I am populating form variables from a database.
If the field value has a double quote in it, such as 3" for 3 inches, then the html source looks like the following:
<input name="width" value="3"">
Q: How do I handle fields that contain double quotes?
I first thought it was a cfqueryparam problem, but it turns out it's an html problem.
Use HtmlEditFormat when displaying the value.
Like this:
<input name="width" value="#HtmlEditFormat(Form.Width)#" />
There is also:
XmlFormat for XML output;
JsStringFormat for JavaScript output;
UrlEncodedFormat for URL content.
For more complete/heavyweight stuff, you could consider OWASP's ESAPI - a Java Security API which can be used from CF and provides the following:
Context          Method
-------          ------
HTML             esapi.encodeForHTML(variable)
HTML Attribute   esapi.encodeForHTMLAttribute(variable)
JavaScript       esapi.encodeForJavaScript(variable)
CSS              esapi.encodeForCSS(variable)
URL              esapi.encodeForURL(variable)
(from Pete Freitag's cfunited presentation slides)
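The encoders in the table above, written out as an added example in plain JavaScript so their behaviour can be seen on the "3 inch" value from the question. This is not ESAPI's code and not ColdFusion's built-ins; the function names mirror the ESAPI table but the implementations, the renderWidthInput/renderWidthScript helpers and the sample values are assumptions made here for illustration.

```javascript
// Added example: one encoder per output context. Modelled on the ESAPI method
// names above, but implemented here from scratch; not ESAPI's or ColdFusion's code.

// HTML body context: entity-encode every character that can open or close
// markup or an attribute value. (ESAPI's own encoders are stricter and encode
// everything that is not alphanumeric; this is the minimal safe set.)
function encodeForHTML(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;', '`': '&#x60;' };
  return String(s).replace(/[&<>"'`]/g, c => map[c]);
}

// Quoted attribute context: the same entity set is sufficient *only* because the
// attribute value is wrapped in double quotes below. An unquoted attribute can be
// terminated by a space, which this encoder leaves alone.
const encodeForHTMLAttribute = encodeForHTML;

// JavaScript string context: \xHH / \uHHHH for everything outside [A-Za-z0-9], so
// the value can neither close the quote nor the enclosing <script> element
// ("</script>" becomes "\x3C\x2Fscript\x3E").
function encodeForJavaScript(s) {
  return String(s).replace(/[^A-Za-z0-9]/g, c => {
    const code = c.charCodeAt(0);
    return code < 256
      ? '\\x' + code.toString(16).padStart(2, '0').toUpperCase()
      : '\\u' + code.toString(16).padStart(4, '0').toUpperCase();
  });
}

// URL query component: percent-encoding. encodeURIComponent leaves !'()* alone
// (they are unreserved in RFC 2396); encode them too so the output is safe in
// any URL position.
function encodeForURL(s) {
  return encodeURIComponent(String(s)).replace(/[!'()*]/g,
    c => '%' + c.charCodeAt(0).toString(16).toUpperCase());
}

// The field from the question: a width of 3" must land inside the attribute,
// not terminate it. (Hypothetical helper, not from the post.)
function renderWidthInput(width) {
  return `<input name="width" value="${encodeForHTMLAttribute(width)}" />`;
}

// Same value echoed into an inline script: a different context, a different encoder.
function renderWidthScript(width) {
  return `<script>var width = '${encodeForJavaScript(width)}';</script>`;
}
```

The point of keeping four separate functions is that the right encoder is chosen by where the value lands in the output, not by what the value contains: the same `3"` needs `&quot;` in an attribute, `\x22` inside a JavaScript string literal and `%22` in a query string.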
I think it's probably the browser; you need to encode the quote using &quot; in your HTML, then it should pass properly.
I have a form with several TinyMCE textareas. Content is loaded in some textareas when the form is called. Other textareas are empty.
The content that is preloaded into the text fields already has a <p> tag. Everything is fine with it. But I have a problem with the empty textareas. TinyMCE automatically adds a <pre> tag, which destroys the formatting and layout.
This is the process that leads to the problem:
Open the form and enter unformatted text into an empty textarea.
Save the form. The content is displayed correctly. Everything is fine so far.
Edit the form / content.
At this point, TinyMCE adds the pre tag. The tag is not yet saved in the database, it comes from the editor.
I also made some tests with preloaded content. This is the result.
Template code | TinyMCE textarea
<p>test</p> | <p>test</p>
test | <pre>test</pre>
How can I prevent TinyMCE from adding the <pre> tag? Alternatively, <pre> could also be replaced by <p>.
If you're on ColdFusion 10 or later, you should be using the OWASP ESAPI encoding functions. They handle a higher range of character encoding than HTMLEditFormat() and HTMLCodeFormat().
Output between HTML tags: <td>#encodeForHTML(variables.myVar)#</td>
Output in an HTML attribute: <input type="text" value="#encodeForHtmlAttribute(variables.myVar)#">
The cause of the problem was the use of HTMLCodeFormat instead of HTMLEditFormat before I handed the content over to TinyMCE. Both have nearly the same effect, but HTMLCodeFormat adds a <pre> tag in addition.
HTMLCodeFormat()
HTMLEditFormat()
I am using a third party indexing service (Swiftype) to search through my database. The returned records contains a property called highlight. This simply adds <em> tags around matching strings.
I then bind this highlight property in Ember.JS Handlebars as such:
<p> Title: {{highlight.title}} </p>
Which results in the following output:
Title: Example <em>matching</em> text
The browser actually displays the <em> tags instead of formatting them, i.e. Handlebars is not identifying the HTML tags and is simply printing them as a string.
Is there a way around this?
Thanks!
Handlebars by default escapes html, to prevent escaping, use triple brackets:
<p> Title: {{{highlight.title}}} </p>
See http://handlebarsjs.com/#html-escaping
Ember escapes HTML because it could be potentially bad code which can be executed. To avoid that, use
Ember.Handlebars.SafeString("<em>MyString</em>");
Here are the docs
http://emberjs.com/guides/templates/writing-helpers/
If you've done that, you can use {{highlight.title}} as wished.
HTH
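An added example for the two answers above (not code from the question, from Swiftype, or from Ember): instead of switching the whole value to raw output with triple braces, escape the highlight string first and then restore only the exact `<em>`/`</em>` tags the indexer inserts. The `safeHighlight`, `SafeString` and `renderTitle` names and the sample titles are assumptions made here; `SafeString` stands in for `Ember.Handlebars.SafeString` so the block runs without Ember.

```javascript
// Added example: keep escape-by-default and allow only the indexer's <em> tags.
// Plain JavaScript; helper names and sample data are assumptions, not Ember's API.

function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#x27;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Escape everything, then un-escape only a literal <em> or </em>. Any other
// markup that happens to be in the indexed text (a <b>, a <script>, a stray "<")
// stays encoded, so the title cannot carry executable content into the page.
function safeHighlight(highlighted) {
  return escapeHtml(highlighted)
    .replace(/&lt;em&gt;/g, '<em>')
    .replace(/&lt;\/em&gt;/g, '</em>');
}

// Minimal stand-in for Ember.Handlebars.SafeString: a wrapper that tells the
// renderer "this value is already safe, do not escape it again".
class SafeString {
  constructor(s) { this.string = s; }
  toString() { return this.string; }
}

// What {{highlight.title}} does: escape unless the value is marked safe.
function renderTitle(value) {
  const html = value instanceof SafeString ? value.toString() : escapeHtml(value);
  return `<p> Title: ${html} </p>`;
}

// A helper in the shape Ember/Handlebars expects: returns a SafeString so the
// template can keep using double braces.
function highlightHelper(highlighted) {
  return new SafeString(safeHighlight(highlighted));
}
```

In a real Ember app the last function would be registered as a template helper and the template would call it with the highlight property; the important part is that the SafeString is produced only after the untrusted text has been escaped, rather than by wrapping the raw indexer output.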
This question already has an answer here:
JavaScript Date Format for ColdFusion Date Field
(1 answer)
Closed 8 years ago.
This is very frustrating. I am using cfinput datefield and mask="MM/DD/YYYY" and it's not working. If it is cfinput text and mask="MM/DD/YYYY" it works perfectly. I do not want to only have a textbox, though; I would like to keep the calendar that the date field gives you. The issue is that when they use the calendar it is in the correct format MM/DD/YYYY, but if the user just types the date into the textbox without using the calendar, the user can type whatever they desire (122334435), which obviously is unacceptable. Any ideas or workarounds anyone may be aware of?
Works:
<cfform name="foo">
<cfinput
type="text"
name="test"
validate="eurodate"
mask="99/99/9999"
validateat="onblur" />
<input type="submit">
</cfform>
Does Not Work:
<cfform name="foo">
<cfinput
type="datefield"
name="test"
validate="eurodate"
mask="MM/DD/YYYY"
validateat="onblur" />
<input type="submit">
</cfform>
I have added an answer to the other question that was originally opened regarding this same issue. I will post a bit here as well since users may find this question and not the other one. Or you could delete this question.
I believe the problem is that the mask attribute on the <cfinput type="datefield" ... code only works when using Flash forms - documentation reference.
I have emphasized the text from that documentation below:
Masking cfcalendar and datefield input
In the cfcalendar tag and the Flash format datefield input control, you use the following masks to determine the format of the output. You can use uppercase or lowercase characters in the mask:
...
The following pattern specifies that the Flash form sends the date selected using a datefield input control to ColdFusion as text in the format 04/29/2004:
<cfinput name="startDate" type="datefield" label="date:" mask="mm/dd/yyyy"/>
Since you are not using a Flash form the mask is not working for you. You could try switching to a regular <cfinput type="text" ... input and change your mask to something like "99/99/9999". That would give you the correct format but the user could still enter invalid dates so you would need additional code to catch that.
This is just another example of why using the built-in ColdFusion UI tags is not a good idea. They work for very simple examples but when you need more customization they fail you. You would be better off to use a JavaScript library (like jQuery) for client side validation. Adobe's own Ben Forta acknowledged this several years ago. And the ColdFusion-UI-the-Right-Way project was started because of this as well.
EDIT
On the other question that was posted Adam pointed out another reference in the ColdFusion documentation that reinforces my point. I have emphasized the text from that documentation below:
Masking input data
In HTML and Flash forms, the mask attribute controls the format of data that can be entered into a text field or that is selected in a datefield input control calendar. In HTML format, it does not prevent users from typing a date that does not follow the mask into a datefield input control. You can combine masking and validation on a field.
I'm running the following form inside abc.cfm.
<!--- Parameters defined --->
<cfparam name="startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfform format="HTML" action="datedownload.cfm" method="get" >
<cfformgroup type="horizontal">
<cfinput type="dateField" name="startdate" width="100" value="#startdate#">
<cfinput type="dateField" name="enddate" width="100" value="#enddate#">
<cfinput name="submitApply" type="submit" value = "Apply">
<cfinput type="button" name="download" value="Download" onclick="window.location.href='datedownload.cfm?startdate=#form.startdate#&enddate=#form.enddate#path=http://abc.xyz.com/username/July30/datedownload.cfm'">
</cfformgroup>
</cfform>
Everything is printing fine with the following code in datedownload.cfm
Startdate: <cfdump var = "#startdate#">
End Date :<cfdump var = "#enddate#">
Except that, the Enddate is printing full path along with it as follows:
Startdate: 2013-06-20 End Date : 2013-07-29path=http://abc.xyz.com/username/July30/datedownload.cfm
How can I remove the stuff starting from path?
If I am reading this correctly, you are getting an error that startdate and enddate are not defined in the form scope when you try to load download.cfm. Since you are passing those variables to download.cfm as part of a query string (by submitting the form using GET), they would not be present in the form scope.
I can think of 2 quick and easy solutions:
First, you can change your reference to form.startdate and form.enddate to url.startdate and url.enddate respectively. Variables passed in as part of the query string (like when you do a GET) become part of the url scope, not the form scope (like when you do a POST).
Second, you can param the variables like this in download.cfm:
<cfparam name="url.startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="url.enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfparam name="form.startdate" default="#url.startdate#">
<cfparam name="form.enddate" default="#url.enddate#">
This will first param the values in the url scope to the same values you have in the page that displays the form, then it will param the same variable names in the form scope to the same value of the same variable names in the URL scope.
Use an ampersand before enddate instead of the question mark and add an ampersand before the path variable
window.location.href='Download.cfm?startdate=#form.startdate#&enddate=#form.enddate#&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm'
The simplest way to solve your problem is to get rid of the 2nd button. It is not necessary and will confuse not only you, but your users. Since your form method is "get" the two formfields will be part of the url scope which seems to be what you want.
Also, where are the form variables coming from in the value attributes of your two inputs?
What's wrong with using a form post? That's the way I prefer to do it. I also test the request type (POST versus GET) to ensure that the download file isn't bookmarkable.
You'll need to use javascript to get the dates in the web-based form, not ColdFusion. (The user will also need to have javascript enabled to use the form to use location.href.)
Give your form fields matching IDs and try the following:
window.location.href = 'Download.cfm?startdate=' + encodeURIComponent(document.getElementById('startdate').value)
    + '&enddate=' + encodeURIComponent(document.getElementById('enddate').value)
    + '&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm';
I'd recommend not using CFForm tags since they require the /CFIDE/ directory, which it is currently recommended to block:
Secure CFIDE Directory for ColdFusion
ColdFusion 9 Server Lockdown Guide (PDF)
ColdFusion 10 Server Lockdown Guide (PDF)
Make sure you perform date validation on the server-side. If you need client-side date validation, you can use HTML5 DOCType and the attributes type="date" & required or consider using the jQuery Validation plugin (preferable to CFForm validation).
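An added example covering two points made in the answers above: a mask on the datefield controls only the shape of what is typed (the answer to the MM/DD/YYYY question), and the download URL should be assembled with proper encoding rather than hand-typed separators (the answers about `?`/`&` and `location.href`). This is plain JavaScript written here for illustration, not code from any of the posts; `parseStrictDate`, `buildDownloadUrl`, the format table and the sample values are assumptions.

```javascript
// Added example: strict server-side date validation plus URLSearchParams for the
// download link. Not from the posts above; names and sample data are assumptions.

// The two formats that appear in the threads above.
const DATE_FORMATS = {
  'MM/DD/YYYY': { re: /^(\d{2})\/(\d{2})\/(\d{4})$/, order: ['month', 'day', 'year'] },
  'YYYY-MM-DD': { re: /^(\d{4})-(\d{2})-(\d{2})$/, order: ['year', 'month', 'day'] },
};

// Returns {year, month, day} or null. Shape is checked by the regex; calendar
// validity (02/30/2024, 13/01/2024) is checked by round-tripping through Date in
// UTC and confirming that no field rolled over into the next month or year.
function parseStrictDate(value, format) {
  const spec = DATE_FORMATS[format];
  if (!spec) throw new Error('unsupported format: ' + format);
  const m = spec.re.exec(String(value).trim());
  if (!m) return null;
  const parts = {};
  spec.order.forEach((name, i) => { parts[name] = Number(m[i + 1]); });
  const { year, month, day } = parts;
  const d = new Date(Date.UTC(year, month - 1, day));
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 || d.getUTCDate() !== day) {
    return null;
  }
  return parts;
}

function toIsoDate({ year, month, day }) {
  const pad = n => String(n).padStart(2, '0');
  return `${year}-${pad(month)}-${pad(day)}`;
}

// Build the query string for datedownload.cfm. Every value is encoded by
// URLSearchParams, so a value containing '&' or '=' stays inside its own
// parameter instead of starting a new one, and the separator between
// parameters is never typed by hand (the bug in the original onclick).
function buildDownloadUrl(base, startdate, enddate, path) {
  const start = parseStrictDate(startdate, 'YYYY-MM-DD');
  const end = parseStrictDate(enddate, 'YYYY-MM-DD');
  if (!start || !end) throw new Error('startdate and enddate must be valid YYYY-MM-DD dates');
  if (toIsoDate(start) > toIsoDate(end)) throw new Error('startdate must not be after enddate');
  const params = new URLSearchParams({
    startdate: toIsoDate(start),
    enddate: toIsoDate(end),
    path,
  });
  return `${base}?${params.toString()}`;
}
```

Run the same `parseStrictDate` on the server when the request arrives: the client-side mask or calendar is a convenience for the user, and the 122334435 case from the question is exactly what the regex rejects before any date arithmetic or SQL sees the value.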
I have three templates in my project—we'll call them first.html, second.html, third.html.
first.html gets a string from the user, using an <input> tag:
<input type="radio" name="selection" value="example_string" />
second.html displays this string using {{selection}}. (In my views.py, I got the value using request.POST.get and render_to_response().)
The question is: how do I send this value from second.html to third.html? One of my attempts—using a <span> tag to save the information in a variable—is illustrated below, but it doesn't seem to work.
<span name="selection" value="{{selection}}">{{selection}}</span>
Edit: The following line works by creating a dummy single radio button. I don't know why it shouldn't be possible to create a variable without an <input> tag [visible to the user].
<input type="radio" name="selected" value="{{selected}}" checked="checked" />
You need to understand how the web works: each page is entirely separate, and is requested using a separate request.
Your basic options are: save data on the client side, or post it back to the server.
Both options can be performed with javascript, or posting back can also be performed by posting the form back to the server.
If you want to send it back to the server, it will have to be stored in the current session, or in a model.
There are many javascript libraries. If you want to use them, I suggest you google around the subject.
Answering my own question, now that I've found the answer on Django's documentation.
There's a special kind of <input> tag precisely for this: "hidden". The following line accomplishes the same as was asked in the question, but without a dummy element visible to the user:
<input type="hidden" name="selected" value="{{selected}}" />