I have read a lot about the XSS attack and now I understood how it works then now I am trying to validate it. However I am having some problems :
Looking for many foruns I did :
1 - Download of jar jstl-1.2
2 - On .jsp page I have added :
taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn"
And in the field that I am having problem I put the XMLSCAPE - so I would like to know if is the correct format :
<div class="ibm-container">
<div class="ibm-container-body">
<form action="order_status" class="ibm-column-form ibm-styled-form" method="post">
<p><label for="customer">Customer number:</label>
<span><input name="customer" id="customer" maxlength="7" value="${fn:escapeXml(customer)}" type="text" /></span></p>
<div class="ibm-buttons-row">
<table border="0px" cellpadding="0px" cellspacing="0px">
<tr>
<td width="180px"></td>
<td>
<p><input name="submit" value="<%=com.ibm.ssos.Constants.TEXT_GET_ORDERS%>" type="submit" class="ibm-btn-pri ibm-btn-small" />
<input name="action" value="<%=com.ibm.ssos.Constants.TEXT_GET_ORDERS%>" type="hidden" /></p>
Related
I would like to extract from a webpage some data with VBA.
This is an invoicing program and I am trying to access the first line of data which is the product description
I am not an expert is these matters, but I looked into the html code being one of the fields of data and it looks like this:
<td class="">
<div class="UITextbox length length_maximum-255" data-tag="product_code" data-ui-widget="UITextbox"><span class="field"><input autocomplete="off" id="sales_invoice_line_items_attributes_0_product_code" name="sales_invoice[line_items_attributes][0][product_code]" readonly="readonly" size="30" type="text" /></span></div>
</td>
<td class="">
<div class="UITextbox presence length length_maximum-200" data-tag="description" data-ui-widget="UITextbox"><span class="field"><input autocomplete="off" id="sales_invoice_line_items_attributes_0_description" name="sales_invoice[line_items_attributes][0][description]" size="30" type="text" /></span></div>
</td>
<td class="hidden numeric">
<div class="UIHiddenField" data-tag="item_id" data-ui-widget="UIHiddenField"><input autocomplete="off" id="sales_invoice_line_items_attributes_0_item_id" label="false" name="sales_invoice[line_items_attributes][0][item_id]" type="hidden" /></div>
</td>
<td class="numeric">
<div class="UIDecimal presence numericality numericality_greater_than_or_equal_to-0 ensurenotgreaterthanmaxnumber ensurenotgreaterthanmaxnumber_maximum-99999999" data-tag="quantity" data-ui-widget="UIDecimal"><span class="field"><input class="hidden" name="sales_invoice[line_items_attributes][0][quantity]" type="hidden" value="0.00" /><input autocomplete="off" class="visible" data-scale="2" id="sales_invoice_line_items_attributes_0_quantity" name="" size="30" type="text" value="0,00" /></span></div>
</td>
<td class="">
<div class="UIDropdown" data-tag="unit_type" data-ui-widget="UIDropdown">
<span class="field"><select autocomplete="off" id="sales_invoice_line_items_attributes_0_unit_type" name="sales_invoice[line_items_attributes][0][unit_type]">
I tried this so far with no results:
Dim desc as string
desc = ie.Document.getElementsByClassName("UITextbox presence length length_maximum-200")(0).innerText
The following code has no errors, but no value either.
There isnt any Text in the Div you are looking at:
<div class="UITextbox presence length length_maximum-200" data-tag="description" data-ui-widget="UITextbox">
<span class="field">
<input autocomplete="off" id="sales_invoice_line_items_attributes_0_description" name="sales_invoice[line_items_attributes][0][description]" size="30" type="text" />
</span>
</div>
But the Input has an ID that you can use to get the value from
desc = ie.Document.getElementByID("sales_invoice_line_items_attributes_0_description").value
Perhaps this is not the most eficient way, but I couldnt find any other way, so I just used sendkeys to simulate the keypress that adds a new record, since I could not have the fire event to work.
Thanks for your help Ricardo
IE.Document.getElementById("sales_invoice_line_items_attributes _0_description").Value ="LINE 1 DESCRIPTION"
SendKeys "-"
SendKeys "{ENTER}"
IE.Document.getElementById("sales_invoice_line_items_attributes_1_description").Value ="LINE 2 DESCRIPTION"
I am setting up my menu and want to use drop down options for customers to select items and place email orders.
The following is what I have done so far but when I send the email it goes no where. Just want you to know I have no clue about html coding, I am learning because I would like to use this on my website.
