I am trying to retrieve multiple values from HTML and make use of them using req.body.
I am able to do this via message: req.body.message
<form id="message-form" class="input-group input-group-lg" style="">
<input type="text" name="message" class="form-control" aria-label="Large" aria-describedby="inputGroup-sizing-sm">
<div class="input-group-prepend">
<button class="btn btn-primary">Send</button>
</div>
</form>
However, I would like to retrieve the values from elements that are not inside the e.g <span id="item" style="font-weight:bold"> </span>
The reason is that when I load the page, it renders these values dynamically (retrieved from database). When I want to do a POST, I would like to make use of these values that have been rendered previously.
Is there a way to do this?
Many thanks.
Forms don't submit data that does not appear inside a form control.
So you can either:
Store the data somewhere in the server (such as in a session) where you can read it back on a subsequent request (watch out for race conditions!) or
Put the data in a form control instead of or as well as in the span. (Possibly using a hidden input).
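The two options above can be combined. As an added example (not code from the original answer), the sketch below keeps the database values on the server and puts only an opaque per-page token in a hidden input, so two tabs in the same session do not overwrite each other's values, which is the race condition the answer warns about. The in-memory store, the function names, the `page_token` field and the sample items are assumptions made for illustration.

```javascript
const crypto = require('crypto');

// Hypothetical in-memory session store (sessionId -> Map of token -> values).
// A real app would use its session middleware's store instead.
const sessions = new Map();
const MAX_PAGES_PER_SESSION = 20; // assumed cap so old renders are evicted

// Call while rendering the page: keep the database values on the server and
// return an opaque token to place in a hidden input named "page_token".
function rememberRendered(sessionId, values) {
  if (!sessions.has(sessionId)) sessions.set(sessionId, new Map());
  const pages = sessions.get(sessionId);
  const token = crypto.randomBytes(16).toString('hex');
  pages.set(token, Object.freeze({ ...values }));
  // A Map keeps insertion order, so the first key is the oldest render.
  while (pages.size > MAX_PAGES_PER_SESSION) pages.delete(pages.keys().next().value);
  return token;
}

// Call from the POST handler; `body` stands in for req.body.
// Only `message` and `page_token` are read from the client.
function handlePost(sessionId, body) {
  const pages = sessions.get(sessionId);
  const values = pages && pages.get(String(body.page_token));
  if (!values) return { status: 400, error: 'unknown or expired page token' };
  return { status: 200, message: String(body.message ?? ''), item: values.item };
}

// Constructed scenario: one user with two tabs showing different items,
// a forged extra field, and a token replayed from a different session.
function demo() {
  const tabA = rememberRendered('sess-1', { item: 'blue widget' });
  const tabB = rememberRendered('sess-1', { item: 'red widget' });
  return [
    handlePost('sess-1', { message: 'hi', page_token: tabA }),
    handlePost('sess-1', { message: 'yo', page_token: tabB, item: 'forged' }),
    handlePost('sess-2', { message: 'x', page_token: tabA }),
  ];
}

console.log(demo());
```

A single `session.item` slot would have returned the second tab's value for the first tab's POST; keying by token avoids that, and a value the client adds to the body is never read.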
In my html in a node application I have a form as follows:
<form action="/getRoute" method="get">
<input type="hidden" name="a" value="<%= array1[0].element1 %>">
<input type="hidden" name="b" value="<%= array2[0].element2 %>">
<button type="submit">Submit</button>
</form>
When I click submit, the getRoute route is executed successfully (confirmed by console.log statement) - however, I cannot access the values of the hidden input fields by req.body - would anyone know how I can access these, or alternatively use another html element to pass data into the route?
Just found out that these inputs are passed via the URL and can be accessed by req.query.a and req.query.b - it's not ideal to send sensitive data via GET requests since the URL can be seen.
I tried to Google search but I did not even know what to search for!
My current problem is: say I have a customer order an item, it will show in his list of orders and he can then edit the order in the future by clicking a button next to the order.
Currently the button submits a hidden form which contains all information needed to identify a particular order and this form is passed into the edit order page through a post request. Although the form is hidden, when page source is viewed the information will still be accessible by the user.
How do I avoid exposing the information to the user? I.e. do everything in the backend.
<form method="POST" action="/edit_order">
<input type="hidden" name="owner_email" value="<%= all.owner_email %>">
<input type="hidden" name="transactionId" value="<%= all.transactionId %>">
<input type="hidden" name="start_date" value="<%= moment(all.start_date).format() %>">
<input type="hidden" name="end_date" value="<%= moment(all.end_date).format() %>">
<button type="submit" class="btn btn-secondary">Change this order</button>
</form>
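Hidden inputs stay readable and editable by whoever loads the page, so the usual server-side answer is to send only the order reference and let the backend load the rest and check who is asking. The following is an added example, not part of the original post: the `orders` map, the e-mail addresses, the function names and the `transactionId` field name are constructed for illustration, and `sessionEmail` is assumed to come from the server-side login session.

```javascript
// Constructed sample data standing in for the orders table.
const orders = new Map([
  ['tx-1001', { owner_email: 'alice@example.test', start_date: '2024-05-01', end_date: '2024-05-03' }],
  ['tx-1002', { owner_email: 'bob@example.test', start_date: '2024-06-10', end_date: '2024-06-12' }],
]);

// Escape a value for use inside a double-quoted HTML attribute.
function escapeAttr(value) {
  return String(value).replace(/[&<>"']/g, (c) =>
    ({ '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' }[c]));
}

// The form carries only the order reference; owner and dates stay server-side.
function renderEditButton(transactionId) {
  return '<form method="POST" action="/edit_order">' +
    `<input type="hidden" name="transactionId" value="${escapeAttr(transactionId)}">` +
    '<button type="submit" class="btn btn-secondary">Change this order</button></form>';
}

// Hypothetical handler body for POST /edit_order. `sessionEmail` is the
// logged-in user taken from the server-side session, never from the form.
function loadOrderForEdit(sessionEmail, body) {
  const id = typeof body.transactionId === 'string' ? body.transactionId : '';
  const order = orders.get(id);
  // Same response for "missing" and "not yours" so the reply does not
  // confirm whether another customer's order id exists.
  if (!sessionEmail || !order || order.owner_email !== sessionEmail) {
    return { status: 404 };
  }
  return { status: 200, order: { transactionId: id, ...order } };
}

console.log(renderEditButton('tx-1001'));
console.log(loadOrderForEdit('alice@example.test', { transactionId: 'tx-1001' }));
```

Any `owner_email` or date fields a client adds to the POST body are ignored, because the handler reads them from the stored order only.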
I am using nightwatch.js to perform end-to-end testing and have to use a roundabout method for a waitForElementVisible command to work as expected. For example, my code below:
browser.waitForElementVisible(".profile label[for='Admin']") // works
browser.waitForElementVisible(".profile label[for='Admin'] input[id='Admin']") // breaks
For further clarification, I am testing to see if a radio button is visible. The radio button's DOM elements are as such:
<div class='profile'>
<div class='roleSelector'>
<label for="Admin">
<input type="radio" id="Admin" class="Admin">
</label>
</div>
</div>
As far as I know, there is no such specific case.
Did you try using ".profile input[id='Admin']"?
Hope that serves your purpose at hand.
I have
<form action="?#cgi.query_string#" method="post" ...
The cgi.query_string comes in with an indefinite number of variables. I tried using
<form action="?#EncodeForURL(cgi.query_string)#" method="post" ...
Should I be doing any kind of escaping?
You are using method="POST" in your form tag. So you're trying to have a page with both a query string (URL scope) and a form body (FORM scope), correct?
I'm not sure that's best practice or even allowed by some browsers (I read elsewhere they'll strip query strings on POST actions).
The best solution might be to make the action either GET or POST, and loop through the query string making each item a hidden input?
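<cfloop list="#CGI.query_string#" delimiters="&" index="i">
<!--- CGI.query_string is still URL-encoded: decode each part, then encode it for the attribute it is written into --->
<input
type='hidden'
name='#encodeForHTMLAttribute(urlDecode(listFirst(i, "=")))#'
value='#encodeForHTMLAttribute(urlDecode(listRest(i, "=")))#'
/>
</cfloop>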
As you say, you can't do this. Your specific question was whether you should do any escaping. The answer to that is "yes" and the location is going to be on the backend, parsing the query string.
<cfoutput>
<form action='?#CGI.query_string#' method='POST' class='form-horizontal bordered-group' role='form' id='test'>
<input
class='form-control'
type='text'
name='formvar'
/>
<input
class="btn btn-primary btn-lg btn-block"
type="submit"
value="Submit"
/>
</form>
</cfoutput>
Will submit a form to the same page, with the FORM scope present, the URL scope present, and the CGI.query_string defined. The CGI.query_string will have url formatting (%20 for space, etc). The FORM and URL scopes will already be decoded (%20 converted to space, etc).
It seems the crux of your question is really about security and sanitization. In which case you'll want to examine encodeForHTML() (Adobe Docs for encodeForHTML()).
Obviously, this isn't 100% foolproof, since I don't know the details of your code and what you do with the input. But those sanitization functions should be a good start.
So very generally, if you use the URL scope, use encodeForHTML(), and if you use #CGI.query_string#, it will be URL-encoded.
When I submit my Netlify form the server responds with a 200 status and I get the 'thank you' response page. However, when I check the form submission in the Netlify admin, they are all blank. I've inspected my xhr requests and the data shows in the 'params' section of the browser dev tools.
Disclaimer: I work for Netlify.
When our service stores blank submissions, it has not received any fields from the submission which were defined in the html version of the form with the same name parameter in its definition as the submission.
To start off with, it's useful to know that our service requires a plain html version of your form, with a name parameter as well as the netlify or data-netlify=true parameter; this is what prepares your site to accept form submissions at all, so you had that set up right already; if you didn't, you'd get a 404 when POSTing.
Once you have this in a deploy and we parse it correctly, you'll see the form name in your site settings dashboard on the 'Forms' tab. Note that we ALSO pull all the field names we'll save and show to you in notifications or the dashboard from this file and only this file, so make sure you give each form field a name as well, in that html file.
If you see the form in your dashboard, yet get a blank submission when you are sure data was POSTed, this probably has one of three causes:
Netlify did not correctly process your field names from the html version of your form. The service will only properly handle the fields which we see in that html version at deploy time.
Netlify does matching by field name at submission time, so make sure that what your site sends to us then matches up with your deployed html copy of the form. This happens automatically for pure html (no JS) forms since you are POSTing from the file which is the canonical "definition" of your form fields; however, for javascript forms you need to take care that the names match up. Put another way, you cannot later add new fields dynamically in javascript and send them (Netlify will accept all fields, as you have seen, but will not store them or notify you about ones that were not processed at deploy time!)
One more quirk that could get in the way: having multiple copies of a form with the same name in your deploy. Only one will be processed, so if you happen to have an errant <form name=test netlify></form> in another html file (or even the same one!) - it could be the one that we process rather than the other form also named test. So, make sure that you only send a single html definition of your form. Note that some frameworks like gatsby render your jsx down into html before deploy, meaning that if you have a plain html file form definition in your deploy - it could be processed instead of the copy gatsby built.
This blog post describes a successful form built in a react app: https://www.netlify.com/blog/2017/07/20/how-to-integrate-netlifys-form-handling-in-a-react-app/
I missed the "name" attribute in input field.
Every input in the form must have a "name" attribute. Something like <input name="email" ...> or <textarea name="message" ...> is what you need.
Don't miss the "name" attribute for both parent and child layers
<form name="contact" method="POST" data-netlify="true">
<input type="text" placeholder="name" class="box" name="name">
<input type="email" placeholder="email" class="box" name="email">
<input type="text" placeholder="project" class="box" name="project">
<textarea name="message" id="" cols="30" rows="10" class="box message" placeholder="message"></textarea>
<div class="field">
<div data-netlify-recaptcha="true"></div>
</div>
<button type="submit" class="btn"> send <i class="fas fa-paper-plane"></i> </button>
</form>