ie9 post request losing query parameters [duplicate] - node.js

This question already has answers here:
What happens if the action field in a <form> has parameters?
(4 answers)
Closed 7 years ago.
I'm writing an application that, unfortunately, still has IE9 support. My requirement has another application posting data and redirecting (via a form POST) into my application, along with query parameters. I'm using Node and Express to parse the query params and render a page. I'm running into an issue where, if there are query parameters on a POST request, IE9 is actually making three requests: one POST with data, one GET with query params, and one GET without anything attached at all. This seems to affect only IE9. Any suggestions on how to make it happen like all other browsers, in one request?
EDIT: now with code
<form action="/testPath/?path=placetoGo&group-id=281740360804&ref-id=2817403600034&itineraryTypeCode=RT&type=edd&num-adults=1" method="POST">
<input type="hidden" name="data" value='something'>
<input type="submit" value="Submit">
</form>
So that's the request to the Node/Express server.
On the server, IE9 comes in with three requests: the first one is a POST with the object on the body, the second is a GET with the query params, and the third is a GET without the post data or query params.

Did you try changing the type attribute of the submit button from submit to button, since you post with JavaScript?
Also change
<form action="/testPath/?path=placetoGo&group-id=281740360804&ref-id=2817403600034&itineraryTypeCode=RT&type=edd&num-adults=1" method="POST">
to
<form action="/testPath/placetoGo&281740360804&2817403600034&RT&edd&1" method="POST">

Related

Trouble handling hidden element with selenium

Every time I run this code, I have trouble reaching the targeted page. The site requires a POST request parameter to be filled in to reach the page I am after. However, using a GET request it was good to go until it hit the "Var4" parameter within my code. Inspecting the element, I could see that it is marked as hidden. If I leave the hidden parameter blank, it redirects to another location. So, satisfying this requirement to get to the targeted page is beyond my capability. Any suggestion will be appreciated.
from selenium import webdriver
driver = webdriver.Chrome(r"C:\Users\ar\Desktop\Chromedriver\chromedriver.exe")
driver.get('https://www.infocomm.org/cps/rde/xchg/infocomm/hs.xsl/memberdirectory.htm')
Var1='Professional Services Providers'
Var2='AUSTRALIA'
Var3='0'
Var4='1'
driver.find_element_by_xpath('//select[@name="mas_type"]').send_keys(Var1)
driver.find_element_by_xpath('//select[@name="mas_cntr"]').send_keys(Var2)
driver.find_element_by_xpath('//input[@name="OtherCriteria"]').send_keys(Var3)
driver.find_element_by_xpath('//input[@name="DoMemberSearch"]').send_keys(Var4)
driver.find_element_by_xpath('//input[@type="submit"]').click()
Element for the hidden stuffs which should be applicable for "Var4":
<form name="searchform" id="searchform" action="memberdirectory.htm" method="post" onsubmit="return Checkform();">
<input type="hidden" id="DoMemberSearch" name="DoMemberSearch" value="1">
<div class="login block-type-a block">
As a workaround, you can try executing JavaScript with Selenium.
For example, to unhide the element
driver.execute_script("document.getElementById('DoMemberSearch').type = 'text';")
or set value directly
driver.execute_script("document.getElementById('DoMemberSearch').value = '%s';" % Var4)
You cannot send keys to a hidden element; what you can do is use JavaScript to send the value,
probably something like this:
driver.execute_script("document.getElementById('DoMemberSearch').value='1'")

Node Express routes - Absolute URL vs Relative URL

I have a simple form of this type
<form name="keywords" action="www.mydomain.com:6161/articles" method="post">
<input type="text" name="keyword" />
<input type="submit" name="submit" value="Submit" />
</form>
The Express 4 route for handling the form post is as follows
app.post('/articles', routes.article.keyword);
The actual route file has the following
exports.keyword = function(req,res,next){
res.send(req.body.keyword);
};
Based on the above circumstances, when I post the form in the browser, I see a page “The address wasn’t understood”.
But, if I use relative URL in the form action i.e.,
It works perfect. Why so?
Because in reality, I sometimes may have to post data to a different domain or URL altogether.
I will post my comment as an answer as it helped.
In order for the action to work, you need to either specify the full URL, including the schema:
<form name="keywords" action="http://www.example.com/articles" method="post">
Or you can just use a relative url:
<form name="keywords" action="/articles" method="post">
A relative path is one not starting with a / (forward slash). Generally, this will attempt to load from the current URL's base dir (you can set this in HTML, though browsers default to the 'dirname' of the URL; e.g. 'img/something.gif' on a page at '/some/path/index.html' will fetch it from '/some/path/img/something.gif').
An absolute path is one starting with a /. It will be loaded using the same schema, host and, optionally, port, user, etc. (full URL syntax: scheme:[//[user:password@]host[:port]][/]path[?query][#fragment]; read more here: https://en.wikipedia.org/wiki/Uniform_Resource_Locator).
A full URL is one starting with a schema (http/https/ftp, etc.). However (this comes in handy): if you're going to be using the same schema (which keeps your site's security score high), you can skip it, along with the colon.
E.g.: while viewing a site from 'https://blah.net', and attempting to load a resource from Google (analytics maybe), you can reference it as:
'//google.com/path/to/whatever'
This will use https if the page was loaded over https, or http if not. It keeps you from having to determine the scheme that was used when rendering the page.
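The resolution rules from the answers above, as an added example that is not part of the original posts: it runs each `action` value through the WHATWG `URL` parser built into Node.js and browsers, and shows that the question's scheme-less value is parsed with `www.mydomain.com:` as its scheme. The page URL and the `resolveAction` helper are assumptions made for illustration.

```javascript
// Added example: resolve form `action` values the way a browser does, using
// the WHATWG URL class that is built into Node.js and browsers.

// Page hosting the form (constructed; host and port taken from the question).
const PAGE = 'http://www.mydomain.com:6161/some/path/index.html';

function resolveAction(action, pageUrl = PAGE) {
  const page = new URL(pageUrl);
  const target = new URL(action, page); // relative inputs resolve against the page
  let kind;
  if (/^[a-z][a-z0-9+.-]*:/i.test(action)) kind = 'has scheme';
  else if (action.startsWith('//')) kind = 'scheme-relative';
  else if (action.startsWith('/')) kind = 'host-relative';
  else kind = 'path-relative';
  return {
    kind,
    href: target.href,
    scheme: target.protocol,
    // An Express route can only receive the POST over http or https.
    httpTarget: target.protocol === 'http:' || target.protocol === 'https:',
    // True when the form body leaves the origin that served the page.
    crossOrigin: target.origin !== page.origin,
  };
}

// Values taken from the question and answers above.
const samples = [
  'www.mydomain.com:6161/articles',   // text before the first ':' becomes the scheme
  'http://www.example.com/articles',
  '/articles',
  'img/something.gif',
  '//google.com/path/to/whatever',
];
for (const action of samples) {
  console.log(action.padEnd(34), resolveAction(action));
}
```

The `crossOrigin` flag is the one to check when reviewing templates: it marks every form whose submitted fields are sent to a different origin than the page.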

Render data from node server on page refresh and thereafter from angularjs

I'm developing an app using AngularJS with Node.js and Dust.js.
What I'm trying to achieve is, during the page refresh, to pass the data like
res.render('index', {names : [{name:"name1"},{name:"name2"}]});
and Dust.js should be able to render
{#names}<li>{name}</li>{/names}
How can I use AngularJS ng-repeat for subsequent actions in the page?
As of now I'm making an HTTP request to get the JSON and rendering the page fully on the client side.
<li ng-repeat="myname in mynames">{{myname.name}}</li>
I prefer not to save my data as a JavaScript variable, which is readable through the source.
I just want to know if somebody has done something like this.
I did it in a hackish way to implement this; not a suitable solution.
I used ng-if of AngularJS to do this
var mynames = [{name:"One"},{name:"Two"}]
<div ng-if="!mydata">
{#mynames }
<div>{name}</div>
{/mynames }
</div>
<div ng-if="mydata">
<div ng-repeat="myname in mynames">[[myname.name]]</div>
</div>
I'm using square brackets for AngularJS as there was some conflict with Dust.js, which was fixed using the code below
angular.module('myapp').config(function($interpolateProvider){
$interpolateProvider.startSymbol('[[');
$interpolateProvider.endSymbol(']]');
});

Passing list as multiple parameter URL in snap

Is it possible to pass list parameter from browser to a handler function in Snap?
How do I construct a multiple parameters URL from a list and send it to a handler function?
For instance, I need to delete some table rows or any other objects.
I can not do it with the usual REST route:
("/objects/:id", method DELETE deleteObject)
simply because there could be too many and deleting 100 rows one by one can get a bit tedious.
I chose the doomed objects via checkbox input, say [3,4,6,8] rows need to be deleted.
So how do I pass that list to the handler within the URL, and what would the route look like for the action?
UPDATE
Well, I finally did it with jquery and ajax call.
Snap's "getParams" function can process multiple parameters URL but I still cannot figure out how to actually construct the URL without jquery and ajax.
I used javascript to collect the items to be deleted and build the array of the items.
I then used ajax to construct multiple parameters URL and send it to the handler.
Few things to note with this method and Snap:
-- Snap's "getParams" function only supports old style multiple parameters URL:
"a=1&a=2&a=3&a=4"
and not the new one:
"a[]=1&a[]=2&a[]=3&a[]=4"
which makes passing complex parameters impossible.
-- The route should be:
("/objects/", method DELETE deleteObject)
and not the:
("/objects/:ids", method DELETE deleteObject)
I did not answer my question because I don't believe it is the only way to pass multiple parameters URL with snap.
Although "getParams" can process it, my question still stays: how do I construct the URL and send it off to a handler?
For instance, Rails uses "link_to" function within view logic to construct the URL. Snap does not use any logic inside templates so how does it work then?
It just can't be that the only way to pass multiple parameters URL in snap is with the help of javascript...?
Please someone confirm this for me?
You're pretty much there. The following form...
<form action="/foo">
<ul>
<li>Row 1: <input type="checkbox" name="a" value="1"/></li>
<li>Row 2: <input type="checkbox" name="a" value="2"/></li>
<li>Row 3: <input type="checkbox" name="a" value="3"/></li>
<li>Row 4: <input type="checkbox" name="a" value="4"/></li>
<li>Row 5: <input type="checkbox" name="a" value="5"/></li>
</ul>
<input type="submit" name="submit" value="Submit"/>
</form>
...gets submitted like this.
http://localhost:8000/foo?a=2&a=3&a=5&submit=Submit
Then, inside your handler, this will get you a list of ByteStrings.
fooHandler = do
    as <- getsRequest (rqParam "a")
So this doesn't require JavaScript at all. But it works with JavaScript as well. If you use jQuery to submit a list like this...
var fieldData = { rows: [0,1,4], cols: [2,3,5] };
$.getJSON('http://localhost:8000/foo', fieldData, ...);
...then you'll have to make an adjustment for the brackets
rs <- getsRequest (rqParam "rows[]")
cs <- getsRequest (rqParam "cols[]")

Best ways to secure form data from malicious users wielding Firebug?

I've read a couple of related questions on this, but they don't answer my question directly. Developer tools like Firebug allow anyone to see and manipulate form data before a form is sent. A good example of this is adjusting the value of a hidden "member ID" field so that the form submission is credited to another user.
What are the best ways to prevent this type of tampering? My research suggests moving sensitive form inputs to a server-side script, but are there any other options or considerations?
I'm familiar with PHP and jQuery, so my ideal solution would use one or both of those languages.
You can't use jQuery for security since it's all handled on the client side.
In your example just use a PHP session instead of a hidden input field, because as you rightfully noted this can be manipulated.
Using sessions would look something like the following:
login page
<form action="login.php" method="post">
<input type="text" name="username">
<input type="password" name="password">
<input type="submit" name="submit" value="submit">
</form>
login.php
// you have to include this on every page to be able to use sessions.
// also make sure that you include it before any output
session_start();
//Always sanitize the user input before doing any db actions.
//For example by using: `mysql_real_escape_string()` ( http://php.net/manual/en/function.mysql-real-escape-string.php ).
// check user credentials against db
$_SESSION['user'] = $dbresult['username'];
page-where-userid-is-required.php
session_start();
if (!isset($_SESSION['user'])) {
// user is not logged in!
} else {
// use user info to place order for example
}
The session will be active until the user closes his browser / until the session expires (which is a PHP setting)
The above is just some sample code to give you an idea.
It works for smaller projects, however as projects get more complex I would suggest going for the MVC (Model, View, Controller) way. ( http://en.wikipedia.org/wiki/Model%E2%80%93view%E2%80%93controller )
But that's just a whole other story :)
Here are a few basic suggestions:
You need to validate form inputs using a server-side (PHP) script.
Instead of relying on sensitive pieces of information, such as member ID, from the form you could instead cache such data in your server session. That way there is no way for a malicious user to change the data on the fly.
You can still use jQuery validation as a convenience to catch basic input problems, but you can only trust data that is validated using server-side code.
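The session approach both answers describe, as an added example that is not part of the original answers: identity is read from server-side session state, an edited hidden field changes nothing, and every accepted field is validated on the server. It is written in JavaScript for Node.js rather than PHP, and the session IDs, the field names `member_id` and `quantity`, and the quantity limit are assumptions.

```javascript
// Added example (not the answerers' code). Session IDs, field names and the
// quantity limit are constructed for illustration.

// Server-side session store: the browser only ever holds the opaque key.
const sessions = new Map([
  ['sid-constructed-aaa', { memberId: 1001 }],
  ['sid-constructed-bbb', { memberId: 2002 }],
]);

// Return a field only when it appears exactly once, so a repeated key such as
// quantity=1&quantity=99 cannot be read differently by different layers.
function single(params, name) {
  const values = params.getAll(name);
  return values.length === 1 ? values[0] : undefined;
}

function handleOrder(sessionId, rawBody) {
  const session = sessions.get(sessionId);
  if (!session) return { status: 401, error: 'not logged in' };

  const params = new URLSearchParams(rawBody); // urlencoded form body
  const qty = single(params, 'quantity');
  if (qty === undefined || !/^(?:[1-9]|10)$/.test(qty)) {
    return { status: 400, error: 'quantity must be an integer from 1 to 10' };
  }

  // Identity comes from the session. A member_id sent by the browser is never
  // used for attribution; a mismatch is only flagged so it can be logged.
  const tampered = params.getAll('member_id')
    .some((value) => value !== String(session.memberId));

  return {
    status: 200,
    creditedTo: session.memberId,
    quantity: Number(qty),
    tampered,
  };
}

// Constructed requests: an honest form post, then one edited in dev tools.
console.log(handleOrder('sid-constructed-aaa', 'member_id=1001&quantity=2'));
console.log(handleOrder('sid-constructed-aaa', 'member_id=2002&quantity=2'));
```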
