I have a basic form that asks the user to enter some text in a regular html input control and I am also using jquery-tokeninput to allow users to choose tags from a pre-filled list.
One of the tags in the pre-filled list happens to be the word café, which I have got from the server and populating the tag list by calling
mytaglist.push({id: 'café', name: 'café'});
The problem is that when they attempt to enter a word like 'café' as a tag, asp.net mvc rejects the input saying that:
A potentially dangerous Request.Form value was detected from the client (articleTags="café").
Inspection using firebug shows my post data to be something like:
UserName=neo&category=&Title=caf%C3%A9&Text=sometext&articleTags=caf%26%23233%3B&IsAgreedTerms=true
As you can see, Title has value caf%C3%A9 which is correct but articleTags has value caf%26%23233%3B which I was not expecting.
I absolutely need to make sure that café (and not some encoded value) appears on the screen.
How can I make sure that I send the correct post data and still display café everytime?
Should I change how my server sends the text?
sending the data via Html.Raw solves the problem..
Related
I'm trying to add param in the url, like in this example:
https://www.google.com/ > https://www.google.com/search?q=qq
Opening the last link you can see "qq" in the "q" input.
For this site it doesn't work (this is the problem):
https://www.calabriasue.it/assistenza/richiesta-assistenza-e-supporto/
https://www.calabriasue.it/assistenza/richiesta-assistenza-e-supporto/?nome=mario
Can I add url param also in the last one? I need it.
Thanks!
I tried using different input names, different params ecc but it doesn't work.
Google's server side code is designed to generate an HTML document with an input field that is prefilled with the current search term which is reads from the URL. That is why adding q=search+term to the URL populates the input field.
You can't make arbitrary third-party websites prefill inputs. They have to explicitly provide a mechanism to make it possible.
Parameters only work as long as the code for the target website is expecting to handle a parameter named "nome" with a value "mario". In the case of the google website, it is expecting a parameter named "q" and has a form input for it.
Clicking a URL sends a a GET request type, and the target site may only be accepting parameters from a POST request type. You could consider using the application known as "PostMan" to help with that.
Alternately, the target page you are viewing may be forwarded / routed from a different page which accepts parameters.
Like the question says, how do I add a parameter to a URL?
Example:
When you click on a link to get a featured product on Product Hunt, the URL is appended with ?ref=producthunt.
Can I just add a parameter like this manually to the few links that I have on my website? Are there any scenarios where this might be suboptimal to do?
The parameters in the URL correspond to the superglobal $_GET array.
It means that if your URL is in the form
www.domain.com?key1=val1&key2=val2 ,
then $_GET[key1] contains val1 , and so on.
It is perfectly legitimate to add these parameters manually in a link (a typical use case would be a login button, which redirects you to the current URL and appends &todo=login . You can then add a bit of PHP code that triggers the login process when $_GET contains the value 'login' at the key 'todo').
The other way of adding these parameters is forms. In an HTML form, you specify a 'method' which can be 'get' or 'post'.
If you choose 'get', when the form is submitted, the URL will automatically be appended with the form answers.
NB: It is generally NOT SAFE to directly read values from the $_GET, as the user can fill it with any value (just by changing the URL) so it is good practice to use filters that ensure inputs are safe. Check http://www.w3schools.com/php/php_filter.asp for more on filters
The parameters added to the url is called query string and they have a format
it must start will ?
every paraper will be seperated with &
Example: http://www.yoururl.com?name=myname&age=34&ect=somethingelse
The mistake you did is by putting ?= which is not converted by your web server.
you can pas like '?websitename=website-name'
Querystring parameters are key value pairs that are separated from the URL's domain and path with a ? and separated from each other with an &, i.e ?key=value&key2=value2.
The values can be accessed client-side (in Javascript) and server-side by the webserver or by a server-side language is being used, PHP, ASP.NET, Java.
Some values should be encoded using a function such as encodeURIComponent to ensure that they are valid.
Risks
You need to be careful that the querystring does not contain any sensitive information such as a sequential order number, i.e ?order=5 as someone could manually change the value to see another user's order (?order=6, if no other authentication in place). The order value should be encrypted so it cannot be guessed. Also, do not execute any code passed in on the querystring with eval() as the contents could be changed by a malicious user to execute a crosssite scripting (XSS) attack on another user and steal their cookie or login credentials.
Sometimes we have jobs whose name has an apostrophe in it. I always want those apostrophes to display as ' , never as their HTML entity (').
