How to properly escape quotes inside form INPUT attribute assignments? - attributes

I have various things that need to end up in a CGI form, thus:
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="thing">
...my understanding (limited, but I'm learning) is that CGI inputs require double quotes as delimiters.
However, some of the things I need to put in there have double quotes. Some have single. Some have none. Some could easily have both. Basically, anything at all might end up in that field (because this is in a field generator, and the idea is to generate the content for those fields from whatever one might desire.)
Conceptually, I imagine:
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="a \"Quoted\" thing with backslash thusly: \\">
...but have no idea if that's right, or what.

Use HTML entities. &quot; == " and so on.
so...
<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 NAME="name" VALUE="a &quot;Quoted&quot; thing with backslash thusly: \">
...does the trick.
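An added example, not from the question or the answer above, that shows what the entity approach does to the VALUE attribute from the question and why backslashes cannot do the job: it builds the INPUT tag with Python's html.escape, then feeds the markup back through the standard-library HTML tokenizer to confirm that the browser-side view recovers the original value, while the raw (unescaped) version truncates the value and spills the rest into extra attributes. The sample values are constructed; the first is the one from the question.

```python
import html
from html.parser import HTMLParser

# Constructed sample values; the first is the value from the question
# (a real backslash at the end, written as \\ in Python source).
SAMPLES = [
    'a "Quoted" thing with backslash thusly: \\',
    "it's <b>not</b> markup & that's fine",
]


def attr_escape(value: str) -> str:
    """Escape a string for use inside a quoted HTML attribute.

    html.escape(quote=True) turns & < > " and ' into entities, so the result
    can neither terminate the attribute nor start a tag. Backslashes mean
    nothing to an HTML parser and are left exactly as they are.
    """
    return html.escape(value, quote=True)


def text_input(name: str, value: str, escape: bool = True) -> str:
    """Build the INPUT tag from the question. escape=False reproduces the
    broken approach (value dropped in raw) for comparison."""
    shown = attr_escape(value) if escape else value
    return (f'<INPUT TYPE="TEXT" SIZE=64 MAXLENGTH=64 '
            f'NAME="{attr_escape(name)}" VALUE="{shown}">')


class _AttrCollector(HTMLParser):
    """Record the attributes the tokenizer reports for the start tag."""

    def __init__(self):
        super().__init__()
        self.attrs = []

    def handle_starttag(self, tag, attrs):
        self.attrs = list(attrs)


def parse_attrs(markup: str) -> list:
    """Return the (name, value) pairs a browser-style tokenizer extracts from
    the tag: names lowercased, entities decoded, the way a browser sees them."""
    collector = _AttrCollector()
    collector.feed(markup)
    collector.close()
    return collector.attrs


def round_trips(value: str, escape: bool = True) -> bool:
    """True if the value survives the trip into the attribute and back out."""
    attrs = dict(parse_attrs(text_input("name", value, escape=escape)))
    return attrs.get("value") == value


if __name__ == "__main__":
    for sample in SAMPLES:
        print(text_input("name", sample))
        print("  escaped round-trips:", round_trips(sample))
        print("  raw round-trips:    ", round_trips(sample, escape=False))
        raw_attrs = parse_attrs(text_input("name", sample, escape=False))
        print("  raw attribute count:", len(raw_attrs))
```

Only the double quote actually breaks a double-quoted attribute; the second sample (single quotes, angle brackets, an ampersand) happens to survive raw, which is exactly why escaping must be applied uniformly rather than on a case-by-case guess about the input.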

Related

How to prevent Twig from replacing single quote by double quote in HTML tag attribute?

Using Twig in Symfony 5, it appears that declarations in a template like this:
<input type='text' value='hello' />
are automatically replaced by
<input type="text" value="hello" />
I'm using a JS library (Yaireo Tagify) which can automatically populate an input with a JSON object (so with quotes), which implies using single quotes in the input attribute. See the discussion here: https://github.com/yairEO/tagify/issues/597
Could you help me?
Thanks!
DevTools give an incorrect view of output source...
Twig won't change single quotes to double quotes

asp-for does not generate code on Razor Page

I must be missing a configuration setting.
Simple example:
<input asp-for="Login.UserIDMaybe" type="text" class="inputStandard" placeholder="User ID" autofocus>
When the page compiles, the result is that exact same HTML, and when the form is submitted, the UserIDMaybe property of the model is always null.
To test that everything else is cool, I can replace that input HTML with the following, and it works (the Login.UserIDMaybe value is filled with what the user entered into the Input).
<input for="Login.UserIDMaybe" type="text" class="inputStandard" placeholder="User ID" autofocus>
Maybe I have completely misunderstood the usage of asp-for, or maybe I have failed to "turn it on". Thanks.
And yes "@addTagHelper *, Microsoft.AspNetCore.Mvc.TagHelpers" is in the _ViewImports.cshtml file, but maybe that is not enough.
If you are using MVC and Razor Pages, make sure you have a _ViewImports.cshtml in your Pages folder too.

For posting back on itself with query string

I have
<form action="?#cgi.query_string#" method="post" ...
The cgi.query_string comes in with an indefinite number of variables. I tried using
<form action="?#EncodeForURL(cgi.query_string)#" method="post" ...
Should I be doing any kind of escaping?
You are using method="POST" in your form tag. So you're trying to have a page with both a query string (URL scope) and a form body (FORM scope), correct?
I'm not sure that's best practice or even allowed by some browsers (I read elsewhere they'll strip query strings on POST actions).
The best solution might be to make the action either GET or POST, and loop through the query string making each item a hidden input?
<cfloop list="#CGI.query_string#" delimiters="&" index="i">
<input
type='hidden'
name='#listFirst(i, "=")#'
value='#listLast(i, "=")#'
/>
</cfloop>
As you say, you can't do this. Your specific question was whether you should do any escaping. The answer to that is "yes" and the location is going to be on the backend, parsing the query string.
<cfoutput>
<form action='?#CGI.query_string#' method='POST' class='form-horizontal bordered-group' role='form' id='test'>
<input
class='form-control'
type='text'
name='formvar'
/>
<input
class="btn btn-primary btn-lg btn-block"
type="submit"
value="Submit"
/>
</form>
</cfoutput>
Will submit a form to the same page, with the FORM scope present, the URL scope present, and the CGI.query_string defined. The CGI.query_string will have url formatting (%20 for space, etc). The FORM and URL scopes will already be decoded (%20 converted to space, etc).
It seems the crux of your question is really about security and sanitization. In which case you'll want to examine encodeForHTML() (Adobe Docs for encodeForHTML()).
Obviously, this isn't 100% foolproof, since I don't know the details of your code and what you do with the input. But those sanitization functions should be a good start.
So very generally, if you use the URL scope, use encodeForHTML(), and if you use #CGI.query_string#, it will be URL-encoded.
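An added example, not from the answers above and not ColdFusion code, that separates the two encoding layers they describe: the raw CGI.query_string is still URL-encoded, the parsed parameters (the URL scope) are decoded, and anything written back into markup needs HTML escaping on top of that. Python's urllib and html modules stand in for EncodeForURL() and encodeForHTML(); the query string is a constructed sample.

```python
import html
from urllib.parse import parse_qsl, urlencode

# Constructed sample, in the form CGI.query_string carries it: still URL-encoded.
QUERY_STRING = "page=2&q=caf%C3%A9%20%26%20bar&note=%3Cb%3Ehi%3C%2Fb%3E"


def decoded_params(qs: str) -> list:
    """The URL scope: (name, value) pairs with the percent-encoding removed."""
    return parse_qsl(qs, keep_blank_values=True)


def hidden_inputs(qs: str) -> str:
    """Re-emit every query parameter as a hidden input, escaping both the name
    and the decoded value for the attribute context (& < > " ' become entities),
    so no parameter can close the attribute or start a tag."""
    lines = []
    for name, value in decoded_params(qs):
        lines.append(
            f'<input type="hidden" name="{html.escape(name, quote=True)}" '
            f'value="{html.escape(value, quote=True)}" />'
        )
    return "\n".join(lines)


def action_attr(qs: str) -> str:
    """Build the contents of a form's action attribute from the parameters:
    URL-encode first so the URL itself is valid, then HTML-escape so the '&'
    separators become '&amp;' in the markup (the browser decodes them again)."""
    url = "?" + urlencode(decoded_params(qs))
    return html.escape(url, quote=True)


def form_markup(qs: str) -> str:
    """Assemble a self-posting form that carries the query string both ways:
    in the action URL and as hidden fields in the POST body."""
    return (
        f'<form action="{action_attr(qs)}" method="post">\n'
        f"{hidden_inputs(qs)}\n"
        '<input type="text" name="formvar" />\n'
        '<input type="submit" value="Submit" />\n'
        "</form>"
    )


if __name__ == "__main__":
    print(form_markup(QUERY_STRING))
```

Note that the same decoded value gets a different treatment depending on where it lands: percent-encoding for the URL, entities for the attribute. Applying only one of the two, or applying them in the wrong order, is the usual source of both broken links and attribute injection.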

Watir: Escaping special characters

I have a problem while escaping the special character -. Here is the HTML code snippet:
<input class="form-control dob ng-pristine ng-valid" type="text" readonly="readonly" data-date-format="mm/dd/yy" ng-model="pollObj.poll_question.start_time" datepicker=""></input>
<span></span>
<input class="form-control dob ng-pristine ng-valid" type="text" readonly="readonly" data-date-format="mm/dd/yy" ng-model="pollObj.poll_question.end_time" datepicker=""></input>
I am using watir web driver to select a date from the date picker.
So if I have to click the first input from the above html snippet, the only thing that can be distinguished is the value for ng-model. Hence I thought of writing like this:
browser.input(:ng-model="pollObj.poll_question.start_time").when_present.click
In the above code, I need to escape - in ng-model. Using a backslash does not help.
Can someone please help?
The ng-model is not a standard attribute, so Watir-Webdriver does not directly support the attribute as a locator.
One option is to use a css-selector:
browser.element(:css=> 'input[ng-model="pollObj.poll_question.start_time"]').when_present.click
Or you could use xpath:
browser.input(:xpath => './/input[@ng-model="pollObj.poll_question.start_time"]').when_present.click

Snap: Handling multipart/form-data with mixed type input fields

I have a multipart data form with mixed type input fields. Something like this.
<form method="post" enctype="multipart/form-data" action="/files/upload">
<input name="files" type="file" multiple />
<input name="category" type="text" />
<input name="description" type="text" />
<input type="submit" value="Submit"/>
</form>
This should be pretty common as you'd want to supply some other data along with the actual file upload: group, description etc.
So since this is a multipart form data the usual "getPostParams" is out of the question.
If I handle it normal way with "handleMultipart", it does not even pick up the text fields.
Processing the above form with "handleMultipart" returns me a list with one part instead of three, which means it ignores the text input fields.
Any idea how to deal with it? How would I process the above form?
According to my research, if you mix fields in a multipart form you get a MIME-encoded message which should still contain all the fields.
Anything in the form that is not a file should be put into rqParams/rqPostParams. If they are not there, then you should submit a bug report. Try to be as detailed as possible.
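An added example, not from the question or the answer and not Snap code, that does on the wire what the answer describes: a multipart/form-data body carrying files and plain fields is one MIME message, and a parser splits it into the text parameters (what Snap puts in rqPostParams) and the file parts. Python's email package is the parser here; the request body is a constructed sample for the form above, with two files under the `files` name, an empty file slot as browsers send when nothing was chosen, and the two text fields.

```python
from email import policy
from email.parser import BytesParser

BOUNDARY = "----constructed-boundary-7f3a"
CONTENT_TYPE = f"multipart/form-data; boundary={BOUNDARY}"


def _part(disposition: str, body: bytes, content_type: str = "") -> bytes:
    """Frame one body part the way a browser does (constructed helper)."""
    headers = f"Content-Disposition: form-data; {disposition}\r\n"
    if content_type:
        headers += f"Content-Type: {content_type}\r\n"
    return f"--{BOUNDARY}\r\n{headers}\r\n".encode() + body + b"\r\n"


# Constructed request body for the form in the question: two files under the
# same "files" name (the input has `multiple`), one empty file slot as browsers
# send when no file was chosen, and the two text fields.
BODY = (
    _part('name="files"; filename="a.txt"', b"first file", "text/plain")
    + _part('name="files"; filename="b.bin"', b"second file", "application/octet-stream")
    + _part('name="files"; filename=""', b"", "application/octet-stream")
    + _part('name="category"', b"docs")
    + _part('name="description"', b"a <b>test</b> upload")
    + f"--{BOUNDARY}--\r\n".encode()
)


def parse_form_data(content_type: str, body: bytes):
    """Split a multipart/form-data body into (params, files).

    params maps a field name to its list of text values (every part without a
    filename); files maps a field name to a list of (filename, content type,
    bytes) for the parts that carry a filename.
    """
    # Prepend the request's Content-Type so the MIME parser knows the boundary.
    raw = b"Content-Type: " + content_type.encode() + b"\r\n\r\n" + body
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    if not msg.is_multipart():
        raise ValueError("body is not multipart")
    params: dict = {}
    files: dict = {}
    for part in msg.iter_parts():
        name = part.get_param("name", header="content-disposition")
        if name is None:
            continue  # a part without a field name cannot be addressed; skip it
        filename = part.get_filename()
        data = part.get_payload(decode=True)
        if filename is None:
            # No filename at all: an ordinary text field.
            params.setdefault(name, []).append(data.decode("utf-8"))
        elif filename == "":
            continue  # file input left empty by the user: nothing to store
        else:
            files.setdefault(name, []).append((filename, part.get_content_type(), data))
    return params, files


if __name__ == "__main__":
    params, files = parse_form_data(CONTENT_TYPE, BODY)
    print(params)
    print({k: [(f, t, len(d)) for f, t, d in v] for k, v in files.items()})
```

The split is driven entirely by the presence of a `filename` parameter in each part's Content-Disposition, which is also how a framework decides what goes into its post-parameter map and what goes to the upload handler; the text values come back decoded and unescaped, so they still need context-appropriate escaping before being written into HTML or a query.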
