.  What is a PBF Iframe?

    Payment gateways generally provide a few methods for making payments.  1)  The browser is redirected to the payment providers web application then redirected back when the payment is complete.  2) The payment gateway exposes service to allow developers to create their own shopping cart experience.  

    The code shown indicates you are trying to hack option 1.  You don't want to do that and doing so probably violates the payment provider's terms of use.  

    Sunday, June 16, 2019 3:54 PM
  • User1322375056 posted

    From step 1 I was adding the data that is required to be sent to the service provider to load the iframe.

    I was not trying to hack or violating their term.

    <iframe id="iframe1" name="IframeName" src="www.https://myserver/serviceprovier/myaspxpage.aspx?cancelurl?declineurl?confirmurl" /> This is the way I load the iframe in my application.

    From step 1 I was creating the form data that need to be posted to my service vendor. I add all the url that I was sent to my service vendor. As my iframe load and when I click iframe submit button, one of the url I get back in response which tells the status.

    But in my case, the response URL overwrite the current(default.aspx) url.

    from step 2: I have called the Js function which trims url and tell me the status and perform another task.

    That all code i have done.

    Sunday, June 16, 2019 4:25 PM
  • User475983607 posted

    You have not explained the problem you are trying to solve or what step 1 and step 2 mean.  Furthermore, you are explaining the design which I believe has a few bugs.

    An iframe is separate window.  If the src of the iframe is your payment service provider then you have no control over the contents, JavaScript, or server side code.  The site is not under your control.

    The iframe markup shown has an invalid src attribute.

    <iframe id="iframe1" name="IframeName" src="www.https://myserver/serviceprovier/myaspxpage.aspx?cancelurl?declineurl?confirmurl" /> 

    I tried to make sense of the posted code but I could not understand what it is supposed to do.  The HTTPPost method makes an XML service request, converts the response to a string, and the response is never used.  Perhaps the XML string is used elsewhere - we cannot see that part of the code.

    The first snippet of code has several issues.  I'm pretty sure the If(IsPostBack) block has a bracket placement error or missing brackets.

            // Quoted from the first snippet: on a non-postback request, reads three URL
            // values from the request and passes them to RedirectAndPOST.
            protected void Page_Load(object sender, EventArgs e)
            {
                // Braceless guard: only this return statement belongs to the if.
                if (IsPostBack)
                    return;
                // Request.Params covers query string, form fields, cookies and server
                // variables, so these values are not limited to the query string.
    			string CANCELURL = Request.Params["CANCELURL"];
    			string ERRORURL = Request.Params["ERRORURL"];
    			string REDIRECTURL = Request.Params["REDIRECTURL"];
                // The braces below open a plain nested block. They are not attached to the
                // if above, so this part runs on every request that is not a postback.
                {
                    NameValueCollection data = new NameValueCollection();
                    data.Add("__CANCELURL", CANCELURL);
                    data.Add("__ERRORURL", ERRORURL);
                    data.Add("__REDIRECTURL", REDIRECTURL);
                    RedirectAndPOST(this.Page,"https://iframeURL/Content", data);
                }
            }

    As written, Page_Load returns immediately if the request is a PostBack.  Otherwise, it looks for values in the querystring the first time the page is loaded.  The values cannot exist in a POST because that would cause a return.  Next, the code builds a self-submitting form string.  As above, there's no indication of what's done with the HTML self-posting form string.

    Sunday, June 16, 2019 7:25 PM
  • User753101303 posted

    Hi,

    Is your submit button in the main frame? Try to give your iframe a name and use target="thisName":
    https://www.w3schools.com/html/tryit.asp?filename=tryhtml_iframe_target

    Make sure this is needed. I tend to move away from iframe based design unless I really have to. You can't post from server side C#? It seems you have to post the same data to 3 distinct locations ???

    Tuesday, June 18, 2019 11:51 AM