I am working with codeigniter,
I enter the following value in a text box
'>"><script>alert(document.cookie)</script>
And save it with, geting that value using $this->input->post();
When we try to show the string in a text box,the text will be closed and showing like,
<input name="field_14" id="field_14" type="text" value="'>">[removed]alert([removed])[removed]" />
in my config file
$config['global_xss_filtering'] = TRUE;
How to overcome this situation?
Anyone know?
Check your POSTDATA as GET or POST (Depends what method is used in the form) in your controller or model. If you are recordering in database you can filter data with escape function:
$field_14 = $this->db->escape($field_14));
Anyway, full code should be checked...
Related
Is it possible to prevent the data from being automatically passed to the input fields. For example - if I have an edit page where I want to change the data and I want the user to type the data again without giving him the pre-filled old data. I was looking over some documentation about the ModelState and the asp-for tag but I just couldn't find the answer.
I was looking for help and I found this post here. Well I want to do exactly the opposite.
asp-for tag helper functionality_
EDIT:
I tried to change the value attribute of the input field to empty string and it worked, however I still would like to know if there is an asp.net approach.
If you don't want to pass data from action to Edit view,you can return a view with an empty model like this:
public IActionResult Edit()
{
return View(new YourModel());
}
Or you can try to use id and name attribute to replace asp-for,so that the data will not be binded to inputs.Here is a demo.
Change
<input asp-for="TestProperty" />
to
<input id="TestProperty" name="TestProperty" />
I am finding it difficult to retrieve data from a web page when that data was initially passed in from the controller layer.
I am using Thymeleaf 3 and Spring boot v1. I have a webMVC controller which is passing an object to the template. The object looks something like this (pseudo-code):
public class Person{
// Nested object retrieved from various data sources
// and passed to the UI
private Address address;
private Job job;
// Form values I want to retrieve from UI
private String formValue1;
private String formValue2;
// getters/setters
}
My html page is divided into two sections. One section displays most of the Person values, while the other section includes a basic form. When the form is submitted, I want the form values plus ALL original values returned to the server.
What I'm finding is that it seems Thymeleaf will only retrieve values which are in the form, which means I have to stretch the form across both sections of the page, even though the user will only fill out one section of the page. So now the html looks as follows:
<html>
<!--header/body/etc -->
<form th:object="${person}" th:action="#{/person/id}" method="post">
<!-- Form Inputs -->
<input type="text" th:field="${person.formValue1}"/>
<input type="text" th:field="${person.formValue2}"/>
<!-- Values not used in form, but included so they will be sent back
to server -->
<input type="text" th:field="${person.address.city}" readonly="readonly"/>
<input type="text" th:field="${person.address.street}"
readonly="readonly"/>
<input type="text" th:field="${person.job.title}" readonly="readonly"/>
</form>
</html>
Additionally, it seems that Thymeleaf can only retrieve values that have the attribute th:field, but th:field is only assignable to the <input/> element (as far as I know), so any long text I have is truncated to the normal length of an input field, which is rather limited.
So I'm wondering if anyone can help with the following questions:
Can Thymeleaf return values which are not within a form (but returned when the form is submitted)
Is th:field the only option I can use for sending data back? (I've successfully displayed data with th:text, but no luck sending anything back).
Thanks.
Can Thymeleaf return values which are not within a form (but returned when the form is submitted)
This is more about how HTML forms and POST in HTTP works here. HTML form will send whole data within and Thymeleaf will bind that data to an object in your controller. So if you want all the values you should in fact wrap it all in a single form - this is a good way to go. If the case is that you don't want to display all the fields you could use hidden fields.
If you still would like to keep the data in separate forms for some reason you could try to work around it:
By using JavaScript to collect data from both forms and send it
Try to name both forms the same. I am not sure about it but it might work
I wouldn't recommend any of those anyway. Try to keep it simple.
Is th:field the only option I can use for sending data back? (I've successfully displayed data with th:text, but no luck sending anything back)
For a long text you can use textarea.
I wish to send a long value from my login.jsp page to the struts action from bean as a hidden field. I have done the mapping etc for the two properties username and password and for them the program works fine. Now I want to send a time value as a hidden property named "requesttime" to store the time of login in a table for security check. But I have not been able to figure out how to do it. Here is the part of the jsp page where I am stuck.
