Is there a opportunity to delete the div-container, which RoR creates ?
Input:
<%= form_for #user, :as => :user, :url => user_sign_in_path(#user) do |f| %>
<p>
Output:
<form accept-charset="UTF-8" action="/user/sign_in" class="new_user" id="new_user" method="post">
<div style="margin:0;padding:0;display:inline"><input name="utf8" type="hidden" value="✓" /><input name="authenticity_token" type="hidden" value="MT0OhRtfupZvi28m7bFN31JdZXyiFCGisbENml4cdcg=" /></div>
<p>
<div style="margin:0;padding:0;display:inline">
I don't want that!
It's normal that there are two hidden-text-inputs?
<input name="utf8" type="hidden" value="✓" /><input name="authenticity_token" type="hidden" value="MT0OhRtfupZvi28m7bFN31JdZXyiFCGisbENml4cdcg=" />
This is default behavior of form_for. Here's an official explanation for this:
HTML contains something extra: a div element with two hidden input
elements inside. This div is important, because the form cannot be
successfully submitted without it. The first input element with name
utf8 enforces browsers to properly respect your form's character
encoding and is generated for all forms whether their actions are
"GET" or "POST". The second input element with name authenticity_token
is a security feature of Rails called cross-site request forgery
protection, and form helpers generate it for every non-GET form
(provided that this security feature is enabled).
You can read more about this in the Security Guide.
Related
I've an aspx form with a form tag as below and this form tag contains some sensitive info with hidden fields
<form id="payment_confirmation" target="myFrame" action='https://testsecureacceptance.cybersource.com/embedded/pay' method="post"/>
<input type="hidden" name="access_key" value="sensitivevalue1">
<input type="hidden" name="profile_id" value="sensitivevalue2">
<input type="hidden" name="transaction_uuid" value="<% Response.Write(getUUID()); %>">
<input type="hidden" name="signed_field_names" value="sensitivevalue3">
<input type="hidden" name="unsigned_field_names" value="card_type,card_number,card_expiry_date">
<input type="hidden" name="signed_date_time" value="<% Response.Write(getUTCDateTime()); %>">
<input type="hidden" name="locale" value="en">
<input type="submit" id="submit" name="submit" value="Submit"/>
</form>
When i click "Submit" it successfully post the values and user is "redirected" into the "https://testsecureacceptance.cybersource.com/embedded/pay" form but those hidden fields values are exposed to users (when they inspect the page). I can encrypt them but is there any other way i can post values and redirect from backend where values will not be exposed to users?
Thanks
In short, no. Hidden fields are only hidden from view on the screen and will always be available be available when viewing the source of the page when you are using web forms like this. You can use the viewstate, which will encode the fields and make them harder to read, but if it is truly sensitive information, you will need to properly encrypt that information.
Hope that helps.
I am using Plone 4.3 and the diazo bootstrap theme and want to use the site-search-form to pass the searchterms including two search-options to another site (catalog) via get method.
To achieve this I have modified the plone.searchbox template and changed some content of it:
<div id="portal-searchbox"
i18n:domain="plone"
tal:define="navigation_root_url view/navigation_root_url;
search_input_id view/search_input_id;">
<form id="searchGadget_form" method="get" enctype="application/x-www-form-urlencoded" accept-charset="utf-8" action="http://www.thecatalogadress.net/opensearch">
<div class="LSBox">
<input name="LOCATION"
type="hidden"
value="HAGENBIB" />
<input name="SG1.SG.HAGENBIB:SGHagenvk"
type="hidden"
value="on" />
<input name="QUERY_alAL"
type="text"
size="18"
value=""
title="Finden"
class="searchField" />
<input class="searchButton"
type="submit"
value="search"
i18n:attributes="value label_search;" />
<div class="LSResult" id="LSResult"><div class="LSShadow" id="LSShadow"></div></div>
</div>
</form>
</div>
By now the search term is passed, but the two input-options are not introduced in the URL thus the query in the catalog doesn't work.
The result I need as URL is http://www.thecatalogadress.net/opensearch?LOCATION=HAGENBIB&SG1.SG.HAGENBIB:SGHagenvk=on&QUERY_alAL=test
As I am new to plone I wanted to ask for a hint, where to look at or what to change in order to add the two input-options to the URL.
