Using FusionCharts with web services

[ooper]

With version 3.0.5 came additional security features that disallow the use of absolute URLs. Needless to say, this breaks the ability to use FusionCharts as part of a web service. Here is the error in the debug window:

 

 

 

dataURL reset: A colon character was found in dataURL, which can be potentially dangerous as it allows XSS attacks. Re-setting dataURL to Data.xml. If you're using absolute URLs (like http://domain.com/...) to provide dataURL, please convert it to relative path for increased security.

 

 

 

Our web services create xml data files for FusionCharts and store them on our servers. We also have the swf files on our servers. The web service sends back to the client completed <object> tags, with absolute URLs that reference our servers. The web service client then embeds the <object> tags in his html and gets FusionCharts displayed to his users... well, at least prior to v 3.0.5. (We have no upgrade path. We are stuck on v 3.0.4)

 

 

 

Do you have any suggestions on how we can resolve this? One thing that comes to mind is to have each of our hundreds of clients store the swf files on their local servers (is there a licensing problem with this??) and rather than send back a completed <object> tag, send back the URL where they can download the xml data file. Then they would have to create the <object> tag themselves and reference everything locally. Wow, this would be VERY user-UNfriendly.

 

 

 

I am aware of the dataXML option, but as your docs indicate, it is limited by the string length supported by the browser. This will not work for us since we have large data sets.

 

 

 

Is there some other way that you can provide the security measures added in v305 and still allow absolute URLs? If not, why not leave it up to the users of FusionCharts whether we want to take advantage of the extra security measures provided in v305 rather than force it upon us?

[Rahul Kumar]

Hi,

 

There is one option, you can use a relayer code, that will fetch the XML from different domain and after that, you can use this relayer as dataURL to the chart.

 

Please see to this: http://www.fusioncharts.com/forum/Topic3741-27-1.aspx

[ooper]

Let me see if I understand how the "relayer" suggestion works:

 

 

 

1. One of our clients calls a web service on our servers.

 

2. We generate the data.xml file and store it on our servers.

 

3. We return to our client a response to his web service call and include the URL where they can download the data.xml file.

 

4. Our client uses "relayer" code to fetch the data.xml file and they store it on their server. (Not sure why this is called a "relayer". All they are doing is simply downloading an xml file.)

 

5. Our client creates an <object> tag similar to this:

 

 

 

 

 

<object classid="clsid:d27cdb6e-ae6d-11cf-96b8-444553540000"

 

codebase="http://fpdownload.macromedia.com/pub/shockwave/cabs/flash/swflash.cab#version=8,0,0,0"

 

width="700"

 

height="400"

 

id="Column3D" >

 

<param name="movie" value="/chartswf/MSColumn3D.swf" />

 

<param name="FlashVars" value="&dataURL=/chartdata/mydata.xml" />

 

<param name="quality" value="high" />

 

<param name="wmode" value="opaque" />

 

<embed src="/chartswf/MSColumn3D.swf" flashVars="&dataURL=/chartdata/mydata.xml" wmode="opaque" quality="high" width="700" height="400" name="Column3D" type="application/x-shockwave-flash" pluginspage="http://www.macromedia.com/go/getflashplayer" />

 

</object>

 

 

 

6. Our client embeds the <object> tag in their web page and displays the chart to the end-user.

 

 

 

Question 1: Is the above correct?

 

Question 2: The above requires that we distribute the FusionChart swf files to each of our clients, since they will have to host both the swf and the data files in order for the relayer suggestion to work. Is this okay?

 

 

 

I am not familiar with the licensing requirements, but if our clients have to purchase a license to FusionCharts in order for this relayer suggestion to work, then it is not a viable solution for us.

 

 

 

Please advise.

 

 

 

Thanks.

[Pallav]

No - not this. Essentially everything will be on your server. Just that there will be another file which connects to the remote webservice and provides data to FusionCharts locally.

 

 

 

So, the scenario would look as under:

 

- On your server, you now have a file called Relayer.php (or aspx or ...).This file connects to the remote webservice, gets the data and builds XML.

 

- FusionCharts will access this file for data, instead of directly accessing remote web service.

[ooper]

I don't think you are understanding our situation here. Go to this URL:

 

 

 

http://www.washingtonpost.com/real-estate/tools-calculators/mortgage-calculator.html

 

 

 

Enter some numbers and click submit. You'll see a nice FusionChart along with some other calculations.

 

 

 

The Washington Post is a client of ours. We provide financial calculators via web services. We license FusionCharts, have the swf files on our servers and generate the xml data files for the FusionCharts. Our clients, like Washington Post, call our web services. We don't call web services, we provide them.

 

 

 

If you view source on the page with the FusionChart on it from the above link, you can search and find the <object> tag. Notice there are absolute URLs pointing to our servers for the pre-version 3.0.5 swf file and the data file.

 

 

 

If we wanted to upgrade to latest version of swf files, how could our clients, like Washington Post, continue to use the FusionCharts?

[ooper]

Hello,

 

Still hoping you can answer my previous post from 2/11/2009.

 

Thanks.

[ooper]

Hello,

 

Still hoping you can answer my previous post from 2/11/2009.

 

Thanks.

[ooper]

Will someone please answer my post from 2/11/2009?

 

 

 

Thanks.

[Pallav]

Please update to v3.1 from www.fusioncharts.com/PUC and then try again.

[ooper]

THANK YOU! Version 3.1 has fixed our problem. We can now use absolute URLs as we need to.