I've created a web form for search operation in one of my projects, and the HTML is pretty simple:
<form action='/search' method="post">
<input type="text" id='search-term' name='search-term' />
<input type="submit" id='start-search' alt='' value="" />
</form>
So, when user types Unicode search term and hits Enter, an HTTP Get request would be sent to the server with this URL:
http://www.example.com/search?search-term=مثال
This, in server would be:
http://www.example.com/search?search-term=%D9%85%D8%AB%D8%A7%D9%84
and I'm able to retrieve the decoded value of the search-term query string using HttpContext.Current.Server.UrlDecode("%D9%85%D8%AB%D8%A7%D9%84") which returns مثال to me. Till here everything works fine and I have no problem.
However, if somebody type the aforementioned address directly in IE9, and hit Enter, then what I get at server is:
http://www.example.com/search?search-term=????
What's wrong here?
Update: We checked the traffic via Fiddler, and you can see the result in following pictures:
HTTP Get headers, captured by Fiddler, requested with Firefox
HTTP Get headers, captured by Fiddler, requested with IE
IE does not know what charset you want to use when typing the URL manually, so it has to use a default charset. ? characters occur when Unicode characters are converted to an Ansi charset that does not support those Unicode characters. When submitting a webform instead, IE uses the charset of the webform, which can be specified by the <form> tag itself, in <meta> tags within the HTML document, or the HTTP Content-Type header, so there is less chance that IE has to guess the correct charset to use.
Related
I have a simple form of this type
<form name="keywords" action="www.mydomain.com:6161/articles" method="post">
<input type="text" name="keyword" />
<input type="submit" name="submit" value="Submit" />
</form>
The Express 4 routes for handling the form post, is as follows
app.post('/articles', routes.article.keyword);
The actual route file has the following
exports.keyword = function(req,res,next){
res.send(req.body.keyword);
};
Based on the above circumstances, when I post the form in the browser, I see a page “The address wasn’t understood”.
But, if I use relative URL in the form action i.e.,
It works perfect. Why so?
Because in reality, I sometimes may have to post data to a different domain or URL altogether.
I will post my comment as an answer as it helped.
In order for the action to work, you need to either specify full url, that include schema:
<form name="keywords" action="http://www.example.com/articles" method="post">
Or you can just use a relative url:
<form name="keywords" action="/articles" method="post">
a relative path is one not starting with a / (forward-slash)... generally, this will attempt to load from the current url's base dir (you can set this in html, though the browsers default to the 'dirname' of the url (e.g. 'img/something.gif' on a page at '/some/path/index.html' will fetch it from /some/path/img/something.gif').
an absolute path is one starting with a /. it will be loaded using the same schema, host and optionally, port,user, etc (full url syntax: scheme:[//[user:password#]host[:port]][/]path[?query][#fragment]... read more here: https://en.wikipedia.org/wiki/Uniform_Resource_Locator).
a full url is one starting with a schema (http/https/ftp,etc...)... however (this comes in handy): if you're going to be using the same schema (which keeps your site's security score high), you can skip it, along with the colon.
e.g.: while viewing a site from 'https://blah.net', and attempting to load a resource from google (analytics maybe), you can reference it as:
'//google.com/path/to/whatever'
this will use https if the page was loaded over https, or http if not... keeps you from having to determine the scheme that was used when rendering the page.
I'm trying to send an email, with HTML content that includes an image tag,
for example:
<img ng-src="data:image/gif;base64,iVBORw0KGgoAAAANSUhEU...gAAASwAAAAmCC" />
unfortunately none of the mail client i'm using support this kind of "src" on image tag.
tried to Google it, it seems as known issue, but none of the answers was good for me.
by the way, i'm using AngularJS to bind the model to the html content, then pass it as an html string
to the WebApi controller, and then send it with an Smtp client.
Hope someone can help me solved this somehow,
Thanks,
Nadav S.
Yes, that is correct. Most clients do not support the "data:" url and even if they do, the size of the binary you can embed is very limited. Barely enough for a thumbnail, not enough for a real picture.
