In a Django view, I'm placing an Html form (actual string with some Html, from my DB) into an Html template, with a tag: {{ injected_form|safe }}. This succeeds in showing the form, but I've got an issue POSTing it:
Forbidden (...) CSRF token missing or incorrect.
(Which I know is appropriate Django behaviour, as I have no CSRF token tag/field inside the form itself. Btw the reason for the custom Html form strings in the DB is that they can be produced by the actual user)
A solution I could implement is TheBronx's answer to a question here. This seems to be a case where just doing
<form method="post">
{% csrf_token %}
......
</form>
is not possible! Are there solutions for this issue?
I've figured out how to handle/receive POSTs without a related Django model, but I didn't foresee this CSRF problem submitting them :( Any help would be greatly appreciated
I'm not sure why it isn't possible. Surely the form stored in the database doesn't need to include the <form> tags themselves, so you could easily use those yourself and add the CSRF token. That seems safer anyway, since you should really ensure the destination of the form POST yourself.
But I must say, this whole approach seems wrong. It's never really going to be safe to allow users to add raw HTML to your database and output it directly, unescaped, to the template. And allowing them to specify form fields in HTML seems like a recipe for all sorts of injection attacks.
Instead consider allowing them to choose from a selection of fields, and build up the form yourself from those.
Related
Please bare with my ignorance for now as I have just started learning web related programming. So, I have a web project written in MVC that has a login window with Username textbox bound to a property:
#Html.TextBoxFor(model => model.UserName, new {#placeholder = "Username"})
As I understand, Razor automatically html encodes input to help preventing cross-script attacks. However, when I test username with a javascript I get an exception from MVC:
A potentially dangerous Request.Form value was detected from the
client (UserName="...hp?name_1=code
Which makes me think that the input is NOT html encoded. My idea was to resolve this issue with html encoding/decoding but looks like I am not getting this whole idea right. Could someone explain?
NOTE: one of SO's related posts provides an unsecured solution but it is not an option for me to simply allow html.
It is not HTML encoded, that is correct. You will have to do the HTML encoding in the Action that form posts back to.
Also, you will need to add [ValidateInput(false)] attribute just about your action.
Much like the mailto: link you can add ?subject=
I wanted to be able to create a web link which would send you to a webpage that contained a form.
In that Form, I would like the value of the TextArea to contain information Inserted by the contents of the referring Weblink.
Example:
example.com/page-url?textarea=content
Is that possible? If so, can you tell me?
I pay in chocolates.
Thanks for your time and I look forward to any replies.
Plain HTML can't do this by itself. You'll need to use Javascript or some kind of server-side processing to get the values from the submission.
Forms have two methods - POST, which submits through the headers, and GET, which submits through a querystring. With the querystring it's easier for users to mess with your data, so keep that in mind as you design this. (Not that it's impossible with POST, but it takes a little more work)
Since you're passing to a textarea, make sure you URLEncode your post or things like spaces will cause you a lot of headaches.
I am new to HTML and still trying to understand some concepts. Here it is one that I do not understand at all. After trying HTML form I noticed that if I have a form with attribute name I can access that form the following way document.attribute_name or document[attribute_name]. However if I try to do the same on a div for instance, it does not work. Can somebody please explain me why is this so.
Also, I was wondering if it good practice to use a form when using AJAX. Let say that I have some fields inside a form but I am using ajax and the form never is "posted" as I am using AJAX to change field's contents.
Thanks in advance!
Usually a form has the name attribute in order for you to be able to pass a value to a PHP/ AJAX script.
When writing THE FORM :
<FORM action = 'addDetailsToDatabase.php' method = 'post' >
<input name ='myName'>
<button type = 'submit'>
</form>
When you submit this form it will post the input field value that has the name attribute 'myName' to the addDetailsToDatabase.php script. So now whatever has been entered and submitted in the input you can use in your PHP script.
