Is it possible to specify a global default timeout for CSRF form elements in Zend 2?
Otherwise I have to specify a timeout option for each CSRF element.
P.S.: What's the value of the current default timeout?
From the source code of Zend\Validator\Csrf, the default timeout of Csrf element in Zend Framework 2 is set to 300:
protected $timeout = 300; //line 70
If you want to set the same time out for all Csrf elements in your forms, you could create a custom csrfValidator with the timeout value you want and override the default CSRF validator of your elements using setCsrfValidator method.
Otherwise just change the default options when you add Csrf element to your forms:
You can change the options of the CSRF validator using the setCsrfValidatorOptions function, or by using the csrf_options key.
Csrf documentation
I have my own Form base class, derived off Zend\Form\From that all my forms inherit from. This way I can have some default behavior for all forms. Specifically, the one thing I have in this base class for now is that all forms are given a CSRF element by default. This way I never forget to add one. And, if you are doing this, then you could easily configure whatever time-out you want in that one place and it would apply to all your forms.
Related
By default validation in ASP.NET Core for inputs uses class input-validation-error but bootstrap 5 uses is-invalid.
I found some solutions for this:
Create the styles
Use jQuery.validate.unobtrusive and configure the defaults by setting up validClass and errorClass
Is there a way to configure the system to tell it which class to use or is this hardcoded?
BS5 only use the .is-valid and .is-invalid classes as fallback for server-side validation ... i.e., server side sets that class. The BS5 JS uses the :valid and :invalid pseudo-classes.
Not sure if you're looking for server side or client side --- either way read up on how validation works here: https://getbootstrap.com/docs/5.0/forms/validation/
Also read up on Migration here: https://getbootstrap.com/docs/5.0/migration/#utilities-1
If you want to create your own CSS, e.g. a .input-validation-error you can use the form-validation-state mixin, and a variation of the $form-validation-states map. SCSS is here: https://github.com/twbs/bootstrap/blob/main/scss/mixins/_forms.scss
I'm looking for a way how to change default message saying that login is required to see a page created in secure module. Currently it look like this: https://gyazo.com/1477f388deb20e4da3e13c5a957e86ce
Do you know how to change it or create a redirect to a different route ?
Currently I'm using symfony 1.19
You can use
login_module and login_action: Action called when a nonauthenticated user tries to access a page defined as secure in security.yml. The default value is default/login.
secure_module and secure_action: Action called when a user doesn't have the credentials required for an action. The default value is default/secure.
You can override the default pages in two ways:
You can create your own default module in the application's modules/ directory, override all the actions defined in the settings.yml file (index, error404, login, secure, disabled) and all the related templates (indexSuccess.php, error404Success.php, loginSuccess.php, secureSuccess.php, disabledSuccess.php).
You can change the default module and action settings of the settings.yml file to use pages of your application.
The Orbeon Proxy Portlet allows form selection via URL parameters. It would be preferable if the parameters were not included in the URL. I thought I might be able to use a public render parameter as described in the Liferay documentation but it looks like the proxy portlet isn't configured that way.
Looking at OrbeonProxyPortlet.scala I see this method is used to retrieve the URL parameters:
private def portalQuery(request: PortletRequest) =
collectByErasedType[String](request.getAttribute("javax.servlet.forward.query_string")) map decodeSimpleQuery getOrElse Nil
Could this method be modified to combine that map with the map returned by PorletRenderRequest.getParameterMap() or PorletRenderRequest.getPublicParameterMap()?
Or perhaps there could be another init-param like enable-url-parameters, for example, enable-inter-portlet-parameters?
This would also require the following configuration in the portlet.xml:
<supported-public-render-parameter>orbeon-app</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-form</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-document</supported-public-render-parameter>
<supported-public-render-parameter>orbeon-page</supported-public-render-parameter>
As you noticed, currently this is not implemented, and I don't think there is a way without modifying the code of OrbeonProxyPortlet.scala. But yes, it would make sense to make this work, and in fact the option was considered in issue #1850.
I'm considering using the hash method to create static urls to content that is managed by ajax calls in a Asp.Net MVC. The proof of concept i'm working on is a profile page /user/profile where one can browse and edit different sections. You could always ask for the following url /user/profile#password to access directly to you profile page, in the change password section
However, i'm wondering if i'm not starting this the bad way, since apparently i can't access the part after the hash in any way, except by declaring a route value for the hash in global.asax. So i'm wondering if this is the right way to access this part of the url?
Am i supposed to declare a route value, or is there another way to work with hash values (a framework, javascript or mvc)?
Edited to add:
In pure javascript, i have no problem using the window.location.hash property, i'm not sure though how standard it is in today's browsers, hence the question about a javascript framework/plugin that would use it.
The thing is that the part that follows the hash (#) is never sent to the server into the HTTP request so the server has absolutely no way of reading it. So no need to waste time in searching for something that doesn't exist.
You could on the other hand tune your routes to generate links that contain the hash part so that client scripts can read it.
Send the hash value document.location.hash as a parameter to the controller action of your choice.
This can be done in the code if needed...
RedirectResult(Url.Action("profile") + "#password");
should work fine
I have a pretty simple ASP.NET MVC page and am using TinyMCE to allow users to enter comments. However, when I pass the data to a controller I receive the following error message:
A potentially dangerous Request.Form
value was detected from the client
The consensus is that ValidateInput("false") should be set on the Action method but somehow that does not sit well with me. I have tried to intercept this by ordering my action methods and sanitizing the data through my ActionExecitomgContext ActionParameters however this error keeps occurring time and again. Does anyone know of a way to allow this content through (or properly intercept it) without disabling ValidateInput
Do you have specifics on why it doesn't sit well? ValidateInput("false") on the one action that accepts HTML is the proper way to go. The input validation is an old ASP.NET feature that is on by default for security in depth, but is like a sledge hammer. It doesn't understand the nuances of allowed HTML.
For that one action method, you could write your own ValidateSafeHtmlAttribute action filter and put that on the method instead. Maybe that one internally encapsulates a ValidateInput set to false and then does its own validation specific to your scenario. That'd be my recommendation.