The correct way to do this is with mime multipart/related and the "cid:" url. Then one part contains the HTML and the other part contains the base64 encoded picture. The image part contains a header with a field called "Content-ID". The value is any unique string surrounded by <>. For example:
Content-ID: <xxxyyy>
In your HTML you use the following code:
<img src="cid:xxxyyy"/>
See rfc-2392 for the full specification.
I'm trying to create my first chrome extension. Basically I have a simple html page and some javascript that im using to allow users to enter some data, the script will format it correctly and then output it:
<form>
MAC ADDRESS: <input type="text" id="mac" name="macAddress" maxlength="17" >
<button onclick="convert(); return false;">Convert</button>
</form>
Javascript:
function convert() {
var mac = document.getElementById('mac').value; //get string
var mac2 = mac.replace(/\:|-/g,""); //remove colons and dashes
//
//add fullstops after every 4th character, appart from last character.
//
mac2 = mac2.replace(/(.{4})(?!$)/g , '$1.');
//output string
document.getElementById("outputDiv").innerHTML= mac2;
};
My problem is that while this works fine as a normal web page, the get method, to the same page, is not working when I tried to implement it as an extension.
I've followed the tutorials on google's site and the extension is showing up but it doesn't seem to be able to handle get requests. I've tried modifying the manifest file using different suggestions I found on here but still no success.
Theres nothing in the console when I try to debug it (something briefly flickers up when I submit the get request but it doesn't stay up long enough to see what the issue is).
I'd really appreciate it if someone could point me in the right direction with this!
Due to the Content Security Policy applied to extensions:
Inline JavaScript will not be executed. This restriction bans both inline blocks and inline event handlers (e.g. ).
[...]
The inline event handler definitions must be rewritten in terms of addEventListener and extracted into popup.js.
For more info atake a look at the docs.
I am using JBoss AS 7. I created a Facelets page which is bound to a managed bean. I have JSF input text field in my page. If I write some special characters in input text field and submit the page, then it send a request to server. But special characters are already converted to some other characters. I added UTF-8 support tag in Facelets page, but I am still not getting UTF-8 data on server side. Do I need to add some settings on JBoss server so that it can accept UTF-8 data?
i Added a simple Text field
<h:inputText value="#{myBean.value}" />
and wrote text like this
"“ ©” ‘with special character’ — » É €"
i added a breakpoint on server and examined the value and i am getting something like this
â éâ âÂÂwith special characterâ â û àâ¬
I don't know how to get actual value on the server side
Using Microsoft's AntiXssLibrary, how do you handle input that needs to be edited later?
For example:
User enters:
<i>title</i>
Saved to the database as:
<i>title</i>
On an edit page, in a text box it displays something like:
<i>title</i> because I've encoded it before displaying in the text box.
User doesn't like that.
Is it ok not to encode when writing to an input control?
Update:
I'm still trying to figure this out. The answers below seem to say to decode the string before displaying, but wouldn't that allow for XSS attacks?
The one user who said that decoding the string in an input field value is ok was downvoted.
Looks like you're encoding it more than once. In ASP.NET, using Microsoft's AntiXss Library you can use the HtmlAttributeEncode method to encode untrusted input:
<input type="text" value="<%= AntiXss.HtmlAttributeEncode("<i>title</i>") %>" />
This results in
<input type="text" value="<i>title</i>" /> in the rendered page's markup and is correctly displayed as <i>title</i> in the input box.
Your problem appears to be double-encoding; the HTML needs to be escaped once (so it can be inserted into the HTML on the page without issue), but twice leads to the encoded version appearing literally.
You can call HTTPUtility.HTMLDecode(MyString) to get the text back to the unencoded form.
If you are allowing users to enter HTML that will then be rendered on the site, you need to do more than just Encode and Decode it.
Using AntiXss prevents attacks by converting script and markup to text. It does not do anything to "clean" markup that will be rendered directly. You're going to have to manually remove script tags, etc. from the user's input to be fully protected in that scenario.
You'll need to strip out script tags as well as JavaScript attributes on legal elements. For example, an attacker could inject malicious code into the onclick or onmouseover attributes.
Yes, the code inside input boxes is safe from scripting attacks and does not need to be encoded.