Can hackers spoof or inject form fields? - sql-server

I was going through my app trying to secure it as much as I can and it got me thinking. I always validate my user's input and I always scrub the input, so for example if I have a "birthday" field, I make sure it's a valid date before putting it into the database. But I also have fields in my database like "passwordresettoken", and I have my code generate this field if the user requests it.
Now on my normal user profile page, I obviously have no field called "passwordresettoken", so I don't validate or scrub it, because it should not exist in the form that will be passed. In fact, it should never be passed, since it's not something the user would ever input.
So my question is, is it possible to spoof input fields? Could they edit the HTML on my page to include a passwordresettoken field and then do some damage when the form is passed?

Yes absolutely. I don't even have to look at your HTML. I can submit directly using curl.
http://curl.haxx.se/docs/httpscripting.html
This HTML
<form method="POST" action="junk.cgi">
<input type=text name="birthyear">
<input type=submit name=press value=" OK ">
</form>
Is equivalent to this curl request
curl --data "birthyear=1905&press=%20OK%20" http://www.example.com/junk.cgi
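
An added example, not part of the original answer: one way to keep a posted `passwordresettoken` from ever reaching the database is to build the UPDATE only from an allowlist of fields the profile form may set. The `users` table, the `displayname` column, the function names and the use of SQLite in place of SQL Server are assumptions made so the sketch runs on its own.

```python
import sqlite3
from datetime import date
from urllib.parse import parse_qs

def _birthday(v):
    return date.fromisoformat(v).isoformat()   # raises ValueError if not a date

# Fields the profile form may set, each with its validator (names assumed).
PROFILE_FIELDS = {"birthday": _birthday, "displayname": lambda v: v.strip()[:50]}

def update_profile(db, user_id, raw_body):
    """Apply a urlencoded POST body to users, ignoring unknown fields.

    Returns (applied, rejected) lists of field names.
    """
    posted = {k: v[-1] for k, v in parse_qs(raw_body, keep_blank_values=True).items()}
    applied, rejected, values = [], [], []
    for name in sorted(posted):
        validator = PROFILE_FIELDS.get(name)
        if validator is None:
            rejected.append(name)      # never reaches the SQL statement
            continue
        values.append(validator(posted[name]))
        applied.append(name)
    if applied:
        # Column names come only from PROFILE_FIELDS keys; values are bound.
        sets = ", ".join(f"{col} = ?" for col in applied)
        db.execute(f"UPDATE users SET {sets} WHERE id = ?", (*values, user_id))
    return applied, rejected

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, displayname TEXT,"
               " birthday TEXT, passwordresettoken TEXT)")
    db.execute("INSERT INTO users VALUES (1, 'alice', '1990-01-01', 'server-made')")
    # Constructed body: what a client could send with curl --data, extra field included.
    body = "birthday=1905-03-02&passwordresettoken=chosen-by-client"
    result = update_profile(db, 1, body)
    row = db.execute(
        "SELECT birthday, passwordresettoken FROM users WHERE id = 1").fetchone()
    return result, row

if __name__ == "__main__":
    print(demo())
```

The rejected list is worth logging: a profile POST that carries a field the form never renders is a useful signal that someone is submitting requests by hand.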

Related

Stop Google Autofill from overwriting fields with existing values on a react form

I have a simple form in React, which lives in a modal. If a user was to use autofill for an email field for example, it would update other fields including fields that I've already filled in. This would lead users to submitting data, not knowing that fields out of view have been updated.
I've tested this in non-React forms and Google Autofill works fine, in that it would not overwrite existing values in fields. But in React, let's say I inserted firstname = john, and then use autofill on the email... it would overwrite 'John' and use whatever is saved in Autofill.
Is anyone aware of a way around this? I'm not going to turn autocomplete off as I still want users to have the ability. Anyway, I've tried variations of autocomplete=off as suggested elsewhere, but still no result.
You can use autocomplete="off" in your input that you do not wish to autofill.
Please also make sure your input types are correct.
example: <input type="text" name="foo" placeholder="foo" autocomplete="off">
You can even do this using JS:
inputElm.setAttribute( "autocomplete", "off" );
as an example.
regards
Aaron
Try to create a hidden input right before your input and add a random number to the name of the original input where you don't want Chrome to autofill values:
<input type="text" name="" value="" readOnly={true} style={{display: "none"}}/>
<input
type="text"
name={"address " + Math.random()}
/>

Post value of md-datepicker back to server

I have been playing around with Angular and Material for a while now (coming from jQuery, it was a little bit of an effort). I do understand that it is a purely client-based thing, but what is the client without a server... in my case I have a datepicker which I want to post back to the server and have no idea how to.
So this is my datepicker:
<md-datepicker ng-model="user.birthdate" md-placeholder="Birthdate" ng-required="true">
</md-datepicker>
It's quite obvious that there is no "name" attribute which would be required to post it.
What I also tried is adding a hidden input field with the same model, but it's also empty on the server:
<input type="hidden" name="birthdate" ng-model="user.birthdate" />
So my ideas to solve it would be either to write a directive for adding the name to the actual input behind the datepicker (which will cause some issues with the date format) or read the data when submitting it to the server and somehow transfer it with the form (e.g. with the hidden field). But I cannot believe that it is so complicated because I assume that I am not the only one with this requirement - and whenever I search I only find stuff like date format issues...
Thanks in advance,
Philipp

Submit Button Value not being submitted due to Parsley

I have encountered an issue where the value of a submit button is not being submitted with the form data. This is happening because of parsley. After some more troubleshooting I have discovered that if I make use of the script parsley.js and not parsley.remote.js, the issue is not there anymore.
Note: This issue only happens in Internet Explorer and Firefox, while in Chrome everything works just fine.
Working example
Here is an example in plunkr which demonstrates that with the script - parsley.js, this issue does not happen in any of the browsers, see: http://plnkr.co/edit/0ylxasiyrlxhSrhrMaFH?p=preview
This means that if we run the above plunkr in any browser and enter anything in the text box and then click on submit, the submit button value is going to change from "undefined" to "submitBtn" as it should.
Not working example
Here is another example in plunkr which demonstrates that with the script - parsley.remote.js, there is this issue in both Firefox and Internet Explorer, while it is fine in Chrome, see: http://plnkr.co/edit/ODqZannjYFBEwppXOXiF?p=preview
This means that if we run the above plunkr in either internet explorer or firefox and enter anything in the text box and then click on submit, the submit button value is never going to change to "submitBtn" as it should, but instead it will always stay "undefined".
Has anybody ever encountered this problem or have a solution? Thanks a lot.
I'm encountering the same issue under certain circumstances using the current version of Parsley (2.2.0-rc1) which was supposed to fix this (see here: https://github.com/guillaumepotier/Parsley.js/pull/947#diff-for-comment-36081575)
It happens for me when 1) I have a form with a parsley-remote validated field, and 2) the remote validator isn't called until I've already clicked the submit button on the form.
Example -- I have a form where a user can change their username, like so:
<form id="profile-username" action="/profile" method="post" role="form" data-parsley-validate>
<input type="text" name="username" value="{{ username }}" maxlength="255" required
data-parsley-type="alphanum"
data-parsley-trigger="change"
data-parsley-remote="/api/checkuser"
data-parsley-remote-reverse="true"
data-parsley-remote-message="Username already taken"
data-parsley-type-message="Username can only contain letters A-Z and numbers 0-9" >
<input type="password" name="password" required minlength="6" maxlength="150">
<input type="submit" name="submit" value="Change Username">
</form>
If I change the value in the username field, it triggers the remote validator. Later when I click submit, the form will submit including the value of the input [type=submit] as expected.
However if I don't change the value in the username field and just submit the form as is, the remote validator is still called (after I've already clicked submit) but the form posts without a value for submit, which is not what I want.
It seems to be a timing issue... I'm thinking Parsley is doing things with the submit button behind the scenes which don't have a chance to finish in the time between the user clicking 'submit' and the browser going on to the next page.
Bottom Line: In any case it may just be safer to use an input type="hidden" to pass whatever value you need, instead of relying on the value of submit being there.

Why is my regex reverse in ng-pattern?

http://plnkr.co/edit/II4RLMviSep3zFcgtcAv?p=preview
<form name="linkform">
<input ng-model="myvar" type="url" ng-pattern="/[abcd]+/">
<p>{{myvar}}</p>
<p ng-show="linkform.$error.url">ERROR!</p>
</form>
In the example I expect it to match "abcdabcdabcd", but instead that is invalid, while "232r4t3trq" or anything other than [abcd] is valid.
I'm very confused. Basically the url validation by Angular is awful, so I was trying to make it better, but then I got stuck with weird behaviour by ng-pattern.
(hmmm I just tried watching that variable and it becomes [{}] when valid, and null when invalid.... what is going on??? #.#)
The error you display is for the key url. It thus signals that what you typed is an invalid URL, because your input is of type url. If you don't want Angular to validate your input as a URL, make it of type text.
And if you want to display ERROR when the ng-pattern validation fails, use
ng-show="linkform.$error.pattern"
Also, if you want to only accept a, b, c and d inside the field, the pattern should be /^[abcd]+$/.

Populating a JSP page with contents from client

I have a server that is hosting a JSP page. Can I populate its text boxes from my client's database?
Create a servlet which loads the data, puts it in request scope and forwards the request to the JSP. If you want to do it whenever the client opens a link/bookmark, then do it in the doGet() method. Or when you want to do it when the client submits a form, then do it in the doPost() method.
Here's an example which preloads a specific product from the DB based on request parameter:
Product product = productService.find(request.getParameter("id")); // Do your DB access job.
request.setAttribute("product", product); // It'll be available by ${product}.
request.getRequestDispatcher("/WEB-INF/product.jsp").forward(request, response); // Let JSP display it.
Map this servlet on a URL pattern of /product then you'll be able to call it by http://example.com/somecontext/product?id=123
In the JSP you just have to set the value attribute of the HTML input element to display it as value of the input element. Since this is sensitive to XSS attacks when you print it plain, as suggested in the other answer, you'd like to use JSTL fn:escapeXml() to avoid XSS attacks.
<%@ taglib prefix="fn" uri="http://java.sun.com/jsp/jstl/functions" %>
...
<input type="text" name="name" value="${fn:escapeXml(product.name)}" />
<input type="text" name="description" value="${fn:escapeXml(product.description)}" />
<input type="text" name="price" value="${fn:escapeXml(product.price)}" />
Note that scriptlets (those <% %> things) are a poor practice and don't offer instant access to request attributes (i.e. <%= product.getName() %> style as suggested in other answer won't work), nor do they offer a standard XSS escaping facility.
Can I populate its text boxes from my client's database?
Yes you can.
Steps:-
Connect to database in servlet.
Retrieve data in servlet and pass it to jsp.
Get that data from request in jsp.
Display data in jsp using scriptlet or jstl.
To populate data in a text box in JSP, use the following:
Suppose you have a User object that holds the user's information, then ...
<input type="text" value="<%= user.getName()%>" />
