I am trying to make one website for my school and i just started from basic to test
security of our website and it was observed that while getting this output from there
code if we put Name: ../ and Information : (any html code) then it changes that page
into that html code which was injected. Is there any solution how i can prevent this
problem so that i have much higher security.HTML code is
<html>
<head>
<title>Submit your form</title>
</head>
<body bgcolor="Black" text="#FFFFFF" link="#FFF833" vlink="#FFF833">
<center><table width=600 cellspacing=0 cellpadding=0 align="center"><tr><td>
<font face="verdana" size=2><b>Use this form to submit your information to the website.<br /><Br>Note:Information will be stored online immediately but will not be listed on the main page until it has a chance to be looked at.<br /><br />
<form action="submit.php" method="post">Name:<br />
<input type="text" name="name">
<br /><br />Information<br /><textarea rows=15 cols=40 name="text"></textarea>
<br /><br /><input type="submit" value="add text"></form></font>
</b></td></tr></table>
</center>
</body>
</html>
As I have stated twice, it depends entirely on how you're saving this user input... wait, that's three times now XD
I'm going to guess your code is:
file_put_contents("submissions/".$_POST['name']."/index.html", $_POST['text']);
But if $_POST['name'] is ../ then you are saving their submission to submissions/..//index.html... in other words you are overwriting the homepage of the site! And by allowing $_POST['text'] to be dumped in there with no safety just lets anyone do what they want.
Instead, you should be saving these submissions to a database, referencing them by an ID number, and using something like htmlspecialchars to prevent input HTML from being processed.
you need to add some filters with your each field for the input because if you are not doing this then the chances of XSS (corss-site scripting) increases so whether you are taking input from user for suppose usernamd , password , email-ids etc always check is fields must cot contain html tag specially the JAVA SCRIPT tag. If you allowed JAVA script tag with the input it will case session hijacking so please check all thing before lunch on final domain and host . GOOD LUCK
Related
I am making a help file (.chm) for a project I am working on, but am having trouble with an HTML form element. What I want the form to be able to do is send an email so users can contact me about bugs, quetions, etc, but when I try the 'Submit' button, it notifies me that I am about to send the email, then crashes the Microsoft HTML Help Executable.
Here is my code:
<!DOCTYPE html>
<HTML>
<TITLE> Contact me </TITLE>
<BODY>
<IMG SRC="banner.png" WIDTH="800" HEIGHT="160" ALIGN="RIGHT" ALT="Banner">
<HR WIDTH="600" HEIGHT="5" ALIGN="RIGHT">
<P>
<H2 ALIGN="CENTER"><FONT FACE="Trebuchet MS">Contact me</FONT></H2>
</P>
<P><H4><FONT FACE="Trebuchet MS">Please enter the following details</FONT></H4>
<FONT FACE="Trebuchet MS">
<FORM ENCTYPE="text/plain" METHOD="POST" ACTION="mailto:someone#example.com">
Your name: <INPUT TYPE="TEXT" NAME="Name">
<P>Details:
<TEXTAREA ROWS="10" COLS="50" NAME="Details"></TEXTAREA>
</P>
<INPUT TYPE="SUBMIT" VALUE="Submit">
</FORM>
</FONT>
</BODY>
</HTML>
Sorry about my terrible formatting, but hopefully you get the idea.
I have found that when I launch this in Google Chrome as a regular HTML document, it works fine and sends the email perfectly, but when I try it in Internet Explorer as an HTML, it crashes (typical). What am I doing wrong?
Thanks in advance
I don't think it's actually 100% possible, nor would I recommend it if it were.
I think a much better way would be to provide a link to a Contact Me page on your site, or simply provide your email in the body of the CHM.
General Points
UPPERCASING HTML tag names, while valid, is really annoying (subjective). A proper naming convention is where all HTML tags, attributes and keywords are lowercased.
Use <label> elements when referring to form labels, example:
<label>Your Name: <input type="text" name="Name"></label>
This adds the nice bonus of making the "Your Name:" text clickable as well!
this is my jsp page
<html>
<body>
<span>User name:</span> <input type="text" name="Teachername" value="<%=request.getParameter("name") %>" class="input_panel" id="Username" readonly/><br><br><br>
<span>Old password:</span> <input type="password" name="TeacherOpwd" class="input_panel" id="TeacherOpwd" /><br><br><br>
<span>New password:</span> <input type="password" name="TeacherNpwd" class="input_panel" id="TeacherNpwd" /><br><br><br>
<input type="submit" id="TeacherSubmit" name="submit" class="submit_button" value=" " />
</body></html>
i need, whatever i write on the textbox remain unchanged after refreshing the page.
please help..
You can't. That's not how HTML/JSP works. If you want to do something like this you should look at implementing some form of MVVM pattern, or using a framework which supports it. (ZK, AngularJS or KnockoutJS).
