Mobile App executes html scripts - html

Am testing a mobile app, in one of scenario where there is option to enter text. I have inputted html code say something below and can submit it
Below codes are executed on my mobile app
enter code here
<html>
<body>
<button type="button" onclick="alert('Hello world!')">Click Me!</button>
</body>
</html>
Result: Shows the input and button controls, however button click doesn't show alert
OR
enter code here
<form action="http://google.com" method="get">
First name: <input type="text" name="fname"><br>
<button type="submit">Submit</button><br>
</form>
Result: Shows up input and button click opens targeted external page in the app.
OR
enter code here
<form action="" method="post">
<input name="username" value="admin" />
<input name="password" type="password" value="secret" />
<input name="injected" value="injected" dirname="password" />
<input type="submit">
</form>
I can even embed a youtube video and play it in app.
1.What kind of security threat is it.
2.To What extent does it harm app security.
3.Does it fall under XSS. Any example scripts to pull app info or alert popup would be helpful

Related

How do I fix the action function of my form submission?

I'm trying to redirect users to a pdf upon form submission however the link appears to be broken on initial arrival. The source code for the pdf appears first, however, if you refresh this page it displays correctly.
pdf destination
<form name="landing" method="POST" data-netlify="true" action="img/newsletter.pdf">
<div class="text-fields">
<h3>Email address</h3>
<input type="email" class="text-input email-input" placeholder="Enter your email" name="email">
</div>
<button class="btn-yellow" type="submit">Sign up</button>
</form>

Embed Tinyletter into Pelican blog as form field

This is a question for Tinyletter and Pelican but it is probably applicable to any static blog with a templating system.
Currently the only way to embed Tinyletter into a static blog is to use a button as a pop-up to this code:
<form style="border:1px solid #ccc;padding:3px;text-align:center;" action="https://tinyletter.com/test-user" method="post" target="popupwindow" onsubmit="window.open('https://tinyletter.com/test-user', 'popupwindow', 'scrollbars=yes,width=800,height=600');return true"><p><label for="tlemail">Enter your email address</label></p><p><input type="text" style="width:140px" name="email" id="tlemail" /></p><input type="hidden" value="1" name="embed"/><input type="submit" value="Subscribe" /><p>powered by TinyLetter</p></form>
I tried to embed this code into my Jinja2 Pelican template file with this code:
<form class="" action="https://tinyletter.com/test-user" method="POST">
<input class="" type="text" name="_replyto" placeholder="Subscribe via email" id="email">
<button class="btn" type="submit" value="Send">
Sign up
</button>
</form>
After generating it, the form field displays and the button displays. But when I test the input by adding an email address (a working one, not a throwaway that tinyletter might reject), it takes me to: https://tinyletter.com/test-user/subscribe/validate and after passing the captcha it always gives the same error:
That email doesn't look right. Please try again.
I tried to enter the same email on the https://tinyletter.com/test-user/subscribe/validate page and that works.
Is there something in the pop-up code that I need to include in my form code?

iOS safari asks to login automatically on website when not wanted

After previously logging into a website I'm building, on testing iOS safari constantly presents "Log in to: [website name]" then a button with my username. On inspection I was able to get rid of this by deleting the login form hidden in the html footer on every page, however I would like to keep the form in my code.
<form action="/" method="POST" class="login" id="login-model">
<input type="text" name="user" placeholder="NAME" />
<input type="password" name="pass" placeholder="PASSWORD" />
<button class="btn">LOGIN</button>
</form>
Is there something I can change about this html so that iOS doesn't "help me out" and bring up the login automatically, this is not wanted.
This is what I currently see:

