What method should I use to encode hidden a form field value? Assume that I am storing text like this:
This is a "really" long string with 'quotes' and special characters (~!##$%^&*()_+{}), which might have a random quote (") in the middle of it, making the HTML invalid.
We are using ASP.net to set the value:
<input type="hidden" value="<%= Model.UnencodedTextData %>" name="askingForTrouble" />
I believe if we HTML encoded it, it would solve the problem, but this form will be posted to another application, which we do not have control over. So will the receiving application (Marketo) automatically know how to decode this?
Thank you.
Marketo developer evangelist here. Before posting to Marketo, it is best to use HTML URL encoding for special characters. For example, the JavaScript code sample below would URL encode "&" and "%" characters.
function htmlEscape(str) {
return String(str)
.replace(/&/g, '%26')
.replace(/%/g, '%20');
}
Related
I wanted to write a POC for XSS through POST method. After playing a lot with html form tags, I was finally able to construct a payload except for a single character "\n". XSS requires that character in order for it to work. Payload looks like this
<input hidden=true type="search" name="
N<html><body><script>alert(document.domain)</script><h1>" value="</h1></body></html>">
However a new line character
after being submitted is converted to \n\r instead of \n in HTTP POST request. Is there any work around this problem ??
The solution is strange. Just putting an empty space before
solves the problem.
This is probably a really simple one but I can't find the answer anywhere!
I have a self submitting form with a textarea field like this
<textarea name="desc" wrap="1" cols="64" rows="5"></textarea>
When I type HTML characters in to the textarea field and hit the submit button, the HTML characters are being stripped and I can't see what is doing it!
Do $_GET variables have their HTML stripped automatically?
For example, If I type '[strong]Just[/strong] a test' in to the textarea, and echo the contents of 'desc' like this
echo(print_r($_GET));
I see $_GET['desc'] contains 'Just a test' rather than '[strong]Just[/strong] a test'.
Is this normal? If so, is there a way to keep the HTML so I can store it in a database?
I am using angle '<>' brackets rather than square '[]' in my code, but this forum converts them if I use them here!
Use CDATA
A CDATA section starts with "<![CDATA[" and ends with "]]>"
Source : http://www.w3schools.com/xml/xml_cdata.asp
Where are you printing the data too? The web will parse the html and if you're not looking at the page source you're only going to see the non-html parts.
However, you should be using print html_entities($_GET['desc']) to print out the contents with the html content properly encoded so it's printed instead of parsed.
When should I HTML-escape data in my code and when should I URL-escape? I am confused about which one when to use...
For example, given a element which asks for an URL:
<input type="text" value="DATA" name="URL">
Should I HTML-Escape DATA here or URL-escape it here?
And what about an element:
NAME
Should URL be URL-escaped or HTML-escaped? What about NAME?
Thanks, Boda Cydo.
URL encoding ensures that special characters such as ? and & don't cause the URL to be misinterpreted on the receiving end. In practice, this means you'll need to URL encode any dynamic query string values that have a chance of containing such characters.
HTML encoding ensures that special characters such as > and " don't cause the browser the misinterpret the markup. Therefore you need to HTML encode any values outputted into the markup that might contain such characters.
So in your example:
DATA needs to be HTML encoded.
Any dynamic segments of URL will need to be URL encoded, then the whole string will need to be HTML encoded.
Name needs to be HTML encoded.
HTML Escape when you're writing anything to a HTML document.
URL Escape when you're constructing a URL to call in-code, or for a browser to call (i.e. in the href tag).
In your examples you'll want to 'Attribute' escape the attributes. (I can't remember the exact function name, but it's in HttpUtility).
In the examples you show, it should be first URL-escaped, then HTML-escaped:
<a href="http://www.example.com?arg1=this%2C+that&arg2=blah">
I need to post multi-line data via a hidden field. The data will be viewed in a textarea after post. How can I post a newline/carriage return in the html form?
I've tried \r\n but that just posts the actual "\r\n" data
<input type="hidden" name="multiline_data" value="line one\r\nline two" />
Is there a way to do this?
Instead of using
<input type="hidden">
Try using
<textarea style="visibility:hidden;position:absolute;">
While new lines (Carriage Return & Line Feed) are technically allowed in <input>'s hidden state, they should be escaped for compatibility with older browsers. You can do this by replacing all Carriage Returns (\u000D or \r) and all Line Feeds (\u000A or \n) with proprietary strings that are recognized by your application to be a Carriage Return or New Line (and also escaped, if present in the original string).
