Django + OWASP ZAP Cross Site Scripting (Reflected) - Is the value attribute of an HTML input tag a risk? - django

In my Django project, I have a search input in the navbar across most pages on my site.
I'm a beginner to OWASP ZAP. After running the scan, one of the high priority alerts (red flag icon) raised was Cross Site Scripting (Reflected).
In my case, this is my website search form:
<form method="GET" id="searchForm">
<input type="text" name="q"
id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
</form>
If someone searches for javascript:alert(1); in the search box, the value= attribute contains the same string:
<form method="GET" id="searchForm">
<input type="text" name="q" value="javascript:alert(1);"
id="searchQuery" placeholder="Search..." autocomplete="off" maxlength="100" required="">
</form>
Is this a potential vulnerability, or is the input being sanitized by Django? This form is created using a Django forms.ModelForm:
from django import forms

class SiteSearchForm(forms.ModelForm):
    class Meta:
        model = Search
        fields = ('q',)
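For the question above, the thing to check is not whether the search string comes back (ZAP is right that it is reflected) but whether it can leave the value="..." attribute. Django templates autoescape by default and Django's form widgets escape their attribute values when rendering, so a double quote in the search term becomes &quot; and the string stays inside the attribute. The string javascript:alert(1); is inert there on its own: the value of a text input is not a URL context, and the javascript: scheme only matters in href, src or action attributes, where escaping does not help and the scheme itself has to be validated. The following is an added example, not code from the question or from Django: it models three renderings of the input with html.escape, which replaces the same five characters as django.utils.html.escape, and uses Python's html.parser as a stand-in for the browser's tokenizer to see which attributes each rendering actually produces. The three payloads are constructed for the example.

```python
import html
from html.parser import HTMLParser

# Constructed inputs for the search box: the string from the question, a payload
# that tries to close the value="" attribute, and one aimed at an unquoted attribute.
REFLECTED = "javascript:alert(1);"
BREAKOUT = '" autofocus onfocus="alert(1)'
UNQUOTED_BREAKOUT = "x autofocus onfocus=alert(1)"


def render_escaped(q):
    """Quoted attribute plus escaping: what {{ form.q }} or {{ q }} produce under autoescape.
    html.escape(quote=True) replaces the same characters (& < > " ') as django.utils.html.escape."""
    return f'<input type="text" name="q" value="{html.escape(q, quote=True)}">'


def render_unescaped(q):
    """No escaping: what |safe, mark_safe() or string concatenation in the view would produce."""
    return f'<input type="text" name="q" value="{q}">'


def render_unquoted(q):
    """Escaped but unquoted attribute: escaping alone does not help here, whitespace ends the value."""
    return f'<input type="text" name="q" value={html.escape(q, quote=True)}>'


class _InputAttrs(HTMLParser):
    """Collects the attributes of the first <input>, split the way a tokenizer splits them."""

    def __init__(self):
        super().__init__()
        self.attrs = None

    def handle_starttag(self, tag, attrs):
        if tag == "input" and self.attrs is None:
            # html.parser unescapes &quot; etc. in attribute values, like a browser does.
            self.attrs = dict(attrs)


def input_attributes(markup):
    """Attribute name -> value (None for boolean attributes such as autofocus)."""
    parser = _InputAttrs()
    parser.feed(markup)
    parser.close()
    return parser.attrs or {}


def payload_stayed_in_value(markup, q):
    """True when q came back as the value attribute only and no on* handler attribute was created."""
    attrs = input_attributes(markup)
    handlers = [name for name in attrs if name.startswith("on")]
    return attrs.get("value") == q and not handlers


if __name__ == "__main__":
    cases = [
        ("escaped, quoted", render_escaped, BREAKOUT),
        ("unescaped, quoted", render_unescaped, BREAKOUT),
        ("escaped, unquoted", render_unquoted, UNQUOTED_BREAKOUT),
    ]
    for label, render, q in cases:
        markup = render(q)
        print(f"{label:20} safe={payload_stayed_in_value(markup, q)!s:5} {markup}")
    # The harmless string from the question renders identically either way,
    # which is why its reflection alone says nothing about escaping.
    print(render_escaped(REFLECTED) == render_unescaped(REFLECTED))
```

The check to run against the real site is the same as the first case: submit a term containing a double quote, look at the raw response (view-source, or the request/response tab in ZAP) and confirm the quote arrives as &quot;. The maxlength="100" on the input is enforced by the browser only and does nothing server-side, and |safe, mark_safe() or building the tag by string concatenation in the view would turn the form into the unescaped case.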

Related

Bootstrap for Django form: break down the fields of the form to 3 pages

I have a Django form which has a lot of fields, so I have to break it up into 3 pages. It means the user has to fill in some fields of the form on one page, and then click next to go to the next page and continue filling in the form.
To achieve that, I plan to display some fields of the form on each page.
I have come up with this code:
HTML Page 1:
<form method="POST" action="#" class="form">
{{form.email}}
{{form.phone_number}} ...
</form>
HTML Page 2 :
<form method="POST" action="#" class="form">
{{form.current_job}}
{{form.current_salary}}...
</form>
It works fine with this code, but it just shows the form in its basic appearance; I would like to use Bootstrap to make it more beautiful.
My question is: how can I integrate Bootstrap?
I have come up with this solution, but it is hard-coded and difficult to maintain if I change the fields of the form in the future:
<label class="control-label" for="id_field1">Field 1</label>
<input class="form-control" id="id_field1" maxlength="50" name="field1" type="text"/>
<label class="control-label" for="id_field2">Field 2</label>
<input class="form-control" id="id_field2" maxlength="50" name="field2" type="text"/>
Thank you for your help!

Django and Salesforce Web to Lead

We have website developers redesigning the whole site in Django, and these are questions from our website developers I don't have any real knowledge of how to answer, so I thought someone here might be able to help.
We ran into a few problems with the web to lead and having it map to Salesforce which I HOPE we resolved.
Here's the code snippet:
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <META> element to your page <HEAD>. -->
<!-- If necessary, please modify the charset parameter to specify the -->
<!-- character set of your HTML page. -->
<!-- ---------------------------------------------------------------------- -->
<META HTTP-EQUIV="Content-type" CONTENT="text/html; charset=UTF-8">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: Please add the following <FORM> element to your page. -->
<!-- ---------------------------------------------------------------------- -->
<form action="https://www.salesforce.com/servlet/servlet.WebToLead?encoding=UTF-8" method="POST">
<input type=hidden name="oid" value="SFDCidhere">
<input type=hidden name="retURL" value="http://">
<!-- ---------------------------------------------------------------------- -->
<!-- NOTE: These fields are optional debugging elements. Please uncomment -->
<!-- these lines if you wish to test in debug mode. -->
<!-- <input type="hidden" name="debug" value=1> -->
<!-- <input type="hidden" name="debugEmail" -->
<!-- value="emailaddresshere"> -->
<!-- ---------------------------------------------------------------------- -->
<label for="first_name">First Name</label><input id="first_name" maxlength="40" name="first_name" size="20" type="text" /><br>
<label for="last_name">Last Name</label><input id="last_name" maxlength="80" name="last_name" size="20" type="text" /><br>
<label for="email">Email</label><input id="email" maxlength="80" name="email" size="20" type="text" /><br>
<label for="company">Company</label><input id="company" maxlength="40" name="company" size="20" type="text" /><br>
<label for="phone">Phone</label><input id="phone" maxlength="40" name="phone" size="20" type="text" /><br>
Subject:<textarea id="00N1600000EgFuw" name="00N1600000EgFuw" rows="3" type="text" wrap="soft"></textarea><br>
Contact me:<input id="00N1600000EvgRY" name="00N1600000EvgRY" type="checkbox" value="1" /><br>
newsletter:<input id="00N1600000EvgRd" name="00N1600000EvgRd" type="checkbox" value="1" /><br>
<input type="submit" name="submit">
</form>
That's what the web-to-lead from SFDC generates, and seems to work now.
However they have 2 questions I am not certain about and would love assistance with:
1) The specs for the new site require that the return page be the one the form was sent from (I.e., no redirection; we’re intending to do the equivalent of a “thanks” page as a pop-up onClick() — how is that accomplished through the API? I’d EXPECT that sending an empty retURL value should do it, but we just get back a blank page with a salesforce.com URL;
2) is it possible to customize the “name” parameter for the two checkbox fields (if not then we have to hack the entire form in the Django template without making it possible for Django to render the form natively since you can’t have a model form field name start with a digit…). This isn’t THAT problematic, but I’d like to know for future reference.
If anyone has any insight, I'd love to hear it and pass it along to them!
Many thanks.
Not sure about your solution.
The common way is that you could use the Partner WSDL or Enterprise WSDL to insert, update, upsert and delete your data.
Partner WSDL:
not custom to your Salesforce org, but it could be a common way to get your data.
In Python you could use this package
https://pypi.python.org/pypi/pyforce/1.4
And reference this
https://developer.salesforce.com/docs/atlas.en-us.api.meta/api/sforce_api_partner.htm
Enterprise WSDL will show your Salesforce org status (including fields and objects). But once your objects or fields change, it might error.
So I suggest using the API to control the redirect function and the action.
My solution is as follows in an example:
from captcha.fields import ReCaptchaField
from django import forms
from django.conf import settings


def set_field_html_name(cls, new_name):
    """
    This creates a wrapper around the normal widget rendering,
    allowing for a custom field name (new_name).
    The browser then submits the value under new_name, so it will
    not show up in request.POST under the field's Python name.
    """
    old_render = cls.widget.render

    def _widget_render_wrapper(name, value, attrs=None, **kwargs):
        # BoundField passes name=, value=, attrs= and (Django >= 1.11) renderer=
        # as keyword arguments; swap in new_name and pass the rest through.
        return old_render(new_name, value, attrs=attrs, **kwargs)

    cls.widget.render = _widget_render_wrapper


class WebToLeadForm(forms.Form):
    # <keep all fields here>
    # example field below
    referred_by = forms.CharField(label="Referred By", required=False)
    # The reCAPTCHA in this form uses keys from settings.
    captcha = ReCaptchaField()
    # Render referred_by under the Salesforce custom-field id (00N...), which
    # cannot be a Python attribute name because it starts with a digit.
    set_field_html_name(referred_by, settings.SF_REFERRED_BY)
settings.py
SF_REFERRED_BY = '00xxxxxxxxxxxx'

How can I access data sent in a post request in Django?

I have a form that is supposed to create a new 'Quote' record in Django. A 'Quote' requires a BookID for a foreign key.
This is my form
<form method="POST" action="{% url 'quotes:createQuote' %}">
{% csrf_token %}
<section>
<label for="q_text">Quote Text</label>
<input type="text" name="text" id="q_text" placeholder="Enter a Quote" style="padding-left:3px"> <br>
<label for="q_book">Book ID</label>
<input type="text" name="bookID" id="q_book" placeholder="Enter Book ID" style="padding-left:3px"> <br>
<label for="q_disp">Display Quote Now?</label>
<input type="radio" name="display" id="q_disp" value="True"> True
<input type="radio" name="display" value ="False">False <br>
<button value="submit">Submit</button>
</section>
</form>
And this is the method that it is targeting
from django.http import HttpResponseRedirect
from django.urls import reverse


def createQuote(request):
    # b = get_object_or_404(Book, pk=request.bookID)
    return HttpResponseRedirect(reverse('quotes:index'))
Somewhere in that request argument I assume there is some sort of field that contains the bookID the user will pass in on the form. How do I get at that information?
Bonus points for anyone who can tell me some way I can visualise data like I might with console.log(some.collection) in Javascript
if request.method == "POST":
    # The key is the input's name attribute, "bookID" in your form
    book_id = request.POST['bookID']
Assuming you're sure it's in there. Otherwise you'll need to verify it or provide a default value, like you would for a normal Python dictionary.
As for visualising the data, do you mean printing it to the console? In which case, if you're running the Django runserver you can just do print(some_data). If you want it formatted a little nicer, you can use pretty print:
import pprint
pp = pprint.PrettyPrinter()
pp.pprint(some_data)
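An added example, not from the answer above, of what to do with the values once they are out of request.POST: they are untrusted strings and should be validated before they reach get_object_or_404 or a model. The function below takes a plain dict standing in for request.POST (a QueryDict supports the same .get calls) and does for this template what a Django forms.Form with a CharField, an IntegerField and a choice of "True"/"False" would do; the two sample dicts are constructed, and QuoteInput is a helper name introduced here. In a real view you would then call get_object_or_404(Book, pk=data.book_id) and return the redirect.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins for request.POST: one good submission and one with
# every field wrong (empty text, non-numeric bookID, unknown radio value).
VALID_POST = {"text": "Call me Ishmael.", "bookID": "42", "display": "True"}
BAD_POST = {"text": "   ", "bookID": "42; DROP TABLE quotes", "display": "maybe"}

# Strict positive integer: rejects "", "-3", "4_2", " 42" and anything non-numeric
# that int() would otherwise accept or that a database lookup should never see.
_BOOK_ID = re.compile(r"[1-9]\d*")


@dataclass
class QuoteInput:
    text: str
    book_id: int
    display: bool


def parse_quote_post(post) -> tuple[Optional[QuoteInput], dict]:
    """Validate the three fields of the quote form.

    Returns (QuoteInput, {}) on success or (None, errors) where errors maps the
    offending input name to a message, mirroring form.errors in Django.
    """
    errors = {}

    text = post.get("text", "").strip()
    if not text:
        errors["text"] = "Quote text is required."

    raw_id = post.get("bookID", "")
    book_id = None
    if _BOOK_ID.fullmatch(raw_id):
        book_id = int(raw_id)
    else:
        errors["bookID"] = f"Book ID must be a positive integer, got {raw_id!r}."

    display_raw = post.get("display")
    if display_raw not in ("True", "False"):
        errors["display"] = "Choose True or False."
    display = display_raw == "True"

    if errors:
        return None, errors
    return QuoteInput(text=text, book_id=book_id, display=display), {}


if __name__ == "__main__":
    for label, post in (("valid", VALID_POST), ("bad", BAD_POST)):
        data, errors = parse_quote_post(post)
        print(label, data, errors)
```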

Shopify Remote add to cart - Same variant id, different properties but yet the Shopify cart considers them the same

I am using the Shopify remote add to cart form to pass a group of customized products. Same Shopify product (variant-id), different custom designs (line item properties).
The form call treats the 3 customized products that I am adding to the cart as identical even though they have distinct line items. If I push this to the Shopify cart I will see a product with a quantity of 3. If I submit a form for each product individually then it treats them as unique products in the cart which is the behavior I would hope for.
Here is an example of the code I am trying to use (notice that "Customizer#" and "Your Design" are unique for each product):
<form action="http://www.boardlams.com/cart/add" method="post">
<input name="id[]" value="262542038" type="hidden">
<input id="Customizer#" name="properties[Customizer#]" value="RTD-Design-1" type="hidden">
<input id="YourDesign" name="properties[YourDesign]" value="http://designer.realtimedesigner.com/orders2/153000/153500/153561/3/design_1.png?1355818798" type="hidden">
<input name="id[]" value="262542038" type="hidden">
<input id="Customizer#" name="properties[Customizer#]" value="RTD-Design-2" type="hidden">
<input id="YourDesign" name="properties[YourDesign]" value="http://designer.realtimedesigner.com/orders2/153000/153500/153561/3/design_2.png?1355818798" type="hidden">
<input name="id[]" value="262542038" type="hidden">
<input id="Customizer#" name="properties[Customizer#]" value="RTD-Design-3" type="hidden">
<input id="YourDesign" name="properties[YourDesign]" value="http://designer.realtimedesigner.com/orders2/153000/153500/153561/3/design_3.png?1355818798" type="hidden">
<input name="return_to" value="/cart" type="hidden">
<input value="Many Customized Products" type="submit">
</form>
Is there a way to have the Shopify cart consider each product as separate item in the cart when submitting the form this way? Sending a remote add to cart form per customized project is not a good solution in this case because we want to submit all of the products as a group.
I appreciate any insights!
Regards,
John

How to make Chrome respect the names of my fields and not attempt to autocomplete

I have two different forms on my home page: one for logins and one for registrations. As you can see from the code, the forms have inputs with different names:
<h3> Log In </h3>
<form action="/login/" method="POST" class="form-vertical" style="padding-top: 5px">
<input id="id_login_username" type="text" name="login_username" maxlength="25" />
<input type="password" name="login_password" id="id_login_password" /><br>
<button type="submit" class="btn btn-info">Login</button>
</form>
<h3> Sign Up <small>(It's free!)</small></h3>
<form action="/register/" method="POST" class="form-vertical" style="padding-top: 5px">
<input id="id_register_username" type="text" name="register_username" maxlength="25" />
<input type="text" name="register_email" id="id_register_email" />
<input type="password" name="register_password" id="id_register_password" />
<input type="password" name="register_password2" id="id_register_password2" /><br>
<button type="submit" class="btn">Submit</button>
</form>
Which renders to this in Chrome:
What can be causing this? And how can I fix it?
That's a really good question and I'm sorry to say I have no idea. Did you try to register once and also login at least once? If so, that "might" be what's causing it, as browsers come complete with the "autoremember" feature.
Assuming autofill is enabled (it is by default), the reason it autofills the rest is that Chrome's autofill server works on regular expressions, not exact matches.
All the regular expressions used for the various fields can be found in autofill_regex_constants.cc.utf8.
From there you can see that the expression for email field is "e.?mail" and for username it is "user.?name|user.?id|nickname|maiden name|title|prefix|suffix"
It appears a similar question has been asked before:
What is the correct way to stop form input boxes auto-completing?
There is an autocomplete attribute you can use in form fields.
<input id="id_login_username" type="text" name="login_username" maxlength="25" autocomplete="off" />
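To see the behaviour described in the regular-expression answer, here is an added example (not from any of the answers) that runs the two expressions quoted above against the field names from the question. Chromium compiles these patterns case-insensitively, which is assumed here; the pattern for password fields is not quoted on the page, so it is left out, and the function returns None for those names.

```python
import re

# The two patterns quoted in the answer above from Chromium's autofill_regex_constants.
# Case-insensitive matching is assumed.
AUTOFILL_PATTERNS = {
    "email": re.compile(r"e.?mail", re.IGNORECASE),
    "username": re.compile(
        r"user.?name|user.?id|nickname|maiden name|title|prefix|suffix", re.IGNORECASE
    ),
}

# The input names from the two forms in the question.
FIELD_NAMES = [
    "login_username",
    "login_password",
    "register_username",
    "register_email",
    "register_password",
    "register_password2",
]


def autofill_type(field_name):
    """First autofill type whose pattern matches anywhere in the name.

    re.search, not fullmatch: the prefixes login_/register_ do not stop a match,
    which is why both username inputs are classified the same way.
    """
    for kind, pattern in AUTOFILL_PATTERNS.items():
        if pattern.search(field_name):
            return kind
    return None


def classify(names):
    """Map each field name to the autofill type Chrome would guess for it."""
    return {name: autofill_type(name) for name in names}


if __name__ == "__main__":
    for name, kind in classify(FIELD_NAMES).items():
        print(f"{name:20} -> {kind}")
```

Because both forms contain a name matching the username pattern, Chrome treats them as the same kind of field. Note that current Chrome ignores autocomplete="off" for its address and credential autofill (the attribute only disables plain form-history suggestions), so a more reliable fix is to give the registration fields autocomplete values that describe them, such as autocomplete="new-password" on the two password inputs.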