iwan

Load page within the page

I'm a beginner in PHP and JavaScript.

I found a link from http://cmichaelis.whsites.net/whblog/jquery-extjs-1/example2

Inside it there is code saying:

function addPanel(location)
{
    tabpanel.add({
        autoLoad: {url: location},
        title: 'More Information...',
        closable: true,
        autoScroll: true
    }).show();
}

How to use:

<a href="javascript:void(0);"
   onclick="addPanel('loadpage.php?a=http://www.google.com')">
   head over to Google
</a>

What I want to ask is: what is the code for loadpage.php?

Upvotes: 2

Views: 1429

Answers (2)

andynormancx

Reputation: 13752

The PHP page does not echo out the contents of google.com as suggested in the other answer. It outputs an iframe that points to Google:

<iframe src="http://www.google.com" width="100%" height="100%" frameborder="no"></iframe>

Upvotes: 1

ConroyP

Reputation: 41906

It looks like loadpage.php could be in use to echo out the contents of www.google.com, using file_get_contents.

loadpage.php:

<?php
    // Simplified output - should sanitise $_REQUEST params etc first..
    echo file_get_contents($_REQUEST['a']);
?>

loadpage is effectively acting as a proxy, allowing your JavaScript to call pages which are not on your own domain.

As @annakata points out in the comments, the code above is obscenely dangerous as-is. The code is an illustration of the basic idea behind a proxy file - in production, this file would need to make sure that the $_REQUEST parameters were sanitised, e.g. only accept values from a whitelist.

The same origin policy is a security element of JavaScript that stops you from pulling content from outside your domain on to your page using JavaScript.

Some sites get around this by calling a proxy page on their own server (loadpage in this instance) which effectively just prints out the content of a target URL. As this proxy page is on your server, this bypasses the same origin security issue, and still makes available the content of a page from another domain - here www.google.com.

Oops, I somewhat foolishly didn't RTFA, but just the code in the question and hypothesised about what it could be doing. @andynormancx is right in his answer as to what the page linked in the q is actually doing.

Upvotes: 0
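
An allowlist-based version of the proxy idea from the answer above, added here as an illustration; it is not code from the linked page or from either answerer. The host list, the `validate_target` helper and the timeout values are assumptions, and it uses cURL instead of `file_get_contents` so that protocols and redirects can be restricted explicitly.

```php
<?php
// Added example: allowlist-based variant of loadpage.php (hypothetical host list).
declare(strict_types=1);
// Assumption: the only remote hosts this site ever needs to proxy.
const ALLOWED_HOSTS = ['www.google.com'];

/** Return the validated URL, or null if it must not be fetched. */
function validate_target(string $raw): ?string
{
    $parts = parse_url($raw);
    if ($parts === false || !isset($parts['scheme'], $parts['host'])) {
        return null; // relative paths, local file names, malformed input
    }
    // Only plain web schemes: local paths and other stream wrappers stop here.
    if (!in_array(strtolower($parts['scheme']), ['http', 'https'], true)) {
        return null;
    }
    // No embedded credentials or non-default ports.
    if (isset($parts['user']) || isset($parts['pass']) || isset($parts['port'])) {
        return null;
    }
    // Exact host match, not a substring or suffix test.
    if (!in_array(strtolower($parts['host']), ALLOWED_HOSTS, true)) {
        return null;
    }
    return $raw;
}

$raw = $_GET['a'] ?? '';
$url = validate_target(is_string($raw) ? $raw : '');
if ($url === null) {
    http_response_code(400);
    exit('Target not allowed');
}
$ch = curl_init($url);
curl_setopt_array($ch, [
    CURLOPT_RETURNTRANSFER => true,
    CURLOPT_FOLLOWLOCATION => false, // a redirect could leave the allowlist
    CURLOPT_PROTOCOLS      => CURLPROTO_HTTP | CURLPROTO_HTTPS,
    CURLOPT_CONNECTTIMEOUT => 5,
    CURLOPT_TIMEOUT        => 10,
]);
$body = curl_exec($ch);
if ($body === false) {
    http_response_code(502);
    exit('Upstream fetch failed');
}
echo $body; // served from your own origin, so allowlist only hosts you trust
```

Because the fetched markup is emitted under your own domain, the allowlist is also what limits whose scripts run in your origin; the iframe approach from the other answer keeps the remote page in its own origin instead.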
