Getting current URL for the Open Graph URL meta-tag


Matthew

Jan 11, 2018, 1:19:50 AM
to CFWheels
Hey All,

I got a question regarding getting the current URL from Wheels so I can populate the og:url meta tag. I thought I would just use ACF for this, but the CGI variables just return rewrite.cfm, not the actual Wheels URL. I cannot populate it via JS because the Facebook scraper will not run the JS and the field will just be empty. So any ideas would really help as to how I could get the tag populated server side with the Wheels URLs.

Thanks all! 

Matthew

Jan 11, 2018, 2:05:43 AM
to CFWheels
Well I solved this being a little tricky. I was hoping for a more elegant solution but if anyone else needs to do this here is how I accomplished it.

In the main public site controller: Controller.cfc

I added a pseudo-init variable above the init call:

variables.meta = {
  description="",
  keywords="",
  og = {
    url="",
    type="website",
    title="",
    description="",
    image=""
  }
};
 
I added a filter in the init method that runs "createOpenGraphMetaURL":

private void function createOpenGraphMetaURL() {
  variables.meta.og.url = "http://www." & get( 'domainName' );

  var urlForArgs = {};

  // Base params used in routing (guard the key so a request without a route does not throw)
  if ( structKeyExists( params, "route" ) && Len( params.route ) ) {
    urlForArgs.route = params.route;
  }
  if ( structStringExists( params, "action", true ) ) {
    urlForArgs.action = params.action;
  }
  if ( structStringExists( params, "key", true ) ) {
    urlForArgs.key = params.key;
  }

  // Any custom params used in routing
  if ( structStringExists( params, "customParam1", true ) ) {
    urlForArgs.customParam1 = params.customParam1;
  }
  if ( structStringExists( params, "customParam2", true ) ) {
    urlForArgs.customParam2 = params.customParam2;
  }

  // URLFor() builds the route-based path from the collected params
  variables.meta.og.url &= URLFor( argumentCollection=urlForArgs );
}

Then in my layout I just output the variables.meta.og.url:

<meta property="og:url" content="#variables.meta.og.url#" />

Oh, and I always use the StructTypeExists plugin by Chris Peters (that is where structStringExists() comes from).

Well I hope that helps someone searching for something like this in the future. And if there is a more elegant way to get this done please let me know.

Thanks All!

Andrew Bellenie

Jan 11, 2018, 3:25:07 AM
to cfwh...@googlegroups.com
What you need should be in cgi.path_info

You can also use urlFor() and pass in params with pathOnly=false

--
You received this message because you are subscribed to the Google Groups "CFWheels" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cfwheels+u...@googlegroups.com.
To post to this group, send email to cfwh...@googlegroups.com.
Visit this group at https://groups.google.com/group/cfwheels.
For more options, visit https://groups.google.com/d/optout.

Andrew Bellenie

Jan 11, 2018, 4:39:34 AM
to ColdFusion on Wheels
Apologies, it is onlyPath=false


Matthew

Jan 11, 2018, 2:15:28 PM
to CFWheels
Thanks Andrew!

Rethinking things after your reminder of cgi.path_info, I changed my createOpenGraphMetaURL() to something much simpler, although it no longer leverages Wheels functions.

variables.meta.og.url = "http://";

if ( cgi.https == "on"  ) {
  variables.meta.og.url = "https://";
}

variables.meta.og.url &= cgi.http_host & cgi.path_info;

if ( Len( cgi.query_string ) ) {
  variables.meta.og.url &= "?" & cgi.query_string;
}

So thanks again!

Tom King

Jan 11, 2018, 2:18:29 PM
to cfwh...@googlegroups.com
Just to flag up, that's a massive XSS hole; you need to sanitise that when outputting! Be very careful when directly referencing the CGI scope.
T
--


Tom King

Web Development Consultant

+44(0)7775 926480 | oxalto.co.uk | @neokoenig | linkedIn

Matthew

Jan 11, 2018, 2:25:46 PM
to CFWheels
Hi Tom,

Can you elaborate on that? Is the concern that I am outputting the cgi.query_string without any sanitization, or was there something else?

Tom King

Jan 11, 2018, 2:51:25 PM
to cfwh...@googlegroups.com
Yes, I'm just talking about sanitisation really:

This is more for the benefit of other devs who might not have experience here: Reflected cross-site scripting vulnerabilities arise when data is copied from a request and echoed into the application's immediate response in an unsafe way. An attacker can use the vulnerability to construct a request that, if issued by another application user, will cause JavaScript code supplied by the attacker to execute within the user's browser in the context of that user's session with the application.

The CGI scope can have all sorts of things injected into it: CGI.query_string is the worst culprit most of the time, but even a referer's IP address can be spoofed with JS code etc. (think logging of requests in your application).
Normally we wouldn't output the contents directly, we might reference it, but as you're talking about outputting the CGI scope directly into HTML, I thought it was worth flagging.


If your OG meta tag just outputs variables.meta.og.url as per your example, then I can just do http://domain.com/myaction?"/><script>alert(8899);</script>

Which executes:
<meta property="og:url" content="/><script>alert(8899);</script>

in the html; so I could craft a malicious response, send an email to a user with the crafted link, and then they've executed that JS unwittingly.

Apologies if this sounds patronising, it's not meant to be - I'm really just noting it here in case a newbie comes and just copy / pastes the example!

T

Matthew

Jan 11, 2018, 3:01:45 PM
to CFWheels
It's all good... lol

I appreciate the "flagging". I did wrap the cgi.query_string in the Wheels stripTags() and after your post got paranoid (cause that is how I roll) and am adding even more. I am adding a validURLParams check in just to strip out anything that is not specifically on my list of valid URL params. I will post that for reference to ensure others that run across this post see it. Here is the stripTags addition.

variables.meta.og.url &= "?" & stripTags( cgi.query_string );


I will post the valid URL params addition here shortly when I get it knocked out. If there are any other vulnerabilities in this I definitely want to know :-)

Matthew

Jan 11, 2018, 3:22:14 PM
to CFWheels
Here is what I have done to further secure this, although I still may add more, putting in RegEx to scrub even more if the param is valid but the value is jacked with... I will post that as well if I don't feel secure enough with this.

private void function createOpenGraphMetaURL() {
  var validURLParamList = "controller,action,key,year,name,tag";
  var validURLParams = "";

  variables.meta.og.url = "http://";

  if ( cgi.https == "on" ) {
    variables.meta.og.url = "https://";
  }

  variables.meta.og.url &= cgi.http_host & cgi.path_info;

  if ( Len( cgi.query_string ) ) {
    // Convert the cgi.query_string into an array of params and loop over them, only keeping the valid ones
    var attemptedURLParams = ListToArray( cgi.query_string, "&" );
    for ( var urlParam in attemptedURLParams ) {
      // ListFindNoCase matches a whole list element; ListContainsNoCase would also accept substrings such as "act"
      if ( ListFindNoCase( validURLParamList, ListFirst( urlParam, "=" ) ) ) {
        validURLParams = ListAppend( validURLParams, urlParam, "&" );
      }
    }
    variables.meta.og.url &= "?" & stripTags( validURLParams );
  }
}

Per Djurner

Jan 11, 2018, 3:31:31 PM
to cfwh...@googlegroups.com
Since it goes in an HTML attribute you should probably use EncodeForHTMLAttribute (https://cfdocs.org/encodeforhtmlattribute).
No need for anything else as far as I'm aware (right, Tom?).

--

Tom King

Jan 11, 2018, 3:33:49 PM
to cfwh...@googlegroups.com

EncodeForHTML() should do it for output!

Matthew

Jan 11, 2018, 4:25:39 PM
to CFWheels
So...

variables.meta.og.url &= "?" & EncodeForHTML( validURLParams );

Matthew

Jan 11, 2018, 4:27:27 PM
to CFWheels
Also I wrapped it up in a Len check...

if ( Len( validURLParams ) ) {
  variables.meta.og.url &= "?" & EncodeForHTML( validURLParams );
}

Tom King

Jan 11, 2018, 4:28:55 PM
to cfwh...@googlegroups.com

Personally I'd just output with the encode call in the layout.cfm: it gets you in the habit of encoding everything which goes into a view template.
T
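Putting the thread's advice together as one added example (this is not code from the thread or from CFWheels): the query string is rebuilt from an allowlist of parameter names with every name and value re-encoded rather than copied through, the host comes from configuration instead of the request, and the attribute-context encoding happens in the layout at the point of output, as Tom and Per suggest. The function names, the "www.example.com" domain and the constructed CGI struct are assumptions for illustration; the payload shape is the one Tom quoted above.

```cfml
<!--- Added example, not from the thread or from CFWheels. Function names,
      the domain and the constructed CGI struct below are assumptions. --->
<cfscript>
// Split a raw query string into decoded name/value pairs.
// "a=1&b=x%3Dy&c" -> [{name:"a",value:"1"},{name:"b",value:"x=y"},{name:"c",value:""}]
array function parseQueryString(required string queryString) {
    var pairs = [];
    for (var part in listToArray(arguments.queryString, "&")) {
        var eq = find("=", part);
        if (eq == 1) {
            continue; // no name, nothing worth keeping
        }
        var rawName  = (eq == 0) ? part : left(part, eq - 1);
        var rawValue = (eq > 0 && len(part) > eq) ? mid(part, eq + 1, len(part) - eq) : "";
        arrayAppend(pairs, { name: urlDecode(rawName), value: urlDecode(rawValue) });
    }
    return pairs;
}

// Keep only allowlisted names and rebuild the query string with every name
// and value URL-encoded, so nothing from the request is copied verbatim.
string function allowlistedQueryString(required string queryString, required array allowedNames) {
    var kept = [];
    for (var pair in parseQueryString(arguments.queryString)) {
        // arrayFindNoCase is an exact element match, unlike a substring check
        if (arrayFindNoCase(arguments.allowedNames, pair.name) > 0) {
            arrayAppend(kept, encodeForURL(lCase(pair.name)) & "=" & encodeForURL(pair.value));
        }
    }
    return arrayToList(kept, "&");
}

// Absolute URL for the current request. The host is taken from configuration
// (siteDomain), not from cgi.http_host, which is just the request's Host header.
// The CGI scope is passed in as a struct so the function can be exercised in a test.
string function canonicalRequestURL(required struct cgiScope, required string siteDomain, required array allowedNames) {
    var scheme = (structKeyExists(arguments.cgiScope, "https") && lCase(arguments.cgiScope.https) == "on")
                 ? "https://" : "http://";
    var path   = structKeyExists(arguments.cgiScope, "path_info") ? arguments.cgiScope.path_info : "/";
    var query  = structKeyExists(arguments.cgiScope, "query_string")
                 ? allowlistedQueryString(arguments.cgiScope.query_string, arguments.allowedNames)
                 : "";
    return scheme & arguments.siteDomain & path & (len(query) ? "?" & query : "");
}

// Constructed request shaped like the payload quoted earlier in the thread: the
// injected parameter name is not on the allowlist, so it is dropped entirely.
allowed = ["controller", "action", "key"];
fakeCGI = {
    https: "off",
    path_info: "/myaction",
    query_string: 'action=show&"/><script>alert(8899);</script>=1'
};
ogUrl = canonicalRequestURL(fakeCGI, "www.example.com", allowed);
// ogUrl is "http://www.example.com/myaction?action=show"
</cfscript>

<!--- In the layout: encode for the attribute context at the point of output.
      Even an allowlisted value that carries quotes or angle brackets is then
      rendered as inert text inside the attribute. --->
<cfoutput>
<meta property="og:url" content="#encodeForHTMLAttribute(ogUrl)#" />
</cfoutput>
```

Two design points worth noting: the allowlist is applied to decoded names and the output is re-encoded with encodeForURL(), so a value that passes the allowlist still cannot carry raw quotes into the URL; and cgi.path_info is still request data, so the encodeForHTMLAttribute() call in the layout is what actually protects the attribute, not the allowlist. The allowlist mainly keeps the canonical URL honest for the scraper.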

Matthew

Jan 11, 2018, 4:31:56 PM
to CFWheels
Yeah I like that idea better.

Thanks Tom & Per, you guys are awesome!

John M Bliss

Jan 11, 2018, 4:32:45 PM
to cfwh...@googlegroups.com
They know.  ;-)
