We are running a separate validation process against a set of multiple Orbeon forms so that we can display a full set of validation messages to the user in one place. We want to use the XPath expressions in relevant, required, and validation expressions within the form definitions as part of this process rather than duplicating those rules.
Is there a way we can call Orbeon to get the validation messages for a form, including meta data to match those messages with controls?
Alternately, we have tried to take the expressions and process them to work with our data. In our system we are using canonical names for controls which we use to store the data from multiple forms in a single XML structure. For example if we had a form set with two forms with the following fields:
Form A
now.applicantInformation.individualOrCompany
now.applicantInformation.relationshipToCompanyOrOrganization
now.applicantInformation.areYouTheIndividualThisAuthorizationWillBeIssuedTo
now.agentInformation.agentMailingAddress.addressType
now.agentInformation.agentMailingAddress.additionalAddressInformation
Form B
now.access.presentlyGated
now.access.inspectorHasKey
Our resulting data would look similar to this:
<now>
<applicantInformation>
<individualOrCompany>Organization</individualOrCompany>
<relationshipToCompanyOrOrganization>Agent</relationshipToCompanyOrOrganization>
<areYouTheIndividualThisAuthorizationWillBeIssuedTo>N</areYouTheIndividualThisAuthorizationWillBeIssuedTo>
</applicantInformation>
<agentInformation>
<agentMailingAddress>
<addressType>Rural Route</addressType>
<additionalAddressInformation></additionalAddressInformation>
</agentMailingAddress>
</agentInformation>
<access>
<presentlyGated>Y</presentlyGated>
<inspectorHasKey>N</inspectorHasKey>
</access>
</now>
For the field now.agentInformation.agentMailingAddress.additionalAddressInformation we have this relevant xpath expression:
(
(
$now.applicantInformation.applicantInformation.individualOrCompany='Organization'
and $now.applicantInformation.applicantInformation.relationshipToCompanyOrOrganization = ('Agent','Executor_Administrator_Trustee','Friend_Neighbour','Power of Attorney','Representative','Trustee in Bankruptcy')
)
or ($now.applicantInformation.applicantInformation.areYouTheIndividualThisAuthorizationWillBeIssuedTo='N')
)
and $now.applicantInformation.agentInformation.agentMailingAddress.addressType='Rural Route'
We thought we might be able to convert this to an xpath expression that would work with our data structure, like this:
(
(
/now/applicantInformation/applicantInformation/individualOrCompany/text() = 'Organization'
and /now/applicantInformation/applicantInformation/relationshipToCompanyOrOrganization/text() = ('Agent','Executor_Administrator_Trustee','Friend_Neighbour','Power of Attorney','Representative','Trustee in Bankruptcy')
)
or (/now/applicantInformation/applicantInformation/areYouTheIndividualThisAuthorizationWillBeIssuedTo/text() = 'N')
)
and /now/applicantInformation/agentInformation/agentMailingAddress/addressType/text() = 'Rural Route'
Unfortunately when we run this xpath expression from Java we get an error from this portion of the expression:
/now/applicantInformation/applicantInformation/relationshipToCompanyOrOrganization/text() = ('Agent','Executor_Administrator_Trustee','Friend_Neighbour','Power of Attorney','Representative','Trustee in Bankruptcy')
The error is:
expected ) but found ,
It seems that the /element/text() = ('a','b','c') syntax is not supported by standard XPath. Is Orbeon able to support this by using XQuery or XForms?
We can convert this to use the OR operator but it is a bit ugly to do that:
/now/applicantInformation/applicantInformation/relationshipToCompanyOrOrganization[text() = 'Agent' or text() = 'Executor_Administrator_Trustee' or text() = 'Friend_Neighbour' or text() = 'Power of Attorney' or text() = 'Representative' or text() = 'Trustee in Bankruptcy' ]
We also have expressions that use functions such as days-from-duration. XPath has a days-from-duration function, but this appears to be different from the one used by Orbeon. An example expression is:
days-from-duration(($nda.technicalInformation.startAndEndDate.endDate) - ($nda.technicalInformation.startAndEndDate.startDate)) > 0
If you plan to run XPath expressions which run in Orbeon Forms from your own Java code, you will have to use the same XPath processor used in Orbeon Forms, and the same XPath function library. The alternative is to reinvent the wheel, and that will be very difficult.
Orbeon Forms has some abstractions for calling XPath, such as XPathCache and XPath. At this point this hasn't been designed to be used by third-party code outside of Orbeon Forms, so some work might be needed there.
Still, you could try to use that, or at the very least to use the Saxon XPath processor to get as close as possible.
Ideally, a form validation service would be offered as part of Orbeon Forms, and leverage existing validation code, but that's a new feature (see also #1357).
Related
I am writing my first Wireshark dissector. I am writing it in Lua, using this as an example. My communication protocol embeds a command ID in the response header, followed by well-defined payloads that differ based on the command ID. So far, I've been structuring the ProtoFields such that the Abbreviated name of the field (the string used in filters) follows a naming convention like this
proto_name.command_name.field_name
Some commands have similar fields, like in the following example
myproto.cmd_update.updateId
myproto.cmd_update_ack.updateId
where, per the protocol, an update command must be acknowledged with an update_ack command with the same updateId payload. Ideally, I would like to create a Wireshark filter such that I can see all packets pertaining to the updateId field. I tried creating a filter like
myproto.*.updateId == 0x1234
but that appears to be invalid Wireshark filter syntax. I don't want to make the filter explicit like
myproto.cmd_update.updateId == 0x1234 or myproto.cmd_update_ack.updateId == 0x1234
because in my actual protocol there are many more commands with similar/related fields. Is there a filter syntax I can use? Or perhaps, should I structure my dissector's ProtoField abbreviations differently?
There doesn't appear to be a wildcard syntax for the filter line, so I wound up solving this in the dissector itself. In addition to the myproto.*.updateId fields, I also added another field called myproto.updateId (note the lack of the wildcard in the middle). Its value is set to the same thing as the full blown field name, which means that I now have just one field name to search against. I also set this field as hidden = true to hide it from view.
It's a bit of a hack, but gives me what I want.
You could try using a Wireshark display filter macro.
I am interested in the possibility of providing a set of validation rules for user input values.
So for example a textbox called 'Today' might require a rule that looks something like
IsADate() and (Value >= Date())
My problem is that nobody can tell me what rules are needed. In order to deliver a solution I need users to be able to decide for themselves what rules they want.
It occurred to me I could create a database table containing a separate field for each input - each field having a user-definable check constraint and data type, but this is too limiting (in terms of how many rules I can define)
I could allow the users a UI which would effectively allow them to provide a where clause which then executes a select count(*) from dual where <plugin logic>
And then I started to think I am just database-obsessed.
Any thoughts?
I did something similar using application code and business logic. If you create a token parser based on some of your common business objects that you can load and evaluate for various views or forms then you can start to create a collection of custom variables.
#Date.CurrentDate
#Date.LastQuarter
#Customer.LastInvoiceNumber
#Customer.ZipCode
#Customer.MaxNumberOfOrderItems
If you expose your tokens in a list of rules for a particular field, you can build a custom component that will let users build expressions like:
Value [ Greater Than ] [ #Customer.LastOrderNumber ] [ AND ]
Value [ Starts With ] [ #Customer.CustomerID ]
In my opinion this would be more flexible than using sql for validation.
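A sketch of the token-and-operator approach described in the answer above, as an added example that is not the answerer's code: rules are stored as data and evaluated against a fixed operator table, so nothing a user types is executed as SQL or code. The operator names, token values and rule layout are assumptions made for illustration.

```python
import operator
from datetime import date

# Fixed operator table: users choose a name from it, they never supply code.
OPERATORS = {
    "Greater Than": operator.gt,
    "Greater Or Equal": operator.ge,
    "Equals": operator.eq,
    "Starts With": lambda value, arg: str(value).startswith(str(arg)),
}

# Constructed sample tokens; a real system would load these from business objects.
# Order numbers are fixed-width strings here, so text comparison orders them.
TOKENS = {
    "#Date.CurrentDate": date(2024, 1, 15),
    "#Customer.CustomerID": "C42",
    "#Customer.LastOrderNumber": "C42-1000",
}

def resolve(operand, tokens):
    """Look up a '#Token' in the token table; anything else is a plain literal."""
    if isinstance(operand, str) and operand.startswith("#"):
        if operand not in tokens:
            raise ValueError(f"unknown token: {operand}")
        return tokens[operand]
    return operand

def evaluate(rules, value, tokens=TOKENS):
    """Evaluate [(operator name, operand, connector)] left to right.

    connector joins a rule to the next one and is 'AND', 'OR', or None on the
    last rule. Unknown operators, tokens or connectors are rejected outright.
    """
    result, joiner = True, "AND"
    for op_name, operand, next_joiner in rules:
        if op_name not in OPERATORS:
            raise ValueError(f"operator not allowed: {op_name}")
        if joiner not in ("AND", "OR"):
            raise ValueError(f"connector not allowed: {joiner!r}")
        try:
            outcome = bool(OPERATORS[op_name](value, resolve(operand, tokens)))
        except TypeError:
            outcome = False  # e.g. text compared with a date: the rule fails
        result = (result and outcome) if joiner == "AND" else (result or outcome)
        joiner = next_joiner
    return result

# The two-part rule from the answer, and the 'Today' rule from the question.
ORDER_RULE = [("Greater Than", "#Customer.LastOrderNumber", "AND"),
              ("Starts With", "#Customer.CustomerID", None)]
TODAY_RULE = [("Greater Or Equal", "#Date.CurrentDate", None)]
```

A value such as "1 OR 1=1" is only ever compared as data, which is the difference from pasting user text into a where clause.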
If users have limited knowledge of Delphi / Pascal syntax, a quick solution is to let them create the validation as a Pascal function, and use TJvInterpreter from the JCL library.
Easy to use, simple to implement, that's a good workaround!
Reference:
http://jvcl.delphi-jedi.org/JvInterpreter.htm
I have two questions regarding Fortify.
1 - Let's say I have a Windows Forms app, which asks for a username and password, and the name of the textbox for password is texboxPassword. So in the designer file, you have the following, generated by the designer.
//
// texboxPassword
//
this.texboxPassword.Location = new System.Drawing.Point(16, 163);
this.texboxPassword.Name = "texboxPassword";
this.texboxPassword.Size = new System.Drawing.Size(200, 73);
this.texboxPassword.TabIndex = 3;
Fortify marks this as a password in comment issue. How can I suppress this by creating a custom rule? I don't want to suppress the whole issue because I still would like to catch certain patterns (such as password followed by = or : in comments) but the blanket search where any line that contains password is flagged is creating so many false positives. I looked into creating a structural rule but could not figure out how to remove the associated tag (where can I find the tag for password in comment anyways?)
2 - Let's say I have a custom UI control. This control html encodes everything and in my context, it is good enough to avoid XSS. Needless to say, it is being flagged by Fortify. How can I suppress XSS when I have a certain control type in my UI and all of its methods are safe for XSS (they sanitize) in my context? I have tried a DataflowCleanseRule (with a label just to test the concept) and wanted to mark get_Text() and set_Text() as sanitizer functions, but it did not make a difference and Fortify still flagged it for XSS.
<DataflowCleanseRule formatVersion="3.16" language="dotnet">
<RuleID>0D495522-BA81-440E-B191-48A67D9092BE</RuleID>
<TaintFlags>+VALIDATED_CROSS_SITE_SCRIPTING_REFLECTED,+VALIDATED_CROSS_SITE_SCRIPTING_PERSISTENT,+VALIDATED_CROSS_SITE_SCRIPTING_DOM,+VALIDATED_CROSS_SITE_SCRIPTING_POOR_VALIDATION</TaintFlags>
<FunctionIdentifier>
<NamespaceName>
<Pattern>System.Web.UI.WebControls</Pattern>
</NamespaceName>
<ClassName>
<Pattern>Label</Pattern>
</ClassName>
<FunctionName>
<Pattern>_Text</Pattern>
</FunctionName>
<ApplyTo implements="true" overrides="true" extends="true"/>
</FunctionIdentifier>
<OutArguments>return</OutArguments>
</DataflowCleanseRule>
Thank you in advance for your help
This is parsed using regular expressions. Unless you think you are able to create a regular expression that can parse human language properly, I would leave it alone and just audit it as not an issue.
The Pattern tag uses a Java regular expression in the body, so should be used as user2867433 suggested. However, you stated
This control html encodes everything and in my context, it is good enough to avoid XSS
If you are going to use a custom rule, this has to assume that it will work in EVERY context, as say in the future somebody writes a piece of code that uses get_Text and then places this directly into a piece of JavaScript, HTML encoding will do NOTHING to stop the XSS problem here. I would advise again to audit this as not an issue or a false positive due to the validation used and explain why it's good enough in that context.
Within "Pattern" you can use Java-Regex. So it should work if you use [gs]et_Text
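The context point made in the answers above (an HTML-encoded value later placed into JavaScript), as an added example that is not from the original posts and uses Python rather than .NET for illustration. It simulates the browser HTML-decoding an onclick attribute before running it; the greet() handler and the sample value are assumptions.

```python
import html
import json

def html_encode(value):
    """What an HTML-encoding control does: correct for element text and quoted attributes."""
    return html.escape(value, quote=True)

def js_string_encode(value):
    """Encode for the inside of a JavaScript string literal.

    json.dumps escapes quotes, backslashes and control characters; the
    characters that are also significant to HTML are then hex-escaped.
    """
    body = json.dumps(value)[1:-1]          # drop the surrounding double quotes
    for ch in "<>&'":
        body = body.replace(ch, "\\u%04x" % ord(ch))
    return body

def js_seen_by_browser(encoded_arg):
    """Place the value in onclick="greet('...')" and return the script the
    browser runs: it HTML-decodes the attribute before handing it to JavaScript."""
    attribute_value = "greet('%s')" % encoded_arg
    return html.unescape(attribute_value)

def literal_is_intact(js):
    """True when js is exactly greet('<one string literal>')."""
    prefix = "greet('"
    if not js.startswith(prefix):
        return False
    i = len(prefix)
    while i < len(js):
        if js[i] == "\\":       # escape sequence: skip the escaped character
            i += 2
        elif js[i] == "'":      # first unescaped quote must close the call
            return js[i:] == "')"
        else:
            i += 1
    return False

NAME = "O'Brien"   # constructed input: an ordinary value containing a quote

def compare(value=NAME):
    """Return (html_only_intact, js_then_html_intact) for the onclick context."""
    html_only = js_seen_by_browser(html_encode(value))
    layered = js_seen_by_browser(html_encode(js_string_encode(value)))
    return literal_is_intact(html_only), literal_is_intact(layered)
```

With HTML encoding alone the quote comes back after attribute decoding and ends the string early; encoding for the JavaScript string first and for HTML second keeps the literal whole, which is why a cleanse rule that marks the control as safe everywhere overstates what it does.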
Is there a way in Orbeon to save TextAreas and RTEs as CDATA sections so that line breaks and other formatting inputted by the user is preserved? In some use cases it's really important not to change what the user has entered and I haven't found a way to accomplish this to date.
Thanks!
In general, formatting and line breaks should be preserved by default. If the input is modified, there are three possible "culprits": the RTE component itself, Tagsoup, and clean-html.xsl. There are certain limitations regarding the RTE component (AFAIK Orbeon still uses YUI 2), for example it doesn't handle p elements correctly. Tagsoup and clean-html.xsl should let through most of the standard html elements, but they filter, for example, the canvas element. More on Orbeon's RTE element:
http://wiki.orbeon.com/forms/doc/developer-guide/xforms-controls/textarea-control#TOC-Rich-text-editor-HTML-editor-
So, if the content that arrives at your xforms instance is modified, you will need to debug each of the processing steps to check where the modification took place.
If it's a matter of the RTE component, you could try to check if the TinyMCE XBL component works better for you (it uses TinyMCE instead of the YUI2 RTE - I posted it some months ago in the ops-users ML). If it's a Tagsoup matter, you will have to patch the source code (change the Tagsoup config); there's also a workaround to configure Tagsoup using an external config file (it should be available in the ML archives, too). If it's a clean-html.xsl issue, you can easily create your own clean-html.xsl; it's described in the wiki page (see above). HTH fs
When creating tests for .Net applications, I can use the White library to find all elements of a given type. I can then write these elements to an Xml file, so they can be referenced and used for GUI tests. This is much faster than manually recording each individual element's info, so I would like to do the same for web applications using Selenium. I haven't been able to find any info on this yet.
I would like to be able to search for every element of a given type and save its information (location/XPath, value, and label) so I can write it to a text file later.
Here is the ideal workflow I'm trying to get to:
navigate_to_page(http://loginscreen.com)
log_in
open_account
button_elements = grab_elements_of_type(button) # this will return an array of XPaths and Names/IDs/whatever - some way of identifying each grabbed element
That code can run once, and I can then re-run it should any elements get changed, added, or removed.
I can then have another custom function iterate through the array, saving the info in a format I can use later easily; in this case, a Ruby class containing a list of constants:
LOGIN_BUTTON = "//div[1]/loginbutton"
EXIT_BUTTON = "//div[2]/exitbutton"
I can then write tests that look like this:
log_in # this will use the info that was automatically grabbed beforehand
current_screen.should == "Profile page"
Right now, every time I want to interact with a new element, I have to manually go to the page, select it, open it with XPather, and copy the XPath to whatever file I want my code to look at. This takes up a lot of time that could otherwise be spent writing code.
Ultimately what you're looking for is extracting the information you've recorded in your test into a reusable component.
Record your tests in Firefox using the Selenium IDE plugin.
Export your recorded test into a .cs file (assuming .NET as you mentioned White, but Ruby export options are also available)
Extract the XPath / CSS Ids and encapsulate them into a reusable classes and use the PageObject pattern to represent each page.
Using the above technique, you only need to update your PageObject with updated locators instead of re-recording your tests.
Update:
You want to automate the record portion? Sounds awkward. Maybe you want to extract all the hyperlinks off a particular page and perform the same action on them?
You should use Selenium's object model to script against the DOM.
// requires: using OpenQA.Selenium; using OpenQA.Selenium.Firefox;
//           using System.Collections.ObjectModel;
[Test]
public void GetAllHyperLinks()
{
    IWebDriver driver = new FirefoxDriver();
    driver.Navigate().GoToUrl("http://youwebsite");
    ReadOnlyCollection<IWebElement> query
        = driver.FindElements( By.XPath("//yourxpath") );
    // iterate through collection and access whatever you want
    // save it to a file, update a database, etc...
}
Update 2:
Ok, so I understand your concerns now. You're looking to get the locators out of a web page for future reference. The challenge is in constructing the locator!
There are going to be some challenges with constructing your locators, especially if there is more than one instance, but you should be able to get far enough using CSS-based locators, which Selenium supports.
For example, you could find all hyperlinks using an xpath "//a", and then use Selenium to construct a CSS locator. You may have to customize the locator to suit your needs, but an example locator might be using the css class and text value of the hyperlink.
//a[contains(@class,'adminLink')][.='Edit']
// selenium 2.0 syntax
[Test]
public void GetAllHyperLinks()
{
    IWebDriver driver = new FirefoxDriver();
    driver.Navigate().GoToUrl("http://youwebsite");
    ReadOnlyCollection<IWebElement> query
        = driver.FindElements( By.XPath("//a") );
    foreach(IWebElement hyperLink in query)
    {
        // XPath addresses attributes with '@'; '.' is the element's text value
        string locatorFormat = "//a[contains(@class,'{0}')][.='{1}']";
        string locator = String.Format(locatorFormat,
            hyperLink.GetAttribute("class"),
            hyperLink.Text);
        // spit out the locator for reference.
    }
}
You're still going to need to associate the Locator to your code file, but this should at least get you started by extracting the locators for future use.
Here's an example of crawling links using Selenium 1.0 http://devio.wordpress.com/2008/10/24/crawling-all-links-with-selenium-and-nunit/
Selenium runs on the browser side; even if you can grab all the elements, there is no way to save them in a file. As far as I know, Selenium is not designed for that kind of work.
You need to get the entire source of the page? If so, try the GetHtmlSource method
http://release.seleniumhq.org/selenium-remote-control/0.9.0/doc/dotnet/html/Selenium.DefaultSelenium.GetHtmlSource.html