For more information, read the Wikipedia article on MVVM
For your requirement, data must be preserved for later availability after refresh.
So, as and when you write, there must be some way which is doing the work of storing in background, so that when refresh happens, it can take the data from stored place.
I have not found requirement like this before but can think like you can go with Ajax for this and once you get the data at server, try storing it in cookie and when refresh happens, first try to read from cookie if available or else show blank.
Also, check is there any way you can store it at javascript level, as I am not aware of that.
use HttpSession session = request.getSession(); session.setAttribute("someItem")
after you click the button. It should still be there.
I have 4 HTML Pages. In each page I have forms and form elements, but my submit button is only in my 4th page. So how do i try to access the elements i selected in the first three pages without using JavaScript??
For Eg: Consider a feedback form where we have to answer question in 3-4 pages in order to submit the feedback. We click "Submit Feedback" button only in the 4th page so how do the elements from the 1st, 2nd and the 3rd page get submitted to the server??
THIS IS A PROBLEM SHEET FROM MY COLLEGE. HERE IS THE FULL QUESTION
Step 1:
Identify a web architecture that is suitable for a survey website. The survey website will start with a brief introduction about the survey, and followed by the survey questions. Each question webpage will contain at most two survey questions, links to previous and next questions and a test submit button. Note that a server script is created for this lab allowing you to test if data are correctly passed to the server when the ‘Test’ button is clicked. However, no data will be saved at the server.
Step 2:
Use any text editor on your local computer (e.g. NotePad++), create the HTML for the survey website that contains the following HTML 5 elements. The survey form will be placed between the ... tags.
<!DOCTYPE HTML> <html lang="en"> <head>
<meta charset="utf-8"> <meta name="description" content="Web development">
<meta name="keywords" content="HTML (Part 1 – Content - Form)">
<meta name="author" content="put your name here">
<title>Web Development Survey</title>
</head> <body>
<!–- Survey content --> </body>
</html>
Step 3:
Mark up the form content using the elements discussed in Lecture 3. These are
- Form <form> ... </form>
- Form elements such as <label>...</label>, <input ...>, <select> ... </select>, <text area> ... </text area>,<fieldset> ... </fieldset> and <legend>...</legend>
Use other HTML elements discussed in Lecture 2 as needed
- Heading <h#>...</h#>, Paragraph <p>..</p>, Horizontal Rule <hr>
- List <ol>...</ol> or <ul>...</ul>, Table <table>...</table>, Image <img ...> and Anchor <a ... >...</a>
- Special characters
For instance the first question page for the name and sex can be marked up as follows.
<form id="survey" method="post" action="http://mercury.ict.swin.edu.au/cchua/webdev/surveytest.php">
<p><label>Name (optional)</label> <input type="text" name="name" size="20" />
</p> <p>Gender<br />
<label>Male</label> <input type="radio" name="gender" value=”M" />
<label>Female</label>
<input type="radio" name="gender" value="F" /> </p>
<p><input type="submit" value="Test" /> <input type="reset" value="Reset" />
</p>
</form>
Note that XHTML coding style is used in the above sample code
A processing script had been set up at the server with the following URL:
"//mercury.ict.swin.edu.au/cchua/webdev/surveytest.php"
This allows you to test if your form can correctly pass the inputted data to the server. Note that none of the sample data entered will be saved at the server.
You can obtain all the survey information and question at surveydata.txt. Ensure that correct form elements are used for each survey question. For example, checkbox is use for questions that allows multiple answers, while radio button is used for single choice questions.
Step 4:
Create a new folder ‘lab03’ under the unit folder on the mercury server ~/hit1091/www/htdocs. Upload today’s work to this lab03 folder.
Using WinSCP, drag and drop the all the survey HTML files from your local machine to the htdocs/lab03 folder. You can name the survey HTML files using the ‘survey##.htm’ format where ## represent a 2-digit number. For example, the first page can be named as ‘survey01.htm’ and so on.
Step 5: Test and view web pages.
To view the pages through http, use any Web browser and type in the following address,
//mercury.ict.swin.edu.au/hit1091//
The is s< your 7-digit Swinburne ID >. For example
*http://mercury.ict.swin.edu.au/hit1091/s1234567/lab_03/survey01.htm*
When the authorization request dialog pops up, use your SIMS username and password to confirm access.
Step 6: Validate the page(s) and fix any errors displayed and revalidate
To validate HTML file, use the ‘File Upload’ interface at http://validator.w3.org. For webpages pages that requires server pre-processing, validation via ‘URL’ must be used
What you need to do is to submit on every page. Then through some server-side scripting attach the post to the form in your next page until you are ready to process the information.
For example, if you were doing this in PHP you could have something like this on your second page.