<%long time = System.currentTimeMillis();%>
<html:form action="login">
<bean:message key="login.username"/>
<html:text property="username"/><br/>
<bean:message key="login.password"/>
<html:password property="password"/><br/>
<%--I wish to insert "time" as property "requesttime" as hidden here--%>
<html:submit value="login"/>
</html:form><hr/>
<html:errors/>
Please do not mind my ignorance. And thank you for whatever help you may provide.
Using script you can get the time of login. Now do
< input type="hidden" id="time">
and enter the value you got. Using scriplets would be better.
Then in servlet call the request.getParameter("time") and store as a string or as an integer.
Your choice. Hope this helps.....
I'm coding a newsletter and the guy that asked me to do it wants a link in it...all perfect no problems...
Now the problem is that when you click on this link it goes on a page with fields and the guy asked me if it's possible to automatically fill up one of the fields.
The page is a subscription page for some services and this guy wants me to fill up the referral field automatically when you land on the page with his email. Is it possible?
Thanks heaps
One way to do this is to place the field name and value in the query string. The "query string" is the part of a URL which contains field/value pairs. It is separated from the page address by a ? followed by field=value pairs separated by & characters. For example,
http://www.example.com
...would become...
http://www.example.com?fieldName=fieldValue
In order for this to work, the page must parse the field as part of the HTTP GET request and then return the value as a pre-filled field. If the form is properly validated at the server side then it usually already has this capability of parsing fields and retaining their values across multiple submissions of the same form. This is because doing so allows the page to be redrawn with an error message if some fields are blank or have invalid values.
This is very easy to test - just find the field name in the page source and extend the URL you are currently using as shown above. If it works you are done. If not, you may need to get the code on the server side updated to accept the field as part of the query string.
Other ways to accomplish the same thing are more dependent on the server-side code. For example, many sites embed the associate referral ID in the URL such as:
http://www.example.com/123456/
In this case, server-side code interprets the directory path as a field and parses it accordingly. Because this requires very specific server-side code to support it, the first option is probably your best bet.
Encountered this issue, and the following Javascript code did the trick.
Using #T.Rob query string parameters.
HTML CODE:
<input type="text" name="fillfield" id="fillfield" style="width: 350px;" class="input" value=""/>
JAVASCRIPT CODE:
window.onload=function(){
function querySt(ji) {
hu = window.location.search.substring(1);
gy = hu.split("&");
for (i=0;i<gy.length;i++) {
ft = gy[i].split("=");
if (ft[0] == ji) {
return ft[1];
}
}
}
var fieldName = querySt("fieldName");
if( fieldName==null){
}else{
document.getElementById('fillfield').value = fieldName;
}
}
When you visit http://www.example.com?fieldName=fieldValue it would automatically fill in fieldValue to the fillfield input.
Using php
<?
$passthis = "See you on the other side";
echo '<form action="whereyouwantittogo.php" target="_blank" method="post">'.
'<input type="text" name="passthis1" value="'.
$passthis .' " /> '.
'<button type="Submit" value="Submit" >Submit</button>'.
'</form>';
?>
The script for the page you would like to pass the info to:
<?
$thispassed = $_POST['passthis1'];
echo '<textarea>'. $thispassed .'</textarea>';
echo $thispassed;
?>
Use this two codes on seperate pages with the latter at whereyouwantittogo.php and you should be in business.
i have an aplication that takes some parameters through an html form and then creates a model entity. The problem is, that whatever i try, i get an error like this:
BadValueError: Property xxx must be a list
this is the model:
xxx = db.ListProperty(int)
this is the sentence used for getting the list:
xxx = self.request.get('xxx')
I figure that the html form returns a string as i hit the submit button. So, how would i be able to get a list from an input type="text" in an html form? If i write 1,2 it's not ok, as isn't anything else.
The python code is similar to the helloworld application where a form is used to post greetings on the page, the difference is that i need to get a list, not text.
self.response.out.write("""
<form action="/sign" method="post">
<div><textarea name="content" rows="3" cols="60"></textarea></div>
<div><input type="submit" value="Sign Guestbook"></div>
</form>
</body>
</html>""")
class Guestbook(webapp.RequestHandler):
def post(self):
greeting = Greeting()
if users.get_current_user():
greeting.author = users.get_current_user()
greeting.content = self.request.get('content')
greeting.put()
self.redirect('/')
Is this the optimal way to get user input to create a model entity and how can i fix it so that it will get a list and write it in the models attributes?
The solution was very simple, once an expert showed me :)
tlist = map(lambda x: int(x), self.request.get_all('xxx'))
You should put lists inside xxx, not strings or integers.
Maybe you would want to use request.get_all method, instead of get.