TAGS do not generally have a need for a name attribute. (I am saying generally need just incase theiris some library out there that uses this I have never seen a name attribut on a div tag.
The best way to get a div is to get it by ID . document.getElementByID('yourdivid') - Javascript.
Your div will look like this
You can use AJAX to post a form to be be run by a PHP script and this has the added benefit of the whole page not being refreshed.
Anwsering the second part its hard what you are asking. With Ajax you can make your page as dynamic as you want
You can select from the database and echo wherever you want the options are limitless (almost). The best thing to do is to learn HTML = SIMPLE Learn CSS =SIMPLE. Then learn some simple JQUERY or javascript. If your dealing with forms and databases learn how to post a form to PHP script and store in a database and then retrieve using the select statement (prepared statements will set you up for years to come try and avoid old SQL tutorials)
Once you get this learn your AJAX to fill the gaps
I am certain the answer will be 'NO', but I wanted to ask anyway just
incase I have missed something.
Everyone knows that one pass data to a page in an anchor tag by using
the GET method:
What I am wondering is if there was a way to do the same thing, but use
the POST Method instead?
My purpose in doing so is to keep the URLs the user sees clean by not
putting anything in them that they do not need to see.
This has nothing to do with security concerns as I already know there
would be ways to obtain the data being passed.
If the answer is indeed no, then what methods do people use to pass data
when there is a desire to keep the URLs clean? Cookies? Something else?
and how to deal with the scenarios when the URL length exceeds the permissible GET request length
I am facing this issue while implementing sorting/pagination with displaytag, all the request parameters are appending in the sort/pagination url which is more then the permissible length of the GET request.
You could do something like this:
<form method="post" action="target.html">
<input type="hidden" name="name" value="value" />
<a onclick="this.parentNode.submit();">click here</a>
</form>
This behaviour is specific to display tag library. It allows for easily bookmarkable search results. If you really intend to change this to make use of POST, then you'd need to rewrite the display tag library or bring in some jQuery to manipulate the links.
The remnant of your questions boils nowhere. If you want GET (idempotent requests, bookmarkable URLs, searchbot-crawable URLs, etc), then use GET. If you want POST (non-idempotent requests, non-bookmarkable URLs, non-crawlable URLs, etc), then use POST.
Usually, POST is mandatory when the request can modify the data in the server. Think of a SQL INSERT, UPDATE, DELETE, etc. You certainly won't make this kind of requests GET. Imagine that you've a table with all "delete row" links which do GET and then a searchbot comes along...
You can use javascript. On onclick of link do form.submit
The only way I know of to deal with lenghty URL is to instead use POST.
You may create a temporary form and submit it while onclick event of <a> tag.
It will work as post ,the name value can be through anchor tag and value of name="" can be access to $_POST[] globl var
In Django / Pinax, I've come across the login form which starts like this :
<form class="login" method="POST" action="">
It works perfectly well. So I assume that either some java-script or something in the Django framework is putting the value into the action attribute.
So, my questions:
How does Django insert the action?
Why do they do it like this?
How can I find out what the action of this form is?
Update : I see this is not a Django thing at all, but what most browsers do.
Having an action of an empty string in most browsers points the form at the URL the browser currently has loaded, which is the script that served the form in the first place.
For an interesting insight on forms with empty actions read this thread, which gives you an updated HTML5-perspective on this matter.
It's also possible that javascript loaded with this page could be setting an action once the page is loaded based on what application is using the page.
Another likely possibility is that the javascript is handling the onsubmit event. One might do that to prevent the page from reloading or redirecting to a specific page
I guess it's bit late to answer this post. Anyways, I'll what I learnt about this.
If the "action" is not specified in forms, then the Django looks up the HttpResponseRedirect in the corresponding view.
For example, in the example below:
if form.is_valid(): # All validation rules pass
# Process the data in form.cleaned_data
# ...
return HttpResponseRedirect('/thanks/')
Once, the form is validated (and processed), the page is redirected to 'thanks'