Django multilanguage support - django

Using Django, if a text is stored in French or Hindi, how will this be stored and retrieved in a text box field?
Models.py:
class Details(models.Model):
    title = models.CharField(max_length=255)
HTML page:
<form action="/pjt/details">
    <input type="text" name="nee_n" id="neen_n" />
</form>
How to store this in the DB and retrieve it back the same? Is there any setting to be changed in settings.py?
Thanks..

Django is based on Unicode and so the language characters will be stored correctly.
Storing the language, i.e. the user's culture, is a different issue. This can be initially gleaned from the HTTP request in the format 'en_US' or 'fr_FR'.
This standard is a concatenation of ISO 639-1 and ISO 3166-1.
However, the browser culture cannot always be relied upon, and so the interface should give the user the opportunity to change their culture.

How to not allow browser to store previous values in flask-form StringField?

After submitting my Flask app form to make a new response, a 'quick-suggested' form appears containing previous input values. How can I stop this from appearing? In fact, I don't understand where it comes from and where it's stored, so I can't make a relevant ask to Google. Don't be sarcastic - it was surprising for me that it disappears when I try to make this image with scissors!
It's all about that.
P.S. It all happens in Google Chrome.
Your "google term" would be form autocomplete. This is a feature of your browser not flask or any web framework.
You can ask the browser to not autocomplete a form.
<form ... autocomplete="off">
or an individual field
<input type="text" autocomplete="off">
Keep in mind that the browser doesn't have to respect your wishes, specifically in the case of login fields, where browsers will autofill usernames and passwords regardless of autocomplete="off".

Why is the FORM scope showing fewer values than were actually submitted by this AJAX file uploader?

I'm not sure I understand how to phrase my question, but I believe it's specific to ColdFusion's handling of certain AJAX form data, despite my reference to a specific JavaScript plugin.
I'm trying to implement the FilePond uploader on a ColdFusion 2011 server, and I've got it configured well on the frontend (it uploads the files to tmp folder just fine), but my problem is not knowing how to get ColdFusion to process the extra metadata it sends along with it on every upload. This data doesn't look to me like it comes in the same format as plain old hidden input fields.
When I inspect the network request with Dev Tools, it looks different to me than other forms I've processed. There are two "filepond" entries, one a JSON object and the other the binary image. When I <cfdump var="#form.FilePond#">, I only get the tmp uploaded file path, which I can process. But how do I access the JSON in my screenshot containing the "parentid"? Nothing I've tried, like form.FilePond[1], seems to work; it throws errors.
Update with output from CF form processing page:
1st line is output of Form.FilePond.
2nd is cfdump of Form.
3rd is cfdump URL.
4th is cfdump of getHttpRequestData()
Update:
Bugs filed for CF2016 (core support ending for CF11 after April 2019)
CF-4204103 - FORM scope is missing values when same named fields include type=file
CF-4204102 - sameFormFieldAsArray setting doesn't work with enctype="multipart/form-data"
After some testing, I've concluded it's a ColdFusion bug.
Issue:
The issue seems to occur under these conditions
Request is a multipart/form-data POST
Contains multiple fields with the same name
At least 1 of those fields is a file field i.e. type="file"
The first field submitted (within the group) is NOT a file field
Under those conditions, ColdFusion seems to ignore everything before the first file field. (If you check the FilePond source, it confirms the metadata field is submitted before any file fields.) That's why the metadata value doesn't appear when dumping the FORM scope.
Note that the this.sameFormFieldsAsArray setting has no effect because it doesn't work with multipart/form-data requests.
Test Case
Below is a test case. Notice the results are what you'd expect when the same named field occurs after the first file field?
<cfdump var="#form#" label="Form scope">
<form method="post" enctype="multipart/form-data">
    <br>First:
    <input type="file" name="fileFirst"><br>
    <input type="text" name="fileFirst" value="Lions"><br>
    <br>Last:
    <input type="text" name="fileLast" value="Tigers"><br>
    <input type="file" name="fileLast"><br>
    <br>Middle:
    <input type="text" name="fileMiddle" value="Bears"><br>
    <input type="file" name="fileMiddle"><br>
    <input type="text" name="fileMiddle" value="Oh My"><br>
    <input type="submit">
</form>
Workaround
This blog provides a workaround using an undocumented feature of the FORM scope. Using form.getPartsArray() provides access to both "filePond" fields allowing you to extract the value of the dropped field. Not ideal, but does work until the issue is fixed.
Keep in mind this is an undocumented feature, so be sure to isolate the code for easier alterations in case Adobe alters or removes that function in the future (which they've done before, so fair warning!).
<cfscript>
    // dump raw form fields, including same-named ones the FORM scope drops
    for (part in form.getPartsArray()) {
        writeDump({ fieldName  = part.getName()
                  , isFile     = part.isFile()
                  , fieldValue = (part.isFile() ? part.getFileName() : part.getStringValue())
                  });
    }
</cfscript>
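To make the conditions above concrete, here is an added example (not from the answer, and not ColdFusion's parser) of a minimal multipart/form-data parser that keeps every part in submission order, so a text "filepond" part followed by a file part with the same name both stay retrievable; the boundary, field values and file bytes are constructed sample data.

```javascript
// Added example (not from the answer, and not ColdFusion's own parser): a minimal
// multipart/form-data parser that keeps every part in submission order, so both
// "filepond" parts (JSON metadata first, then the file) stay retrievable.
// BOUNDARY, the field values and the file bytes are constructed sample data.
const BOUNDARY = "----ExampleBoundary7MA4YWxk";
const SAMPLE_BODY = [
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="filepond"',
  "",
  '{"parentid":"42"}',
  `--${BOUNDARY}`,
  'Content-Disposition: form-data; name="filepond"; filename="photo.jpg"',
  "Content-Type: image/jpeg",
  "",
  "\xff\xd8\xff<fake jpeg bytes>",
  `--${BOUNDARY}--`,
  "",
].join("\r\n");

// Returns [{ name, isFile, filename, value }, ...], one entry per part, in order.
function parseMultipart(body, boundary) {
  // Leading CRLF lets the first boundary match the same "CRLF--boundary" delimiter.
  const chunks = `\r\n${body}`.split(`\r\n--${boundary}`);
  const parts = [];
  for (const chunk of chunks) {
    // chunks[0] is the empty preamble; "--..." is the closing delimiter.
    if (chunk === "" || chunk.startsWith("--")) continue;
    const raw = chunk.replace(/^\r\n/, "");
    const sep = raw.indexOf("\r\n\r\n");
    const headers = sep === -1 ? raw : raw.slice(0, sep);
    const value = sep === -1 ? "" : raw.slice(sep + 4);
    const disp = /name="([^"]*)"(?:;\s*filename="([^"]*)")?/.exec(headers);
    if (!disp) continue; // not a form-data part
    const filename = disp[2] === undefined ? null : disp[2];
    parts.push({ name: disp[1], isFile: filename !== null, filename, value });
  }
  return parts;
}

// Like walking form.getPartsArray() for one field name.
function partsNamed(parts, name) { return parts.filter((p) => p.name === name); }

// The metadata the question could not reach: the non-file "filepond" part.
function filepondMetadata(body, boundary) {
  const meta = partsNamed(parseMultipart(body, boundary), "filepond").find((p) => !p.isFile);
  return meta ? JSON.parse(meta.value) : null;
}
```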

Date Field Mask Not Working [duplicate]

This question already has an answer here:
JavaScript Date Format for ColdFusion Date Field
(1 answer)
Closed 8 years ago.
This is very frustrating. I am using cfinput datefield and mask="MM/DD/YYYY" and it's not working. If it is cfinput text and mask="MM/DD/YYYY" it works perfectly. I do not want to only have a textbox, though; I would like to keep the calendar that the date field gives you. The issue is that when they use the calendar it is in the correct format MM/DD/YYYY, but if the user just types the date into the textbox without using the calendar, the user can type whatever they desire (122334435), which obviously is unacceptable. Any ideas or workarounds anyone may be aware of?
Works:
<cfform name="foo">
    <cfinput
        type="text"
        name="test"
        validate="eurodate"
        mask="99/99/9999"
        validateat="onblur" />
    <input type="submit">
</cfform>
Does Not Work:
<cfform name="foo">
    <cfinput
        type="datefield"
        name="test"
        validate="eurodate"
        mask="MM/DD/YYYY"
        validateat="onblur" />
    <input type="submit">
</cfform>
I have added an answer to the other question that was originally opened regarding this same issue. I will post a bit here as well since users may find this question and not the other one. Or you could delete this question.
I believe the problem is that the mask attribute on the <cfinput type="datefield" ... code only works when using Flash forms - documentation reference.
I have emphasized the text from that documentation below:
Masking cfcalendar and datefield input
In the cfcalendar tag and the Flash format datefield input control, you use the following masks to determine the format of the output. You can use uppercase or lowercase characters in the mask:
...
The following pattern specifies that the Flash form sends the date selected using a datefield input control to ColdFusion as text in the format 04/29/2004:
<cfinput name="startDate" type="datefield" label="date:" mask="mm/dd/yyyy"/>
Since you are not using a Flash form the mask is not working for you. You could try switching to a regular <cfinput type="text" ... input and change your mask to something like "99/99/9999". That would give you the correct format but the user could still enter invalid dates so you would need additional code to catch that.
This is just another example of why using the built-in ColdFusion UI tags is not a good idea. They work for very simple examples but when you need more customization they fail you. You would be better off to use a JavaScript library (like jQuery) for client side validation. Adobe's own Ben Forta acknowledged this several years ago. And the ColdFusion-UI-the-Right-Way project was started because of this as well.
EDIT
On the other question that was posted Adam pointed out another reference in the ColdFusion documentation that reinforces my point. I have emphasized the text from that documentation below:
Masking input data
In HTML and Flash forms, the mask attribute controls the format of data that can be entered into a text field or that is selected in a datefield input control calendar. In HTML format, it does not prevent users from typing a date that does not follow the mask into a datefield input control. You can combine masking and validation on a field.

Passing two form variables in a single URL

I'm running the following form inside abc.cfm.
// Parameters Defined
<cfparam name="startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfform format="HTML" action="datedownload.cfm" method="get" >
<cfformgroup type="horizontal">
<cfinput type="dateField" name="startdate" width="100" value="#startdate#">
<cfinput type="dateField" name="enddate" width="100" value="#enddate#">
<cfinput name="submitApply" type="submit" value = "Apply">
<cfinput type="button" name="download" value="Download" onclick="window.location.href='datedownload.cfm?startdate=#form.startdate#&enddate=#form.enddate#path=http://abc.xyz.com/username/July30/datedownload.cfm'">
</cfformgroup>
</cfform>
Everything is printing fine with the following code in datedownload.cfm
Startdate: <cfdump var = "#startdate#">
End Date :<cfdump var = "#enddate#">
Except that, the Enddate is printing full path along with it as follows:
Startdate: 2013-06-20 End Date : 2013-07-29path=http://abc.xyz.com/username/July30/datedownload.cfm
How can I remove the stuff starting from path?
If I am reading this correctly, you are getting an error that startdate and enddate are not defined in the form scope when you try to load download.cfm. Since you are passing those variables to download.cfm as part of a query string (by submitting the form using GET), they would not be present in the form scope.
I can think of 2 quick and easy solutions:
First, you can change your reference to form.startdate and form.enddate to url.startdate and url.enddate respectively. Variables passed in as part of the query string (like when you do a GET) become part of the url scope, not the form scope (like when you do a POST).
Second, you can param the variables like this in download.cfm:
<cfparam name="url.startdate" default="#DateFormat(dateAdd('d',-40,now()), 'yyyy-mm-dd')#">
<cfparam name="url.enddate" default="#DateFormat(dateAdd('d',-1,now()), 'yyyy-mm-dd')#">
<cfparam name="form.startdate" default="#url.startdate#">
<cfparam name="form.enddate" default="#url.enddate#">
This will first param the values in the url scope to the same values you have in the page that displays the form, then it will param the same variable names in the form scope to the same value of the same variable names in the URL scope.
Use an ampersand before enddate instead of the question mark and add an ampersand before the path variable
window.location.href='Download.cfm?startdate=#form.startdate#&enddate=#form.enddate#&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm'
The simplest way to solve your problem is to get rid of the 2nd button. It is not necessary and will confuse not only you, but your users. Since your form method is "get" the two formfields will be part of the url scope which seems to be what you want.
Also, where are the form variables coming from in the value attributes of your two inputs?
What's wrong with using a form post? That's the way I prefer to do it. I also test the request type (POST versus GET) to ensure that the download file isn't bookmarkable.
You'll need to use javascript to get the dates in the web-based form, not ColdFusion. (The user will also need to have javascript enabled to use the form to use location.href.)
Give your form fields matching IDs and try the following:
window.location.href='Download.cfm?startdate='+ document.getElementById('startdate').value +'&enddate='+ document.getElementById('enddate').value +'&path=http://abc.xyz.com/<username>/Testing/Testing/Download.cfm';
I'd recommend not using CFForm tags since they require the /CFIDE/ directory, and it is currently recommended to be blocked:
Secure CFIDE Directory for ColdFusion
ColdFusion 9 Server Lockdown Guide (PDF)
ColdFusion 10 Server Lockdown Guide (PDF)
Make sure you perform date validation on the server-side. If you need client-side date validation, you can use HTML5 DOCType and the attributes type="date" & required or consider using the jQuery Validation plugin (preferable to CFForm validation).
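The missing "&" in the thread's onclick string is easiest to see, and to avoid, with a query string built by URLSearchParams; the following is an added example (not from the thread) that reproduces the symptom, builds the URL correctly, and adds the server-side date check the last answer recommends, using constructed dates, page name and path.

```javascript
// Added example (not from the thread): the "enddate" value swallows "path=..."
// because the query string was concatenated by hand without the "&" separator.
// URLSearchParams emits separators and percent-encoding, so the path value can
// no longer bleed into its neighbour. Page name, dates and path are constructed
// to match the thread's output.
function buildDownloadUrl(page, startdate, enddate, path) {
  const params = new URLSearchParams({ startdate, enddate, path });
  return `${page}?${params.toString()}`;
}

// The hand-built string from the question, kept to reproduce the symptom.
function brokenDownloadUrl(page, startdate, enddate, path) {
  return `${page}?startdate=${startdate}&enddate=${enddate}path=${path}`;
}

// What datedownload.cfm sees in its url scope: pairs split on "&", each on its first "=".
function urlScope(href) {
  return Object.fromEntries(new URLSearchParams(href.slice(href.indexOf("?") + 1)));
}

// Server-side check the thread recommends: yyyy-mm-dd shape and a real calendar
// date, so "2013-02-30" and a free-typed "122334435" are both rejected.
function isIsoDate(s) {
  const m = /^(\d{4})-(\d{2})-(\d{2})$/.exec(s);
  if (!m) return false;
  const [y, mo, d] = [+m[1], +m[2], +m[3]];
  const dt = new Date(Date.UTC(y, mo - 1, d));
  return dt.getUTCFullYear() === y && dt.getUTCMonth() === mo - 1 && dt.getUTCDate() === d;
}
```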

Cross Site Scripting with Hidden Inputs

My company gave me the task of resolving all security issues with a particular application. The security team reported a cross site scripting error. The error lies in the following input field:
<input type="hidden" name="eventId" value="${param.eventId}"/>
The report from security wasn't very detailed, but they say they can make a POST request to the page that has the above tag including the following malicious code:
eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
And that when the page reloads, it will have the following:
<input type="hidden" name="eventId" value=""><sCrIpt>alert(83676)</sCrIpt></value>
I am trying to "be the hacker" and show the vulnerability. But I can't figure out how they manage to get that script in there. I am guessing they include it as a URL parameter in the GET request for the form, but when I try to do it myself I get a 403 error. Does anyone know how the vulnerability can be shown?
I know there is a number of XSS questions on the site, but none seem to hit this topic.
So, I am not sure why, but my original hunch was correct. The script can be put on as a URL parameter. For some reason though, this was not working with our staging site. Only with running the application locally. I am not sure why, but this works (only locally):
http://localhost:8080/myUrl/MyAction.do?eventId=%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e
Doing that, you see an alert box pop up. I am planning to fix it using JSTL functions.
<%@ taglib uri="http://java.sun.com/jsp/jstl/functions" prefix="fn" %>
...
<input type="hidden" name="eventId" value="${fn:escapeXml(param.eventId)}"/>
Install the TamperData add-on in the Firefox browser, which lets you edit the data before submitting. It doesn't matter if it's in POST or GET.
By using this, hidden fields can be edited.
What you want to do to fix the problem, is to HTMLAttributeEncode the value before putting it inside the value-attribute. See OWASP ESAPI or MS AntiXSS for methods for doing HTML attribute encoding.
Seeing how the attack string is URL encoded, I think your guess about including it as a GET parameter seems reasonable.
I used the OWASP ESAPI API as the legacy jsp's didn't have JSTL available. This is what I used:
<input type="hidden" name="dataValue" value="<%=ESAPI.encoder().encodeForHTMLAttribute(dataValue)%>">
You can also use the API to filter request.Parameter() which I also needed, as in:
String userURL = request.getParameter( "userURL" );
boolean isValidURL = ESAPI.validator().isValidInput("URLContext", userURL, "URL", 255, false);
if (isValidURL) {
link
}
and:
String name = (String) request.getParameter("name");
name = ESAPI.validator().getValidInput("name ", name , "SafeString", 35, true);
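To show what the attribute encoding the answers recommend actually does to the reported string, here is an added example (not from the answers, and not ESAPI's or JSTL's code) that applies the OWASP attribute-encoding rule to the question's hidden-input template; the encoder and the detection check are stand-ins for encodeForHTMLAttribute / fn:escapeXml, not those libraries.

```javascript
// Added example (not from the answers, and not ESAPI's code): an attribute
// encoder following the OWASP rule of escaping every character outside
// [A-Za-z0-9] as an entity, applied to the hidden-input template from the
// question. PAYLOAD is the URL-encoded string the security team reported.
const NAMED = { "&": "&amp;", "<": "&lt;", ">": "&gt;", '"': "&quot;" };

function encodeForHTMLAttribute(value) {
  return String(value).replace(/[^A-Za-z0-9]/gu, (ch) =>
    NAMED[ch] || `&#x${ch.codePointAt(0).toString(16)};`);
}

// The JSP line from the question: encode=false is ${param.eventId},
// encode=true is ${fn:escapeXml(param.eventId)} / encodeForHTMLAttribute(...).
function renderHiddenInput(eventId, encode) {
  const v = encode ? encodeForHTMLAttribute(eventId) : eventId;
  return `<input type="hidden" name="eventId" value="${v}"/>`;
}

const PAYLOAD = decodeURIComponent("%22%3e%3csCrIpT%3ealert(83676)%3c%2fsCrIpT%3e");

// Detection check on the rendered markup: a single hidden input should open
// exactly one tag; any second "<letter" means the value broke out of its quotes.
function breaksOutOfAttribute(html) {
  return (html.match(/<[A-Za-z]/g) || []).length !== 1;
}

// What the browser hands back as the attribute's value after parsing, to show
// that encoding preserves the original eventId for the server round trip.
function decodeEntities(s) {
  const named = { amp: "&", lt: "<", gt: ">", quot: '"' };
  return s.replace(/&(#x([0-9a-f]+)|[a-z]+);/gi, (m, body, hex) =>
    hex !== undefined ? String.fromCodePoint(parseInt(hex, 16)) : (named[body] ?? m));
}
```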