I think you're probably forgetting to add the proper ZCML directives for the override on the template take place.
Take a look at this tutorial on Overriding Viewlets.
I am not a skilled programmer and I am building a site using a third party's CMS. I have created a <form> in order to gather information and send it to an external site. My code doesn't work. The reason I am told is that the site is built on ASP.NET and as the 'master'page already has a <form> element in it and <form> elements cannot be embedded inside one another; so what I've written will never work. I have been advised to look for a java based solution, but I'm at a loss.
My present code is pretty basic...
<form action="http://ExternalWebSite.com" method="post" id="subForm">
<label for="name">Name:</label><br /><input type="text" name="name" id="name" /><br />
<label for="Email">Email Address:</label><br /><input type="text" name="email" id="email" /><br />
<label for="Dog name">Your dog's name:</label><br /><input type="text" name="dogname" id="dogname" /><br />
<label for="Town where you live">Town where you live:</label><br /><input type="text" name="town" id="town" /><br />
<input type="submit" value="Subscribe" />
</form>
How can I make this execute without using the tag inside my html code?
ASP.NET web forms adds one <form runat="server"> in your application. Therefore, you can't nest forms, but you can get multiple forms through a hack, mentioned here.
You can make an ajax call (post in this case) too to that url
$.ajax({
type: "POST",
url: "http://ExternalWebSite.com",
data: { name: $("#name").val(), $("#email").val(), $("#dogname").val(), $("#town").val() },
success: function(result){
//here you handle what to do after the post
}
});
For further reference on how to use jquery go to: This link The most imortant here is the ajax called which is foinf to make a post the specified utl sending the named parameters,the success function which will receive anything you write on the response on the url you are calling, and the selectors $("#name").val() which means "give me the value of the element with the id name"
Cheers,
I have a problem with integrating Paypal Shopping Cart to my ASP.NET C# project.
The problem is that Paypal Shopping Cart is inside a FORM tag, so if I place that inside my server form tag it won't work.
It would look like this:
<body>
<form id="form1" runat="server">
<form target="_self" action="https://www.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_cart">
<input type="hidden" name="business" value="MySecretEmail#hidden.com">
<input type="hidden" name="display" value="1">
<input type="image" src="https://www.paypalobjects.com/en_US/i/btn/btn_viewcart_LG.gif" border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0" src="https://www.paypalobjects.com/en_US/i/scr/pixel.gif" width="1" height="1">
</form>
</form>
</body>
Is there any way I can prevent this from happening? I've search on google and here on Stackoverflow where I found this link: PayPal Name-Value Pair API Basics, but honestly, it doesn't make any sense to me since I'm not a programmer.
Thank you!
The simplest way to solve this problem is to use the PostBackUrl property of the asp:button. Using this method, the ASP generates your JavaScript to handle the external post.
This allows the rendering of the form to happen correctly and doesn't require any workaround. Remember that as your code is already in a form tag, your paypal items don't need to be wrapped in an extra tag.
e.g.
<input type='hidden' name='cmd' value='_cart'/>
<input type='hidden' name='upload' value='1'/>
<input type='hidden' name='business' value='business#business.com'/>
<input type='hidden' name='currency_code' value='aud'/>
<input type='hidden' name='item_number_1' value='item number_1'>
<input type='hidden' name='item_name_1' value='16x16 inch square canvas'>
<input type='hidden' name='amount_1' value='70'>
<input type='hidden' name='item_number_2' value='item number_2'>
<input type='hidden' name='item_name_2' value=' 48x20 rectangular canvas'>
<input type='hidden' name='amount_2' value='104'>
<asp:Button ID="Button1" PostBackUrl='https://www.paypal.com/cgi-bin/webscr' runat="server" />
Hope this helps.
Technically, your example isn't valid HTML. In the longer term, you might be best refactoring this code to remove your 'technical debt'. (See "must not contain other form elements" under element prohibitions on the W3C site for XHTML 1.0)
In the meantime, you could try submitting the nested form with jQuery.