How to prevent a form re-submission on clicking reload button in HTML

when I enter data into the respective fields and click submit button the form is submitted and when i click on reload button it displays the following message "The page that you're looking for used information that you entered. Returning to that page might cause any action you took to be repeated. Do you want to continue?" how to prevent this form re-submission because on clicking the reload button I want to refresh the page. Here is HTML form.
<!DOCTYPE html>
<html>
<head>
<title> Sample Page </title>
</head>
<body>
<form id="login-form" method="post">
<input type="text" id="user-name" name="Username" placeholder="USERNAME" maxlength="15" autocomplete="off"> <br> <br>
<input type="password" id="pass-word" name="Password" placeholder="PASSWORD" maxlength="10" autocomplete="off"> <br> <br>
<button id="login-button" name="login_button" type="submit"> Login </button>
</form>
</body>
</html>
I found a good website here that explains it, but basically you need to send the data to another page, using <form action="file.html">, then in that file, you have this element:
<meta http-equiv="refresh" content="0; URL='original-file.html'" />
This will redirect you to the original page, the one with the form on it, after 0 seconds, and the page can be refreshed without that issue.

In-page form does not send data to remotely hosted aspx form

I have an html form with the action linking to a remotely hosted aspx form. The html form mimics all the input names, ids, values, etc. of the aspx form.
After submitting the html login form with correct login data, instead of processing the data and redirecting to the target link, the page links to the raw login form with only the username data entered. Upon filling in the correct information again, the user is able to log in.
By checking the function of the other instances of the same login form on the site and encountering the same problem, I surmised that the issue is inherent in the remote aspx file, not the html form.
The form was working until about a week ago, when it promptly started behaving like this without any changes made to the code.
The live site is at http://blinqphoto.com
Thank you for any responses, this has me stumped.
Please find the html form and corresponding aspx form below.
HTML:
<form style="" name="LoginForm" method="post" action="https://acct.blinqphoto.com/loginframe.aspxredirect=http%3a%2f%2fwww.blinqphoto.com%2fmy-albums%2f" id="LoginForm">
<div>
<input name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjU0ODEwOTIzZGR61068oyJyEBB4UM9Gc8Fxx4225NLn2XmKWX95/vl6Zg==" type="hidden">
</div>
<div>
<input name="__EVENTVALIDATION" id="__EVENTVALIDATION"value="/wEWBAL1/8vwCgKTqJrlAQKN8oRJAv6M0J8PQkj11RCPtUGzghOj3yic+Mr17E559GJ73UVSHbxO9VE=" type="hidden">
</div>
<span> Email <input name="UserNameTxt" id="UserNameTxt" placeholder="example#gmail.com" type="text"></span>
<br>
<span>Password<input name="PasswordTxt" id="PasswordTxt" placeholder="password" class="password" type="password"></span>
<br>
<input name="LoginButton" value="Sign in" class="LoginButton" type="submit"><br>
</form>
aspx:
<form style="" name="LoginForm" method="post" action="https://acct.blinqphoto.com/loginframe.aspx?redirect=http%3a%2f%2fwww.blinqphoto.com%2fmy-albums%2f" id="LoginForm">
<div>
<input name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUJMjU0ODEwOTIzZGR61068oyJyEBB4UM9Gc8Fxx4225NLn2XmKWX95/vl6Zg==" type="hidden">
</div>
<div>
<input name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWBAL1/8vwCgKTqJrlAQKN8oRJAv6M0J8PQkj11RCPtUGzghOj3yic+Mr17E559GJ73UVSHbxO9VE=" type="hidden">
</div>
<span> Email <input name="UserNameTxt" id="UserNameTxt" placeholder="example#gmail.com" type="text"></span>
<br>
<span>Password<input name="PasswordTxt" id="PasswordTxt" placeholder="password" class="password" type="password"></span>
<br>
<input name="LoginButton" value="Sign in" class="LoginButton" type="submit"><br>
</form>
I believe this is due to the .NET event validation. If you look closely, the value of the __EVENTVALIDATION form field is not always exactly the same. This is used to validate the postback - to check that it is not coming from another URL for example, which is exactly what you are doing.
You need to disable the event validation for the login.aspx page.
Page.EnableEventValidation = false;
Is there a way to disable Event Validation for an entire page?
Note that disable event validation can possibly make your page more vulnerable.