Issue with XSS attack in SiteMinder FCC files - xss

I have some FCC files which contain some hidden variables which our testing team is attacking, e.g. with the parameter TARGET=-SM-http%3a%2f%2fgrow%2egoogle%2ecom%2f%22%20%73%54%79%4c%65%3d%58%3a%65%58%70%52%65%53%73%49%6f%4e%28%61%6c%65%72%74%28%34%37%36%38%33%29%29%20%22
which makes the target variable act as below:
INPUT type='hidden' name='target' value='' STYLE= xss:expression(alert('attack alert'))" '
which results in an alert message in an infinite loop.
My form contains some form values which are hidden:
name="target" value="$$target$$"
name="smauthreason" value="$$smauthreason$$"
These form values will be assigned to form elements.
So how can I avoid the XSS attack issue?
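An added example, not from the original post and not SiteMinder code, of the fix the question is asking for: attribute-encode every $$name$$ value before it is substituted into the hidden input, so the TARGET value can never close the value="..." quote. The FCC fragment and the TARGET value below are constructed, in the same shape as the one the testing team sent.

```javascript
// Added example, not SiteMinder code: HTML attribute encoding for the
// $$name$$ substitutions an FCC makes into its hidden inputs.

// Encode the five characters that can break out of a quoted attribute.
function escapeHtmlAttr(value) {
  const map = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;", "'": "&#x27;" };
  return String(value).replace(/[&<>"']/g, (ch) => map[ch]);
}

function lookup(vars, name) {
  return Object.prototype.hasOwnProperty.call(vars, name) ? vars[name] : "";
}

// Unsafe: raw substitution, which is what lets the TARGET value inject a STYLE attribute.
function renderUnsafe(template, vars) {
  return template.replace(/\$\$(\w+)\$\$/g, (_, name) => lookup(vars, name));
}

// Safe: every substituted value is attribute-encoded, so it stays inside value="...".
function renderSafe(template, vars) {
  return template.replace(/\$\$(\w+)\$\$/g, (_, name) => escapeHtmlAttr(lookup(vars, name)));
}

// Constructed FCC fragment (a real FCC carries more fields, e.g. $$smauthreason$$).
const FCC_FRAGMENT = '<input type="hidden" name="target" value="$$target$$">';

// Constructed request value in the same shape as the tester's TARGET parameter.
const HOSTILE_TARGET = decodeURIComponent(
  "-SM-http%3a%2f%2fexample%2ecom%2f%22%20STYLE%3dxss%3aexpression(alert(1))%20%22"
);

// Check: the whole value must still sit inside the one quoted value attribute.
function valueStaysInAttribute(html) {
  return /^<input type="hidden" name="target" value="[^"]*">$/.test(html);
}

console.log(renderUnsafe(FCC_FRAGMENT, { target: HOSTILE_TARGET }));
console.log(renderSafe(FCC_FRAGMENT, { target: HOSTILE_TARGET }));
```

The same encoding applies to $$smauthreason$$ and every other substituted value; encoding on output is what removes the injection, regardless of which characters the tester sends.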

Related

In a Camunda embedded form, how do you specify the bound variable scope?

Within a user task, a segment of the embedded form markup is
...
<div class="form-group">
<label for="reference">Reference</label>
<input class="form-control"
cam-variable-name="reference"
cam-variable-type="String"
name="reference" />
</div>
...
On form entry, the reference field should be empty. On form submission, the associated Camunda process variable is populated with the reference text as a single String as expected.
Reading the Camunda manual, forums etc., there is no setting to specify the bound variable scope.
For this form field, I wish to use local variables (task scoped), not process instance scoped variables.
If process variables are used and there is a following user task with a form using the same variable-name, that form field is populated with the previously entered value.
I understand that variables can be programmatically reset and that I can use a different variable name, but use of a local variable would avoid this.
Also, use of process variables results in an excessive number of variables as seen in
cockpit > running process instances > [process-name] > [instance GUID] > variables
Generally, unless the value is to be used later, form based variables have only relevance during form set-up and action processing.
To set local variables in user forms, the easiest way is to define them in a task-listener creating the task. Then you can reference the variables with cam-variable-name in the form.
Have a look at this post for further details: https://forum.camunda.org/t/variables-in-parallel-process/1476/3

Passing two form variables in a single URL

I'm running the following form inside abc.cfm.
// Parameters Defined
<cfparam name="startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfform format="HTML" action="datedownload.cfm" method="get" >
<cfformgroup type="horizontal">
<cfinput type="dateField" name="startdate" width="100" value="#startdate#">
<cfinput type="dateField" name="enddate" width="100" value="#enddate#">
<cfinput name="submitApply" type="submit" value = "Apply">
<cfinput type="button" name="download" value="Download" onclick="window.location.href='datedownload.cfm?startdate=#form.startdate#&enddate=#form.enddate#path=http://abc.xyz.com/username/July30/datedownload.cfm'">
</cfformgroup>
</cfform>
Everything is printing fine with the following code in datedownload.cfm
Startdate: <cfdump var = "#startdate#">
End Date :<cfdump var = "#enddate#">
Except that, the Enddate is printing full path along with it as follows:
Startdate: 2013-06-20 End Date : 2013-07-29path=http://abc.xyz.com/username/July30/datedownload.cfm
How can I remove the stuff starting from path?
If I am reading this correctly, you are getting an error that startdate and enddate are not defined in the form scope when you try to load download.cfm. Since you are passing those variables to download.cfm as part of a query string (by submitting the form using GET), they would not be present in the form scope.
I can think of 2 quick and easy solutions:
First, you can change your references to form.startdate and form.enddate to url.startdate and url.enddate respectively. Variables passed in as part of the query string (like when you do a GET) become part of the url scope, not the form scope (like when you do a POST).
Second, you can param the variables like this in download.cfm:
<cfparam name="url.startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="url.enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfparam name="form.startdate" default="#url.startdate#">
<cfparam name="form.enddate" default="#url.enddate#">
This will first param the values in the url scope to the same values you have in the page that displays the form, then it will param the same variable names in the form scope to the same value of the same variable names in the URL scope.
Use an ampersand before enddate instead of the question mark and add an ampersand before the path variable
window.location.href='Download.cfm?startdate=#form.startdate#&enddate=#form.enddate#&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm'
The simplest way to solve your problem is to get rid of the 2nd button. It is not necessary and will confuse not only you, but your users. Since your form method is "get" the two form fields will be part of the url scope, which seems to be what you want.
Also, where are the form variables coming from in the value attributes of your two inputs?
What's wrong with using a form post? That's the way I prefer to do it. I also test the request type (POST versus GET) to ensure that the download file isn't bookmarkable.
You'll need to use javascript to get the dates in the web-based form, not ColdFusion. (The user will also need to have javascript enabled to use the form to use location.href.)
Give your form fields matching IDs and try the following:
window.location.href='Download.cfm?startdate='+ document.getElementById('startdate').value +'&enddate='+ document.getElementById('enddate').value +'&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm';
I'd recommend not using CFForm tags since they require the /CFIDE/ directory, which is currently recommended to be blocked:
Secure CFIDE Directory for ColdFusion
ColdFusion 9 Server Lockdown Guide (PDF)
ColdFusion 10 Server Lockdown Guide (PDF)
Make sure you perform date validation on the server-side. If you need client-side date validation, you can use HTML5 DOCType and the attributes type="date" & required or consider using the jQuery Validation plugin (preferable to CFForm validation).
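An added example, not from any of the answers above, that takes the last two answers together: build the Download.cfm query string with every value encoded, so a value containing & or = cannot split into extra parameters (the bug the question started from), and accept only calendar-valid yyyy-mm-dd dates before the server trusts them. Download.cfm, the element ids and the path value are constructed.

```javascript
// Added example, not from the original answers: encoded URL building plus
// strict yyyy-mm-dd date validation for the Download.cfm query string.

// Accept only a calendar-valid yyyy-mm-dd string (rejects 2013-02-30, 2013-7-29, "2013-07-29x").
function isValidIsoDate(value) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(String(value));
  if (!m) return false;
  const [y, mo, d] = [Number(m[1]), Number(m[2]), Number(m[3])];
  const date = new Date(Date.UTC(y, mo - 1, d));
  return date.getUTCFullYear() === y && date.getUTCMonth() === mo - 1 && date.getUTCDate() === d;
}

// Build the download URL. URLSearchParams encodes each value, so "&", "=", "/" and ":"
// inside a value stay inside that value instead of becoming new parameters.
function buildDownloadUrl(startdate, enddate, path) {
  if (!isValidIsoDate(startdate) || !isValidIsoDate(enddate)) {
    throw new Error("startdate and enddate must be yyyy-mm-dd");
  }
  // ISO dates compare correctly as strings.
  if (startdate > enddate) throw new Error("startdate must not be after enddate");
  const params = new URLSearchParams({ startdate, enddate, path });
  return "Download.cfm?" + params.toString();
}

// Constructed values in the shape of the question's form.
const EXAMPLE_PATH = "http://abc.xyz.com/username/Testing/Download.cfm";
console.log(buildDownloadUrl("2013-06-20", "2013-07-29", EXAMPLE_PATH));

// Browser side, with the matching element ids the last answer suggests (assumed):
// window.location.href = buildDownloadUrl(
//   document.getElementById("startdate").value,
//   document.getElementById("enddate").value, EXAMPLE_PATH);
```

The same isValidIsoDate check belongs on the server in Download.cfm as well, since the browser-side value can be edited or bookmarked.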

how to set input regex pattern that matches everything EXCEPT empty string and 'Enter Code'

I have to use a legacy library to emulate the HTML5 placeholder instead of actually using the placeholder attribute. We're using a js library that emulates this by populating the input's value, then clears the value when the user clicks on the input. For example we have a captcha that has a temporary value of 'Enter Code'. We would still like to use HTML5 tooltip validations for browsers that can support it. So if the form is submitted without the captcha filled in, then the tooltip should read 'Please enter code'. I set the 'required' attribute on the captcha text input field; however, this doesn't work because the js library sets the value of the input field so that it's not blank, and the form submits anyway.
I would like to specify a pattern on the captcha input field so that the string 'Enter Code' is not valid, and neither is empty string.
I have tried:
<input id="captcha" type="text" required="required" pattern="(?!Enter Code)">
But that doesn't seem to work.
Use regex pattern ^(?!Enter Code$).+
<input id="captcha" type="text" required="required" pattern="^(?!Enter Code$).+">

How to keep initial form empty, ignore browser cache

I have a form with a password field. When the page loads, the password field automatically fills with the 'stored' password in my browser. Is there a way to disable cache on a field, such that no matter what, the password input field will be empty? Thank you.
I think it's browser implementation dependent, but you can try adding the autocomplete attribute.
Example
<input type="text" name="user" autocomplete="off" value=""/>

Unit Testing a Django Form Containing Multiple Submit Buttons

I am writing unit tests for a page that uses several Submit buttons to control logical flow through my Django application.
Unfortunately, I can't figure out how to get the response to return the submit values in the unit testing framework. The Django unit testing documentation for post indicates its form is the following:
post(path, data={}, content_type=MULTIPART_CONTENT, follow=False, **extra)
In the case of a Delete button of the form:
<input type="submit" name="delete" value="Delete" />
I've tried placing the Delete value in as data, i.e.:
response = self.client.post(url, {'name':'delete'}, follow=True)
but that doesn't seem to work. I need to have the name values in order to exercise the code paths that they trigger. In the views, the logic takes the form of:
if 'delete' in request.POST:
<do something>
I'm assuming that I make use of **extra somehow to get these values but I haven't had much luck with it either.
Any suggestions?
The data dictionary should map input names to values. In your case, the name is delete, and the value is Delete. So the dictionary should be:
{'delete': 'Delete'}