Inserts some scripts in the page - Looks like Skype.

This is the place to report bugs and get support. When posting in this forum, please always provide as much detail as possible.

Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum, do not report it as a bug.

This is the place to report bugs and get support

When posting in this forum, please try to provide as many relevant details as possible. Particularly the following:

  • What operating system were you running when the bug appeared?
  • What database platform is your site using?
  • What version of mojoPortal are you running?
  • What version of .NET do you use?
  • What steps are necessary to reproduce the issue? Compare expected results vs actual results.
Please do not report problems with a custom build or custom code in this forum. If you are producing your own build from the source code and have problems or questions, ask in the developer forum.
This thread is closed to new posts. You must sign in to post in the forums.
12/12/2012 5:41:59 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Inserts some scripts in the page - Looks like Skype.

Hi Joe,

I jus want to know whether this is a bug or a kind of INJECTION thats happening. This happened after i placed a skype call link on a contact page. I havent experienced this anywhere in the past versions. This happened today that i happen to find it in the v2.3.9.4. Please guide in what way it can be treated well and also please to mention why this happens.

Code Sample:

<div class="skype_pnh_menu_container" id="skype_pnh_menu_container" onmouseout="SkypeClick2Call.MenuInjectionHandler.hideMenu(event)" onmouseover="SkypeClick2Call.MenuInjectionHandler.showMenu(this, event)" style="display:none;">
    <div class="skype_pnh_menu_click2call">
        <a class="skype_pnh_menu_click2call_action" id="skype_pnh_menu_click2call_action">Call</a></div>
    <div class="skype_pnh_menu_click2sms">
        <a class="skype_pnh_menu_click2sms_action" id="skype_pnh_menu_click2sms_action">Send SMS</a></div>
    <div class="skype_pnh_menu_add2skype">
        <a class="skype_pnh_menu_add2skype_text" id="skype_pnh_menu_add2skype_text">Add to Skype</a></div>
    <div class="skype_pnh_menu_toll_info">
        <span class="skype_pnh_menu_toll_callcredit">You'll need Skype </span><span class="skype_pnh_menu_toll_callcredit">Credit</span><span class="skype_pnh_menu_toll_free">Free</span><span class="skype_pnh_menu_toll_free"> via Skype</span></div>
</div>

Thanks in Advance.

--
Regards
Guruprasad

12/12/2012 6:37:58 PM
Jamie E
Gravatar
Total Posts 1203
View Posts
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Inserts some scripts in the page - Looks like Skype.

It looks to me like injection of a benign sort. The Skype JavaScript call(s) that you put into your page are creating content divs at page display time. It will use those divs to display whatever it needs to to support calling from within the page.

Jamie

12/12/2012 9:11:40 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: Inserts some scripts in the page - Looks like Skype.

Hi Jamie,

thanks for the reply. But i didnt use anything new there on the page it was jus' a single line code that everyone uses.

viz. <a href="callto://SkypeUserName?call">Call Me on Skype</a>

I've been using this in my previous versions too. In that I found this injective type of results only in this version. Can you please along with JOE  check and ensure that this wont result in bringing a way for someone to hack the the website.

Also check the same in any other previous versions, this isn't happening. So plz. lemme know any additional SDK lines added in v.2.3.9.4 for skype? like the Facebook SDK added since a couple of editions back?

Thanks :-)

--
Regards
Guruprasad

12/13/2012 9:21:39 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Inserts some scripts in the page - Looks like Skype.

Hi,

When I look at the skype page about adding it to your web page it shows that javascript must be added for a call me button.

The markup you posted does not look malicious and seems like it could be added to the page by the skype javascript. Maybe you have forgotten that you added javascript somewhere (like in your master page) and not just a link. Or maybe Skype is integrated with your web browser (like a browser plugin) and is able to update the page markup even without javascript. I would be more concerned about javascript in the page than I would about extra html markup. If there is any skype javascript in the page that you did not add yourself it certainly is not coming from mojoPortal as we don't have anything skype related built in.

I would view the source of your page carefully for any skype javascript and try viewing your page form different web browsers or from different machines that don't have skype installed. 

Hope that helps,

Joe

 

12/13/2012 10:48:49 AM
Jamie E
Gravatar
Total Posts 1203
View Posts
Proud member of the mojoPortal team

Help support mojoPortal!
Add-on modules

Re: Inserts some scripts in the page - Looks like Skype.

Did you happen to recently install Skype Click2Call on your workstation? That matches the function names in the JavaScript calls you posted, and seems to me like the most likely source of the added markup.

As Joe said, if you want to put your mind at ease, access your site from a workstation without any Skype software installed.

Jamie

12/16/2012 12:38:56 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: Inserts some scripts in the page - Looks like Skype.

Hi Joe and Jamie,

That sounds reasonable, yeah i have Skype Client installed on my Windows 8 Machine and Skype2call plugin that came along for the browser.

If so...my question is...on a runtime can any Javacript get inserted inside the HTML module of our mojoPortal? Bcoz. i shared this source from my Edit-Mode and not from the browser's View-Source mode. Jus' lemme know, im curious to know can this happen? Is this like a Cross-Site Scripting?

How can I avoid that?

Thanks,
Guruprasad

12/17/2012 9:30:41 AM
Joe Audette
Gravatar
Total Posts 18439
View Posts

Re: Inserts some scripts in the page - Looks like Skype.

I think the skype browser plugin doesn't know the difference whether you are in an editor or not, it changes the markup if it sees a pattern in the markup that it recognizes, however if it does that in the editor then when you save it becomes permanent content since it will be saved in the database. If the markup were instead in the layout.master then it would only update it when using a machine that has the skype plugin, but if you save it in the editor then it will be there for all browsers even if they don't have the plugin installed.

1/15/2013 10:52:56 PM
Guruprasad
Gravatar
Total Posts 58
View Posts
"Digg-in yourself to achieve excellence!" Follow #GPsays

Re: Inserts some scripts in the page - Looks like Skype.

Hi Joe,

Thanks for your kind answer that i was guessing meanwhile. That answered this issue.
Thank You.

Regards,
Guruprasad Balaji

You must sign in to post in the forums. This thread is closed to new posts.