I am trying to retain the users inputs in a textarea on my ASP classic form, so that if the recaptcha is entered wrong then the user's input is not lost and they only have to re-enter the captcha text. I am able to retain the input from a normal text box using value="<%=session("Address")%>". But the same thing does not work for textareas. I have seen a solution for PHP and so was hoping there was something available for ASP. How can i go about doing this, and if possible I would prefer to keep it server side? Thanks in advance.
like so:
<textarea name="" id=""><%=session("Address")%></textarea>
Keep in mind that you should not put out user generated texts directly in your site. think of malicious JavaScript code in session("address")...
you should encode those values like so:
<textarea name="" id=""><%=server.htmlencode(session("Address"))%></textarea>
same for all other places where you "inject" user generated values in your site...
Related
Given a simple text box in the form:
<input type="text" … >
Is there any way for the user to inject a line break?
I know that it is possible to fake a form using curl or other technology, so I’m not relying on this as a form of protection. It’s more a question on whether a user can do this simply.
Thanks
No, they can't enter a new line in a text input.
They can, however, replace the input with a textarea in their browser's DOM inspector or bypass the form entirely and send an HTTP request with whatever data they want in it.
I am looking for some guidance on how to save editing done using /wysihtml5.
I have googled using several different combinations of search terms but virtually all the hits I get are github. I have looked through the examples on that site but I can't find anything that explains how the changes can be saved once a user edits a page.
I do have some php and sql knowledge but would like some pointers to exactly what I need to do to get changes made using /wysihtml5 saved. The other instructions appear very comprehensive so I wonder why this aspect seems to be missing.
Can anyone help please?
Many thanks
Brenda
According to the editor's Getting Started page, it works by replacing a regular <textarea> with the rich editor:
wysihtml5 takes a textarea and transforms it into a rich text editor.
The textarea acts as a fallback for unsupported browsers (eg. IE < 8).
Make sure the textarea element has an id, so we can later access it
easily from javascript. The resulting rich text editor will much
behave and look like the textarea since behavior (placeholder,
autofocus, …) and css styles will be copied over.
Please note: The textarea will always hold the editor’s generated
markup. Therefore wysihtml5 integrates smoothly with forms.
So, the editor's content will always be available as the value of the textarea, and you can use it as you would with a regular form element (submit the form, or get the contents with JavaScript and send it to PHP using Ajax).
For example, consider you apply the editor to the following:
<form action="somescript.php" method="POST">
<textarea id="wysihtml5-textarea" name="wysihtml5-textarea"></textarea>
<input type="submit" value="Submit form">
</form>
If you submit the form by clicking the button, your php script will receive the contents on $_POST["wysihtml5-textarea"] (change the name of the textarea to set the desired key on $_POST).
If you want to get the value using JavaScript, select the <textarea> by ID, then access the element's value:
var textarea = document.getElementById("wysihtml5-textarea");
alert(textarea.value);
Then you can pass that value to PHP using Ajax if you want. The PHP/SQL implementation for actually saving the data is up to you, the editor's code just takes care of providing a rich text editor, and formatting features.
Note: I never used that editor, so my answer might be not be 100% accurate.
I was wondering whether it is possible to assign a value to an HTML text box and protect it.
What I mean is make it´s content unmodifiable, so that when the form gets submitted im "sure" it was this value which was submitted.
BTW I realize the easier way would be not to "listen" fot this input and just assign it but it would come in handy to be able to do what´s stated above.
I hope the question is clear enough, please ask for any needed clarification.
Thanks in advance!
EDIT: I was definitely not clear enough but I tried to express that i should hold the value after submitted (not modifiable in client side)
No, it's not. You should never trust user input, which includes form submissions.
The other answers tell you how to mark the field as read-only. This is useful if you want to display a particular value, while showing that it's not intended to edited.
However, it can still be modified with Firebug, DOM Inspector, etc. Or, they can just submit a HTTP request without using the browser at all.
I would recommend storing the value in a session instead.
Set the readonly property of the input element:
<input type="text" readonly="readonly" />
This will prevent any modification (except if the user edits with a DOM Inspector). Always validate input on the server. If you do not want any changes made, don't allow the user to edit it.
http://www.w3schools.com/tags/att_input_readonly.asp
Form inputs have a 'disabled' and 'readonly' attributes you can set to make them un-editable.
http://htmlhelp.com/reference/html40/forms/input.html
Though you can never be 100% sure what is getting sent from the client side. The entire DOM is editable by the client.
Just do this
<input type="text" value="VALUE" readonly />
Then itll be read only :)
<input type="text" readonly="readonly"/>. But: Never be sure, and validate data on the server side. It is very easy to request GET/POST with invalid data.
I have a web page with a read-only text box which shows some HTML code:
<input type="text" readonly="true" value="<table>...</table>"/>
There is also submit button, which causes page post back and XSS validation to trigger. I don't want to turn off XSS.
I also tried disabled="disabled", but then the user is not able to copy the text in the text box.
So I thought that using div and span which can give same look and feel would suffice and negate the need for turning off the validation. While trying this, I am struggling to restrict the string in one line. As in text box, it is a single row with column size and text is shown nicely, we can also copy text.
Is there a better solution for what I'm trying to do?
If I understand you correctly you're trying to show some example code in a web interface that is formatted for easy consumption by the end user.
As a general rule, you should wrap code snippets in <pre></pre> tags, I would then suggest having a go at using: http://alexgorbatchev.com/wiki/SyntaxHighlighter to format the code as if you were viewing in an IDE.
This will prevent you from having to turn of the XSS checker.
you could use <pre> tags
check this link
If we type something in the text area and press submit button, the values should be displayed on the same page under that. How to do that?
And make stay permanently on the page
You need javascript.
<form onsubmit="document.getElementById('output').innerHTML = document.getElementById('tarea1').value;return false">
<textarea id="tarea1"></textarea>
<input type="submit" />
</form>
<div id="output"></div>
You need some server side code, asp.net or PHP
Test for Post/Get parameters
Echo text in response
If you need to learn about forms and server side basics w3schools.com is the best place to start
In order to store something permanently, you need to have a server running your webpage. You can't just create an HTML file that can get changed on the fly and have those changes become permanent. You'll need to learn a server language (PHP for example) and have a server (like Apache) that can display your page.
Is this what you're intending? to make an actual site, not just a webpage?
Add a piece of JavaScript and attach it to onClick of the submit button. In the JavaScript, copy the value of the text area into the new place (assign the text to innerHTML) and also call submit() on the form.