Simply character entities don't work here, due to non-conforming browsers possibly knowing
and
are new lines and stripping them from the value.
Example
For example, in PHP, if you were to echo the passed value to a textarea, you would include the newlines (and unescaped string).
<textarea>Some text with a \ included
and a new line with \r\n as submitted value</textarea>
However, in PHP, if you were to echo the value to the value attribute of an <input> tag, you would escape the new lines with your proprietary strings (e.g. \r and \n), and escape any instances of your proprietary strings in the submitted value.
<input type="hidden" value="Some text with a \\ included\r\nand a new line\\r\\n as submitted value">
Then, before using the value elsewhere (inserting into a database, emailing, etc), be sure to unescape the submitted value, if necessary.
Reassurance
As further reassurance, I asked the WHATWG, and Ian Hickson, editor of the HTML spec currently, replied:
bfrohs Question about <input type=hidden> -- Are Line Feeds and Carriage Returns allowed in the value? They are specifically disallowed in Text state and Search state, but no mention is made for Hidden state. And, if not, is there an acceptable HTML solution for storing form data from a textarea?
Hixie yes, they are allowed // iirc // for legacy reasons you may wish to escape them though as some browsers normalise them away // i forget if we fixed that or not // in the spec
Source
Depends on the character set really but
should be linefeed and
should be carriage return. You should be able to use those in the value attribute.
You don't say what this is for or what technology you're using, but you need to be aware that you can't trust the hidden field to remain with value="line one
line two", because a hostile user can tamper with it before it gets sent back in the POST. Since you're putting the value in a <textarea> later, you will definitely be subject to, for example, cross site scripting attacks unless you verify and/or sanitize your "multiline_data" field contents before you write it back out.
When writing a value into a hidden field and reading it back, it's usually better to just keep it on the server, as an attribute of the session, or pageflow, or whatever your environment provides to do this kind of thing.
I have to submit a HTML form to a 3rd party website and one of the hidden fields is an XML string. The XML needs escaping before it is sent to the 3rd party.
However when I add the plain XML to the form field it semi-escapes it for me. So then when I use HTMLEncode myself part of the XML is double-escaped. How do I prevent the automatic escaping that appears to becoming from .NET.
Or even better how else can send the escaped XML via the hidden field.
XML
<systemCode>APP</systemCode>
Basic assigning to hidden input field
<systemCode>APP</systemCode>
When I HTML Encode it as well
<systemCode>APP</systemCode>
I can see what's happening - but I don't know how to prevent it?
Don't use HTMLEncode as well ! Use it alone !
Something like:
'Setting value:
hdnField.Value = Server.HtmlEncode("<systemCode>APP</systemCode>")
'Outputs: <systemCode>APP</systemCode>
'Retrieving encoded value:
Dim escaped as string = Request.Form("hdnField")
'Retrieves: <systemCode>APP</systemCode>
'Retrieving decoded value:
Dim myValue As String = Server.HtmlDecode(Request.Form("hdnField"))
'Retrieves: "<systemCode>APP</systemCode>"
In the end I used a literal and then HTMLEncoding the XML string before assigned a HTML form variable to the literal text field. A little bit like below:
portalReq.Text = "<input type=""hidden"" name=""portalReq"" value='" & HTMLENCODE(RequestXML) & "' />"
Not elegant but it's circumventing the problem.
You don't need to worry about the HTML output. Only worry about what data is submitted in the form. It doesn't matter whether the HTML is fully escaped or partially escaped - the same data gets submitted either way.
Both of these fields:
<input name="xml" value="<systemCode>APP</systemCode>" />
<input name="xml" value="<systemCode>APP</systemCode>" />
Get submitted as:
xml=%3CsystemCode%3EAPP%3C%2FsystemCode%3E
This is language agnostic - it is browser behavior. When the browser parses the HTML, it will actually normalize both fields to have the same html. If you view source of the page, you will see that the source HTML differs between the inputs, but if you read the form.innerHTML value, you'll see that the parsed HTML is identical.
Demo:
http://jsfiddle.net/gilly3/Xdj5E/