<form>
<form method="post" action="mailto:myemail#gmail.com">
Name:<br>
<input type="text" name="name"><br> E-mail:
<br>
<input type="text" name="email"><br>
<table>
<tr>
<td><input type="hidden" name="on0" value="Fries">Fries</td>
</tr>
<tr>
<td>
<select name="os0">
<option value=>Small
<tr>
<td><input type="hidden" name="on0" value="Flavors">Flavors</td>
</tr>
<tr>
<td>
<select name="os0">
<option value=>Garlic Parmesan
<input type="submit" value="Send Email" />
<input type="reset" value="Reset">
</form>
I would like to receive via email orders from customers that reflect the options above. This is just one item but if I can get it to work I will applied the html code to all the items on my menu.
So I'm trying to figure out what sends me to another page when I submit this form. frmS.onsubmit = null. Also the submit button doesn't have an on click that sends you to another page. I want to understand how it sends me to the other page and how to stop that.
EDIT: I should add that I want it to send its info that its sending but not throw me on the next page.
EDIT2: SOLVED I've made an iframe and set the form target to that iframe. Thanks Paul Draper
<form name="frmS" method="post" action="/s.aspx?sm=1jFsQEImT6d7s5gJzLre0g%3d%3d" id="frmS">
<div>
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWDwL+raDpAgLOhOEnAqrszZoKAsv4g6IHAqDo8XkCqc7S2wcC96SjuQgC+beo3gUCi5yS5QgCsOmqpAECjce8xA0C0I38vQkCnNGksA4Cw/alsQoC1J6ZlwQMnZiKw/euXyNaAEgF3qFMFg5vlA==">
<input type="hidden" name="__VIEWSTATE" id="
__VIEWSTATE" value="">
</div>
<!--content area-->
<div id="PageContentDiv"><div style="text-align:left;"><div class="sLogo"><img class="notranslate" src="http://secure.surveymonkey.com/_resources/4485/45604485/552bd2d8-f3b6-4e1f-b1e5-3c5ea48189b9.gif" alt=""><div class="sExit"><a class="ExitBtn" target="_self" href="http://www.gazette.net/teacher">Exit this survey</a> </div><br class="clear"></div></div><h1 class="sTitle"><div style="text-align:left;float:none;"><span class="notranslate">My Favorite Teacher 2013 - Montgomery County High School</span></div></h1><div class="pTitle"><h2>2. </h2> <br class="clear"></div><div class="pgHdr"><div id="q1" class="question" style="margin:0 0 0 0;width:auto"><div class="qContent"><div class="qHeader"><abbr class="noborder" title="Question 1">1</abbr>. Please provide your name and e-mail address below. Click done below to submit your vote.</div><div class="qBody"><table cellspacing="0" cellpadding="3" border="0" style="width:100%;"><tbody><tr><td style="width:20%;font-weight:bold;"><label for="text_579095901_6719868704"><span class="hlbl">Please provide your name and e-mail address below. Click done below to submit your vote. </span>Name: (Optional)</label></td><td valign="top"><input id="text_579095901_6719868704" name="text_579095901_6719868704" type="text" size="30" value="" class="open"></td></tr><tr><td style="width:20%;font-weight:bold;"><label for="text_579095901_6719868706">Email Address: (Optional)</label></td><td valign="top"><input id="text_579095901_6719868706" name="text_579095901_6719868706" type="text" size="30" value="" class="open"></td></tr></tbody></table></div></div></div></div></div>
<!--end content area-->
<div id="panButtonBar">
<div style="text-align:center;">
<input type="submit" name="PrevButton" value="Prev" onclick="onesubmit(this);" id="PrevButton" class="btn btntext grey">
<input type="submit" name="NextButton" value="Done" onclick="onesubmit(this);" id="NextButton" class="btn btntext grey">
</div>
</div>
<div class="spacer" style="height:100px;"> </div>
<input type="hidden" name="hid_smC0l1d" id="hid_smC0l1d" value="r9nWM11rHijwX3dDZ1G8NQ_3d_3d">
<input type="hidden" name="hid_smRsL1d" id="hid_smRsL1d">
<input type="hidden" name="hid_smRs1d" id="hid_smRs1d" value="mII0H4g5XRCu4s1ZVhHXsg_3d_3d">
<input type="hidden" name="hid_smCSV" id="hid_smCSV">
<input type="hidden" name="hid_smS1d" id="hid_smS1d" value="rbQr6Wx8ieI2e98gDtyjNA_3d_3d">