The apostrophe displays correctly on most pages most of the time. But in some instances, the apostrophe displays as the HTML entity instead. Here's a screen-capture showing the behavior:
The apostrophes in the "Notes" field (a textarea) display correctly, but not in the "Job name" and "Display as" fields. Luckily, the apostrophes display correctly on the public-facing side, and I only see this behavior on the admin-side.
This sentence is going to sound insane, but stick with me, here: When I look at a page's source code where this problem occurs, it looks like the leading ampersand in the apostrophe's html entity is being replaced with the HTML entity for ampersand, thus becoming '
Here's a gist of the form's code.
When I look up this job's record in console, the job name and display name are "Job's Got An Apostrophe", so I know (think?) I'm not storing the HTML entity in my database. My database.yml specifies unicode encoding. It's a PostgreSQL 9.2.7 database. Not sure what other information is needed to help resolve this, if any.
I am working on an email validation link for a website. When a user registers and finishes filling in their personal data (and it passes all the checks), they are sent to a jsp page saying that an email has been sent to the address they entered as the username, with a link to click to validate the email address. So that part is all well and good, I generate the link (for now just using my localhost) and it looks like this as an example http://localhost:9999/javawork/msc/validate/?6FRQ8RAT&u=1s3w1Iih64egX01188HT. When they click the link it goes to the jsp page index.jsp in the validation folder. At this point I need to grab the entire URL and send it to a function to make sure the URL is formatted properly (for security purposes). If it passes and the format is fine, I need to grab the 8 digit code immediately after the '?' and also the value of 'u'. I then send those values to a function that checks that they match what we have in our DB, and if they do, I update the DB record with a validation date so we know they have validated their email address.
So my question is first, how do I grab the entire URL to check the format, and second, how do I grab the 8 digit code, and the value of 'u'? I have been looking online and all examples require creating multiple functions or classes, and using the URL class. And they all want me to make an instance of a URL object and initialize it using the entire URL. But it is not a static URL, it will be different for every user that registers, as it generates a random 8 digit code to check against, and the value of 'u' is the masked user id from the DB. I don't understand how it can require you to initialize the entire URL in order to get the values, when you don't know what the values are until you get them from the URL.
Is there a simple way to grab the values, and the entire URL? Even if I can just get everything after the '?', I know the base URL and can build a new String to check the formatting if I can get from the '?' and after. Please help with that part. Thanks.
The Interface HTTPServletRequest contains a method getRequestURL which returns a StringBuffer which you may use to check the format of the entire URL.
You can get it, in a jsp page with :
<%=request.getRequestURL()%>
If you are using the format of request that you specified above, then your second question :
how do I grab the 8 digit code, and the value of 'u'?
May be answered by manipulating that StringBuffer to split at the ? and & for the 8 digit code.
Or use another request method,
ServletRequest.getParameter(java.lang.String name)
To grab each parameters, though, i'm not certain how it will end up handling the unnamed parameter of the 8 digit code. Let me know how that goes.
Don't think of the 8-digit code as an unnamed parameter. Think of it as a parameter without a value.
request.getParameterNames() will give you the 8-digit code as well as "u". So you can loop through like so:
String code = "";
for(String paramName : request.getParameterNames()) {
if(!paramName.equalsIgnoreCase("u"))
code = paramName;
}
I completely understand the differences between the two in terms of form handling, user discretion and privacy of data, but in what situation would anyone rather use GET over POST when sending form results?
Thanks
W3C HTML 4.01 Recommendation on the appropriate usage of GET and POST:
The "get" method should be used when the form is idempotent (i.e., causes no side-effects). Many database searches have no visible side-effects and make ideal applications for the "get" method.
If the service associated with the processing of a form causes side effects (for example, if the form modifies a database or subscription to a service), the "post" method should be used.
Note: The "get" method restricts form data set values to ASCII characters. Only the "post" method (with enctype="multipart/form-data") is specified to cover the entire [ISO10646] character set.
GET places parameters in the URL itself, allowing everyone to see. While POST would be ideal for logins and security-sensitive data, GET is ideal when you want a dynamic page to be bookmarked.
Take a forum for example. The thread which shows all posts within it is loaded dynamically. There doesn't exist a page for every thread available, meaning parameters must be provided which indicate which thread to load. These parameters are passed using GET so that you can bookmark the page and that exact URL with the parameters provided will be used again to load the page.
For instance, to make form data visible in logs.
If i need that user can save a bookmark of next step/page (for whatever reason) i would use GET other than that probably POST.
Both are unsafe and you must escape both.