<form method="post" action="page-3.html">
<label>Input for page 2</label>
<input type="text" name="page2Input" />
<?php
foreach($_POST as $key => $value) {
echo '<input type="hidden" name="'. $key .'" value="' . $value .'" >'; //Info from page 1
}
?>
<input type="submit" value="To Page 3">
</form>
This will "add" the information from first page into the form for its information to also be send to page 3. Or you could also just put them in a $_SESSION.
There are different ways to do it. This is just one of them. Don't forget to sanitize your input though.
I am fairly new. I am creating a webpage that ask a user for their ID. I want it to be a required field and only allow numbers. I appreciate if you lead me in the correct direction. this is what I have so far.
<%# Page Language="C#" Inherits="System.Web.Mvc.ViewPage<dynamic>" %>
<!DOCTYPE html>
<html>
<head runat="server">
<title>Search</title>
</head>
<body>
<div>
<table align="center">
<tr>
<td class="label">
Enter ID:
</td>
<td>
<input type="text" name="UserId" id="UserId" />
</td>
</tr>
</table>
</div>
</body>
</html>
Though it's probably suggested to get some heavier validation via JS or on the server, HTML5 does support this via the pattern attribute.
<input type= "text" name= "name" pattern= "[0-9]" title= "Title"/>
Try this with the + after [0-9]:
input type="text" pattern="[0-9]+" title="number only"
Of course, you can't fully rely on the client-side (javascript) validation, but that's not a reason to avoid it completely. With or without it, you have to do the server-side validation anyway (since the client can disable javascript). And that's just what you're left with, due to your non-javascript solution constraint.
So, after a submit, if the field value doesn't pass the server-side validation, the client should end up on the very same page, with additional error message specifying the requested value format. You also should provide the value format information beforehands, e.g. as a tool-tip hint (title attribute).
There's most certainly no passive client-side validation mechanism existing in HTML 4 / XHTML.
On the other hand, in HTML 5 you have two options:
input of type number:
<input type="number" min="xxx" max="yyy" title="Format: 3 digits" />
– only validates the range – if user enters a non-number, an empty value is submitted
– the field visual is enhanced with increment / decrement controls (browser dependent)
the pattern attribute:
<input type="text" pattern="[0-9]{3}" title="Format: 3 digits" />
<input type="text" pattern="\d{3}" title="Format: 3 digits" />
– this gives you a full contorl over the format (anything you can specify by regular expression)
– no visual difference / enhancement
But here you still rely on browser capabilities, so do a server-side validation in either case.
You can also use
<input type="number" name="amount" pattern="^[0-9]+[0-9]*$"/>
Let say I have a post from like this:
<form action="myApp/form_action.asp" method="post">
First name: <input type="text" name="fname" /><br />
Last name: <input type="text" name="lname" /><br />
<input type="submit" value="Submit" />
</form>
So, let say there is a really bad buy who want to do something in my application. For example, my form_action.asp not only accept param "fname", "lname", but also "gender", can he/she make a request on their own , like this....
<form action="http://www.myDomain.com/myApp/form_action.asp" method="post">
First name: <input type="text" name="fname" /><br />
Last name: <input type="text" name="lname" /><br />
Gender: <input type="text" name="gender" /><br />
<input type="submit" value="Submit" />
</form>
****Updates:****
I don't want the user submit the gender, because I don't want to modify his/her gender after he/she assigned.
If he/she can submit this query, it there any way to avoid him/her to do so? thank you.
You're thinking about this the wrong way. Forget about HTML forms. They're not what your server handles. It handles HTTP requests.
And (pretty obviously) people can send you HTTP requests that contain whatever they want. Not just additional fields, but also fields with values that the form would not allow, or fields with names that are 5000 characters long and/or values that are that long.
So what you absolutely must do is define what constitutes valid input and reject input that isn't. In your case, it's pretty simple: if the form is not supposed to contain a "gender" field, then have the server ignore such a field, or abort with an error if it's present.
Usually you don't have to do anything to ignore fields. But you definitely have to write your app in such a way that it does not accept field values that are not valid.
You cannot avoid this. Inputs coming from the clientside are NEVER secure and can ALWAYS be tampered with.
You'll have to implement your checks serverside, in the ASP file itself.
The reason you can't avoid it is that he doesn't need to make his own copy and submit it from another domain. He can easily modify your site live with javascript (e.g.: firebug) and send the fake request identical to a valid one.
If your form action file i.e. form_action.asp doesn't call for the $_POST['gender'] variable i can't see how it would affect your script.
Make sure that you are sanitizing your variables though, so for first name and last name you would only really want to accept A-Za-z, space and maybe hyphens and apostrophes.
By doing this it doesn't really matter what they send to your form because most of the tags, brackets etc will be removed and any script injected won't run.
Make sure you also escape the variables before you enter them in your database, I use mysql_real_escape_string in php, but don't know any asp so you will have to look it up.