<input type="hidden" name="hid_smM0D" id="hid_smM0D" value="E6uK1MhOcpBUysyKlC0vrg_3d_3d">
<input type="hidden" name="hid_smV3Rsn" id="hid_smV3Rsn" value="ryjiA1jsXxArHG3rMuiwxg_3d_3d">
<input type="hidden" name="hid_smS3CT1d" id="hid_smS3CT1d" value="IGaEFrQzyw9OHNYpBjkYsg_3d_3d">
<input type="hidden" name="hid_DC" id="hid_DC" value="UTLbMdg3R07bopsDbKUHM51JeIvWdftG8_2bHZNxxsXT_2bITWvXP9m1Zy_2fqRmNPpOx7">
<input type="hidden" name="Hidden_CollectorToken" id="Hidden_CollectorToken">
<input type="hidden" name="Hidden_Simple" id="Hidden_Simple">
<input type="hidden" name="hid_l04dez" id="hid_l04dez" value="RsDrTe_2b1IjsIQj68b5l2TrRCB0SORAXCRx0_2bpMErNSQ_3d">
<div>
</div></form>
The first line sends you to another page -
<form name="frmS" method="post" action="/s.aspx?sm=1jFsQEImT6d7s5gJzLre0g%3d%3d" id="frmS">
You're being sent to the URL specified in the action attribute of your form.
You are getting a redirect response from your server (assuming that the action on your form is your current page; if not, you are going there).
If you want to submit a form without navigating, create an iframe, and set the target attribute of your form to the iframe.
This one is a tad frustrating.
If I run this perl script ...
#!/usr/bin/perl
use CGI qw/:standard/; # load standard CGI routines
my $query = new CGI;
my $club5 = $query->param('club5');
my $messagetext = $query->param('messagetext');
print header, # create HTTP header
start_html('Hello World'), # start of HTML
h1('Hello World'), # level 1 headers
h1($club5),
h1($messagetext),
end_html; # end of HTML
1;
from a remote Chrome browser with
http://www.<hostname>/cgi-bin/message_test.pl?club5=coop9&messagetext=test
the correct page is produced. But if I then execute this PHP program ...
<?php
$user_id = "10006";
echo <<<END
<html>
<head>
<title>Send Message</title>
</head>
<BODY bgcolor="#e8e8e8">
<br>
<table width="450px" height="150px" align="center" valign="top" bgcolor="#e8e8e8">
<form action="http://<hostname>/cgi-bin/message_test.pl" method="post">
<INPUT TYPE="hidden" NAME="user_id" VALUE="$user_id">
<tr align="center" valign="top">
<td>
<br>
<font face="Verdana" size="2">
<input name="messagetext" type="text" size="64">
<br>
<br>
<br><center>
<input name="submit" type="submit" value="SEND">
</font>
</td>
</tr>
</form>
</table>
</body>
</html>
END;
?>
from the same browser with
http://<hostname>/message_test.php
nothing is returned. I swear I had something similar this running a year ago. Is there something new I should be aware of when passing (hidden) variables to Perl using HTTP POST?
It's failing because your browser incorrectly guesses what you meant by your invalid HTML.
It worked after I changed
<table ...>
<form ...>
<INPUT TYPE="hidden" NAME="user_id" VALUE="$user_id">
...
</form>
</table>
to
<form ...>
<INPUT TYPE="hidden" NAME="user_id" VALUE="$user_id">
<table ...>
...
</table>
</form>
In PHP, shouldn't
<INPUT TYPE="hidden" NAME="user_id" VALUE="$user_id">
be
<INPUT TYPE="hidden" NAME="user_id" VALUE="<? echo $user_id; >">
?
Basically i have a form(within a table) and inside the form a field, the form is submitted via ajax, and i have a span which receives the output from the AJAX(when its received a response from the server).
The response is "Successfully updated" however as it turns out, the text actually moves my field. Is it possible for it not to do this?
<form method="GET" name="update_address">
<td align="left" class="rowhead">Address:</td>
<td align="left">
<input type="text" size="45" id="address" name="address" class="btcaddress" value="$value/>
<span style="display: inline-block;">
<input type="submit" name="submit" value="Update" size="45" onclick="javascript:xmlhttpPost('index.php?page=main&do=update_address', 'update_address', 'updated', ''); javascript:return false;"/>
</span><span id="updated"> </span>
Sorry for the improperly formatted code.
Use a DIV insted. It will on on its own line.