For a generic form checker I want to generate html <input> fields plus internationalized error messages (and default values, ...) while using templates to define which fields are in the form.
Template example:
...
<form>
${structure: make_field('email')}
</form>
Rendered template:
...
<form>
<input type="text" name="email" ... /><span>error message</span>
</form>
Problem:
The error message for each field is specified using gettext like _('error123'). Because the html string is constructed by code I have to translate() the error message myself. Therefore I have to hand in a localizer to the form checker code which I want to avoid.
Is it possible to move the rendering completely to the template engine? Maybe with macros generated in code?
I have a web form (see dummy example below); it's printed by an agent.
When the form is submitted it's processed by an agent (LS).
I do not know how to retrieve files/attachments; that is my problem.
<form name="profile" method="POST" action=".../postAgentName?openagent">
<input name="title"/>
<input name="price"/>
...
<input type="file" name="files" multiple>
</form>
Attachments are not part of DocumentContext as far as I see, only file names. I kind of suspect files could be temporarily uploaded to Domino within the request somewhere, but really I'm not sure?
Is it possible to get attachments using LotusScript from the "files" control within an agent written in LS?
Can somebody point me in the right direction, or maybe give a tip on what I should do?
Thanks a lot.
I have built my own solution
When we select files on the client side, we convert them to base64 with JavaScript:
<form name="formName" method="post" action="agentName?openagent">
<input name="title" value="xxx">
<input type="file" name="files" multiple onchange="toBase64()">
</form>
We add the base64 strings to the form just like normal fields so they will be submitted to the endpoint (agent):
var reader = new FileReader(); // reader.readAsDataURL(file) yields a data: URL whose payload is the base64 content
The agent will get the base64 value and convert it back to a file (using LS or Java/LS2J):
' stream holds the base64 text the browser posted in the form field
Call stream.WriteText(base64File)
' store it as MIME content; ENC_BASE64 declares how the text in the stream is encoded
Call item.SetContentFromText(stream, contentType, ENC_BASE64)
See details here (could not format properly here):
https://dpastov.blogspot.com/2021/01/how-to-post-attachments-using-form-to.html
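An added example of the receiving half of this scheme, written here in Node.js rather than LotusScript and not taken from the answer or the linked blog post: it parses the data: URL string that FileReader.readAsDataURL() produces, enforces a size limit and an allow-list of content types, and checks the decoded bytes' signature against the declared type before accepting the upload, since the declared type and the payload are both chosen by whoever submits the form. The limit, the allowed types and the function names are this example's own assumptions.

```javascript
// Added example (not the original answer's code). Decodes and validates a
// base64 upload delivered as a data: URL inside an ordinary form field.
const MAX_BYTES = 5 * 1024 * 1024; // constructed limit: 5 MiB per file

// Allowed declared types and the leading bytes ("magic") each one must start with.
const MAGIC = {
  "image/png": Buffer.from([0x89, 0x50, 0x4e, 0x47]),
  "image/jpeg": Buffer.from([0xff, 0xd8, 0xff]),
  "application/pdf": Buffer.from("%PDF"),
};

// Parse "data:<type>;base64,<payload>" and return { contentType, bytes }.
// Throws on anything that is not well formed, allowed, size bounded and
// consistent with its declared type.
function decodeUpload(dataUrl) {
  const m = /^data:([\w.+-]+\/[\w.+-]+);base64,([A-Za-z0-9+/]+={0,2})$/.exec(dataUrl);
  if (!m) throw new Error("not a base64 data: URL");
  const [, contentType, payload] = m;

  if (!(contentType in MAGIC)) throw new Error("content type not allowed: " + contentType);
  if (payload.length % 4 !== 0) throw new Error("base64 payload length is not a multiple of 4");

  // 4 base64 characters encode 3 bytes: reject oversized input before decoding it.
  const approxBytes = Math.floor((payload.length * 3) / 4);
  if (approxBytes > MAX_BYTES) throw new Error("upload too large");

  const bytes = Buffer.from(payload, "base64");
  const sig = MAGIC[contentType];
  if (!bytes.subarray(0, sig.length).equals(sig)) {
    throw new Error("decoded bytes do not match declared type " + contentType);
  }
  return { contentType, bytes };
}

// Convenience wrapper: true when decodeUpload() refuses the input.
function rejects(dataUrl) {
  try {
    decodeUpload(dataUrl);
    return false;
  } catch (e) {
    return true;
  }
}

// Constructed sample: the 8-byte PNG signature, as a browser would encode it.
const SAMPLE_PNG = "data:image/png;base64,iVBORw0KGgo=";
console.log(decodeUpload(SAMPLE_PNG)); // { contentType: 'image/png', bytes: <Buffer 89 50 4e 47 0d 0a 1a 0a> }
```

The signature check is the part worth keeping even if the rest is adapted: a client can post any content type string it likes, so the server should decide what the bytes are, not the form.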
To accept files as part of form submission, you have to set the form 'enctype' attribute to handle files:
<form method="post" enctype="multipart/form-data" action="/x.nsf/x?CreateDocument" name="_fmForm">
Files attached using 'file upload control' (FUC) in Domino will be attached to the document and are accessible via attachment type embedded objects as part of the web-query-save event.
(Note: Generating your own form with a file-upload to Domino is tricky).
When I submit my Netlify form the server responds with a 200 status and I get the 'thank you' response page. However, when I check the form submission in the Netlify admin, they are all blank. I've inspected my xhr requests and the data shows in the 'params' section of the browser dev tools.
Disclaimer: I work for Netlify.
When our service stores blank submissions, it has not received any fields from the submission which were defined in the html version of the form with the same name parameter in its definition as the submission.
To start off with, it's useful to know that our service requires a plain html version of your form, with a name parameter as well as the netlify or data-netlify=true parameter; this is what prepares your site to accept form submissions at all, so you had that set up right already; if you didn't, you'd get a 404 when POSTing.
Once you have this in a deploy and we parse it correctly, you'll see the form name in your site settings dashboard on the 'Forms' tab. Note that we ALSO pull all the field names we'll save and show to you in notifications or the dashboard from this file and only this file, so make sure you give each form field a name as well, in that html file.
If you see the form in your dashboard, yet get a blank submission when you are sure data was POSTed, this probably has one of three causes:
Netlify did not correctly process your field names from the html version of your form. The service will only properly handle the fields which we see in that html version at deploy time.
Netlify does matching by field name at submission time, so make sure that what your site sends to us then matches up with your deployed html copy of the form. This happens automatically for pure html (no JS) forms since you are POSTing from the file which is the canonical "definition" of your form fields; however for javascript forms you need to take care that the names match up. Put another way, you cannot later add new fields dynamically in javascript and send them (Netlify will accept all fields, as you have seen; but will not store them or notify you about ones that were not processed at deploy time!)
One more quirk that could get in the way: having multiple copies of a form with the same name in your deploy. Only one will be processed, so if you happen to have an errant <form name=test netlify></form> in another html file (or even the same one!) - it could be the one that we process rather than the other form also named test. So, make sure that you only send a single html definition of your form. Note that some frameworks like gatsby render your jsx down into html before deploy, meaning that if you have a plain html file form definition in your deploy - it could be processed instead of the copy gatsby built.
This blog post describes a successful form built in a react app: https://www.netlify.com/blog/2017/07/20/how-to-integrate-netlifys-form-handling-in-a-react-app/
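The name-matching rule in the answer above is easy to check before a deploy. The following is an added example, not Netlify's code: it extracts the field names declared in the plain HTML definition of a form and compares them with the names a JavaScript submission actually POSTs, reporting fields that will be accepted but never stored (sent but not declared) and declared fields the client forgot to send. The sample HTML and request body are constructed for the example; the tag scan is a deliberately small regex over input/textarea/select tags, not a full HTML parser.

```javascript
// Added example (not Netlify's code): compare deployed HTML field names with a JS submission.

// Collect name="..." from input/textarea/select tags in the deployed HTML form.
function declaredFieldNames(html) {
  const names = new Set();
  const re = /<(?:input|textarea|select)\b[^>]*\sname=["']?([^"'\s>]+)/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.add(m[1]);
  return names;
}

// body is the URL-encoded string a fetch()/XHR POST sends (application/x-www-form-urlencoded).
function checkSubmission(html, body) {
  const declared = declaredFieldNames(html);
  const submitted = new Set(new URLSearchParams(body).keys());
  return {
    // sent by the client but absent from the HTML definition: accepted, then silently dropped
    dropped: [...submitted].filter((n) => !declared.has(n)),
    // declared in the HTML but not sent: will show up blank in the dashboard
    missing: [...declared].filter((n) => !submitted.has(n)),
  };
}

// Constructed sample: the deployed HTML definition of a "contact" form...
const SAMPLE_HTML = `
<form name="contact" method="POST" data-netlify="true">
  <input type="hidden" name="form-name" value="contact">
  <input type="text" name="name">
  <input type="email" name="email">
  <textarea name="message"></textarea>
</form>`;

// ...and a JS submission that renamed the message field to "msg".
const SAMPLE_BODY = "form-name=contact&name=Ada&email=ada%40example.com&msg=hi";

console.log(checkSubmission(SAMPLE_HTML, SAMPLE_BODY)); // { dropped: [ 'msg' ], missing: [ 'message' ] }
```

Run this against the exact HTML file that ships in the deploy, because that file, not the component source, is what the service parses.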
I missed the "name" attribute in input field.
Every input in the form must have a "name" attribute. Something like <input name="email" ...> or <textarea name="message" ...> is what you need.
Don't miss the "name" attribute for both parent and child layers
<form name="contact" method="POST" data-netlify="true">
<input type="text" placeholder="name" class="box" name="name">
<input type="email" placeholder="email" class="box" name="email">
<input type="text" placeholder="project" class="box" name="project">
<textarea name="message" id="" cols="30" rows="10" class="box message" placeholder="message"></textarea>
<div class="field">
<div data-netlify-recaptcha="true"></div>
</div>
<button type="submit" class="btn"> send <i class="fas fa-paper-plane"></i> </button>
</form>
I use <div [innerHTML]="body"></div> to pass unescaped HTML to my template, and when the body I pass contains a div with an id attribute, Angular throws:
WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).
WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).
WARNING: sanitizing HTML stripped some content (see http://g.co/ng/security#xss).
See plunker.
So why does it say this? What can be dangerous about an id on a div? Could this be a bug?
A simple solution is to write a pipe like
import { Pipe, PipeTransform } from "@angular/core";
import { DomSanitizer, SafeHtml } from '@angular/platform-browser';
@Pipe({
  name: 'sanitizeHtml'
})
export class SanitizeHtmlPipe implements PipeTransform {
  constructor(private _sanitizer: DomSanitizer) {
  }
  transform(v: string): SafeHtml {
    // Marks the string as trusted HTML, so Angular skips sanitizing it: only pass content you control.
    return this._sanitizer.bypassSecurityTrustHtml(v);
  }
}
and in your html file use the pipe like
<td *ngIf="i>0" [innerHTML]="entry.attributes[i] | sanitizeHtml"></td>
It is because the id attribute is not safe.
This is not my answer but it will answer your question : https://security.stackexchange.com/questions/88973/why-do-id-attributes-need-stricter-validation
For id and name, these attributes are frequently used as reference points in the DOM.
If an attacker can spoof these reference points, she may be able to trick existing scripts into getting and setting values from places other than designed, which may be dangerous depending on the context in which it is used.
Note from me: The rest of his post talks about the name attribute, but you'll get the idea behind all this if you don't already by what's above
This also applies to HTML forms where name is used to identify the name/value pair. For example, suppose a website does not encode a particular form field when it is output; since the form field is server generated and the form is protected against CSRF by the use of tokens, it cannot be exploited by normal means. However, an attacker may be able to entice a user to visit a URL with a parameter that is used in name, containing an XSS payload to execute on submission of the form.
e.g. Normal use:
https://example.com/product?item_name=watch&qty=1
which renders a form
<form>
<input type="hidden" name="watch" value="1" />
<input type="hidden" name="shop_name" value="Bob's Supplies" />
<input type="hidden" name="anti-csrf" value="asdjasodhoai" />
<input type="submit" value="Click here to buy" />
</form>
And then gets output as
Thank you for buying from Bob's Supplies.
However, an attacker could send a link to the user like so:
https://example.com/product?item_name=shop_name&qty=<script>alert('xss')</script>
As the application is correctly HTML encoding at this point it renders the form as
<form>
<input type="hidden" name="shop_name" value="<script>alert('xss')</script>" />
<input type="hidden" name="shop_name" value="Bob's Supplies" />
<input type="hidden" name="anti-csrf" value="asdjasodhoai" />
<input type="submit" value="Click here to buy" />
</form>
This then gets output as
Thank you for buying from <script>alert('xss')</script>.
since this page doesn't HTML encode the shop_name parameter because it is trusted and the application framework always takes the first value in case of duplicates. Very contrived, but it was the first thing that fell into my head to demonstrate the point.
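The quoted scenario rests on two server-side habits: taking the first value when a field name is duplicated, and echoing a "trusted" server-generated field without encoding it. The following is an added example, not code from the quoted post or from Angular, showing the defensive counterpart in Node.js: a form-body parser that refuses a single-valued field that arrives more than once (and flags fields it was not expecting), and an output step that HTML-encodes every value regardless of where it came from. The function names and the constructed request bodies are this example's own.

```javascript
// Added example (not from the quoted post): strict form-field handling for the
// duplicate-name and unencoded-output problems described above.

// Parse a URL-encoded body, requiring each expected field to appear exactly once.
// Returns { ok, fields, errors } instead of silently taking the first or last value.
function parseSingleValuedParams(body, expected) {
  const params = new URLSearchParams(body);
  const fields = {};
  const errors = [];
  for (const name of expected) {
    const values = params.getAll(name);
    if (values.length === 0) errors.push(`${name}: missing`);
    else if (values.length > 1) errors.push(`${name}: duplicated (${values.length} values)`);
    else fields[name] = values[0];
  }
  // Anything not in the expected list is reported rather than quietly accepted.
  for (const name of new Set(params.keys())) {
    if (!expected.includes(name)) errors.push(`${name}: unexpected field`);
  }
  return { ok: errors.length === 0, fields, errors };
}

// Encode for an HTML text context. Applied to every value, including ones the
// server generated itself, so a spoofed "trusted" field cannot become markup.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, "&amp;")
    .replace(/</g, "&lt;")
    .replace(/>/g, "&gt;")
    .replace(/"/g, "&quot;")
    .replace(/'/g, "&#39;");
}

function renderThankYou(fields) {
  return `Thank you for buying from ${escapeHtml(fields.shop_name)}.`;
}

// Constructed sample bodies: one clean, one with shop_name sent twice.
const EXPECTED = ["shop_name", "anti-csrf"];
const CLEAN_BODY = "shop_name=Bobs+Supplies&anti-csrf=tok";
const DUPLICATED_BODY = "shop_name=Other&shop_name=Bobs+Supplies&anti-csrf=tok";

console.log(parseSingleValuedParams(CLEAN_BODY, EXPECTED));      // ok: true
console.log(parseSingleValuedParams(DUPLICATED_BODY, EXPECTED)); // ok: false, "shop_name: duplicated (2 values)"
```

Rejecting the whole request on a duplicate is deliberate: for a field that legitimately has one value, receiving two is never a normal client, so there is no "right" one to pick.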
To mark a value as trusted, inject DomSanitizer and call one of the following methods:
bypassSecurityTrustHtml
bypassSecurityTrustScript
bypassSecurityTrustStyle
bypassSecurityTrustUrl
bypassSecurityTrustResourceUrl
import { DomSanitizer } from '@angular/platform-browser';
public sanitizer: DomSanitizer
[innerHtml]="sanitizer.bypassSecurityTrustHtml(content)"
https://angular.io/guide/security#xss
You can also use the NgDompurify library. It can sanitize your content better thanks to DOMPurify and solves all your problems with Angular's default sanitizer.
I have an input form like this:
<form name="userForm">
<md-input-container>
<label>Username</label>
<input name="username" ng-model="userLogin.username" required>
<div ng-messages="userLogin.username.$error" ng-show="userLogin.username.$dirty">
<div ng-message="required">This is required!</div>
</div>
</md-input-container>
</form>
<div layout="row" layout-align="center">
<md-button class="md-raised md-primary md-padding button-margin" ng-click="handleLoginResult()" ng-disabled="!userForm.$valid">Login</md-button>
</div>
The problem is that until I write something in the input field (= user interaction), the userLogin.username variable doesn't appear in the $scope (I'm using AngularJS' addon for the Chrome dev console).
Indeed, if I try to print it I get an error (userLogin is not defined >> username can't be read).
Any clue?
Typically, in an AngularJS controller, if you do not create the property implicitly on the $scope object it will not be defined until a bound element attempts to update it. This is just the nature of how AngularJS works and the nature of dynamic Javascript. Is there a reason you need to get to the property if it isn't defined yet? From your question I am assuming that you were just prodding it with the console. If you really need to use it in a function before it is defined use the OR logical operator in Javascript represented by two pipe characters:
$scope.userLogin || '';
I have a multipart data form with mixed type input fields. Something like this:
<form method="post" enctype="multipart/form-data" action="/files/upload">
<input name="files" type="file" multiple />
<input name="category" type="text" />
<input name="description" type="text" />
<input type="submit" value="Submit"/>
</form>
This should be pretty common as you'd want to supply some other data along with the actual file upload: group, description etc.
So since this is multipart form data, the usual "getPostParams" is out of the question.
If I handle it normal way with "handleMultipart", it does not even pick up the text fields.
Processing the above form with "handleMultipart" returns me a list with one part instead of three, which means it ignores the text input fields.
Any idea how to deal with it? How would I process the above form?
According to my research, if you mix fields in a multipart form you get an mime encoded message which should still contain all the fields.
Anything in the form that is not a file should be put into rqParams/rqPostParams. If they are not there, then you should submit a bug report. Try to be as detailed as possible.
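To show what the answer means by "a mime encoded message which should still contain all the fields", here is an added example in Node.js that is not the framework's handleMultipart and not code from either post: a minimal multipart/form-data parser run over a constructed request body for the form in the question. Text inputs arrive as parts with a name but no filename, file inputs as parts with a filename and a Content-Type, and the parser separates the two; it also strips any directory component from the client-supplied filename, since that value is attacker-controlled. The boundary, body and function names are constructed for the example.

```javascript
// Added example (not the framework's code): parse a mixed multipart/form-data body.

// Split a multipart body into parts: { name, filename, safeName, contentType, content }.
// Throws on malformed parts instead of guessing.
function parseMultipart(body, boundary) {
  const delimiter = `--${boundary}`;
  const parts = [];
  const chunks = body.split(delimiter);
  // chunks[0] is the preamble; the chunk after the closing "--boundary--" starts with "--".
  for (const chunk of chunks.slice(1)) {
    if (chunk.startsWith("--")) break; // closing delimiter reached
    const raw = chunk.replace(/^\r\n/, "").replace(/\r\n$/, "");
    const sep = raw.indexOf("\r\n\r\n");
    if (sep < 0) throw new Error("malformed part: no blank line between headers and content");
    const headerBlock = raw.slice(0, sep);
    const content = raw.slice(sep + 4);

    const headers = {};
    for (const line of headerBlock.split("\r\n")) {
      const i = line.indexOf(":");
      if (i < 0) throw new Error("malformed header line: " + line);
      headers[line.slice(0, i).trim().toLowerCase()] = line.slice(i + 1).trim();
    }

    const disp = headers["content-disposition"] || "";
    const nameMatch = /;\s*name="([^"]*)"/.exec(disp);
    const fileMatch = /;\s*filename="([^"]*)"/.exec(disp);
    if (!nameMatch) throw new Error("part without a field name");
    const filename = fileMatch ? fileMatch[1] : undefined;
    parts.push({
      name: nameMatch[1],
      filename,
      // never trust a client path: keep only the final component for storage
      safeName: filename === undefined ? undefined : filename.replace(/^.*[\\/]/, ""),
      contentType: headers["content-type"],
      content,
    });
  }
  return parts;
}

// A text field is a part without a filename; everything else is a file.
function splitFields(parts) {
  const fields = {};
  const files = [];
  for (const p of parts) {
    if (p.filename === undefined) fields[p.name] = p.content;
    else files.push(p);
  }
  return { fields, files };
}

// Constructed sample body for the form in the question: two text fields and one file.
const BOUNDARY = "----ExampleBoundary7MA4YWxk";
const SAMPLE_BODY = [
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="category"',
  "",
  "reports",
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="description"',
  "",
  "Q3 summary",
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="files"; filename="../notes.txt"',
  "Content-Type: text/plain",
  "",
  "hello multipart",
  `--${BOUNDARY}--`,
  "",
].join("\r\n");

console.log(splitFields(parseMultipart(SAMPLE_BODY, BOUNDARY)));
// fields: { category: 'reports', description: 'Q3 summary' }, files: [ { name: 'files', safeName: 'notes.txt', ... } ]
```

In a real server the boundary comes from the request's Content-Type header and the body should be read as bytes with a size cap; the parser above works on a string only to keep the structure of the message visible.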