1. Replace Submit Button
<button class="submit-button" id="submit-button">Submit Payment</button>
2. Amend Form Tag
<form id="nested-form" target="_self" action="https://www.paypal.com/cgi-bin/webscr" method="post">
3. Submit form using jQuery
<script type="text/javascript">
$('#submit-button').live('click',function() {
$('#nested-form').submit();
});
</script>
I haven't had a chance to test this, so please test and let me know if it works for you.
Here's a very easy method. It's what I use exclusively so I know with 100% certainty that it works.
Create a "false" image only PayPal button.
User clicks this button (it's just an image)
This image has an onclick method which calls a 2 line javascript function (see below)
Put your "real" PayPal button form at the end of your page AFTER the closing form tag.
Enclose it in a SPAN tag with style="display:none;"
Add ID="ppsubmit" to the "real" button's image input
When user click the false button, the onclick method calls a javascript function that does just 2 things ... a) changes span display to inline and b) automatically clicks the real PayPal button.
<form id="form1" runat="server">
<!-- Here's the image only "false" paypal button -->
<input type="image"
src="https://www.sandbox.paypal.com/en_US/i/btn/btn_subscribeCC_LG.gif"
border="0" name="submit" alt="PayPal - The safer, easier way to pay online!"
onclick="javascript:doPPform();" />
</form> <!-- this closes your asp.net form -->
<!-- Here's the hidden span with the real paypal button
at the bottom of your webpage -->
<span id="ppform" style="display: none;">
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post"
target="_top">
<input type="hidden" name="cmd" value="_s-xclick">
<input type="hidden" name="hosted_button_id" value="xxxxx">
<input id="ppsubmit" type="image"
src="https://www.sandbox.paypal.com/en_US/i/btn/btn_subscribeCC_LG.gif"
border="0" name="submit"
alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0"
src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"
width="1" height="1">
</form>
</span>
<!-- Here's the 2 line javascript code when the user clicks the "false" button -->
<script language="javascript" type="text/javascript">
function doPPform() {
document.getElementById("ppform").style.display = "inline";
document.getElementById("ppsubmit").click();
}
</script>
A quick solution would be to put the paypal form inside an iframe.
On the form element, change target="_parent" so it posts back to the parent page.
Why don't you make the page the payment form is on use a MasterPage that has the tag removed. I do this on all the sites and it works without problems.
I discovered the PayPal button problem before I discovered that it is an ASP.NET problem.
In the process of creating buttons and adding to my page, sometimes they would work and sometimes they would not. Then I would have 2 identical buttons and the second would work and the first would not. Remove the first and then the button that worked would not. To get to the point if I added a form tag before my PayPal button the Paypal button works.
<%-- simple form tag --%>
<form action="">
</form>
<form action="https://www.sandbox.paypal.com/cgi-bin/webscr" method="post">
<input type="hidden" name="cmd" value="_xclick">
<input type="hidden" name="business" value="hughet_1335403121_biz#yahoo.com">
<input type="hidden" name="lc" value="US">
<input id="iptItemName" type="hidden" name="item_name" value="testBuyNow">
<input type="hidden" name="amount" value="10.00">
<input type="hidden" name="currency_code" value="USD">
<input type="hidden" name="button_subtype" value="products">
<input type="hidden" name="no_note" value="0">
<input type="hidden" name="cn" value="Add special instructions to the seller">
<input type="hidden" name="no_shipping" value="2">
<input type="hidden" name="bn"
value="PP-BuyNowBF:btn_buynowCC_LG.gif:NonHosted">
<input type="image"
src="https://www.sandbox.paypal.com/en_US/i/btn/btn_buynowCC_LG.gif"
border="0" name="submit" alt="PayPal - The safer, easier way to pay online!">
<img alt="" border="0"
src="https://www.sandbox.paypal.com/en_US/i/scr/pixel.gif"
width="1" height="1">
</form>
I understand this a "hack fix", and I'm not sure why this works. Curious if this works for others.
im confused, the w3c validation service seems to be saying that asp.net cannot legally render a hidden field inside a form tag on the page, have a look at this ...
http://validator.w3.org/check?uri=http%3a%2f%2fmotcombegarage%2eco%2euk%2f
from what i can tell it seems to be saying that the following code sample is invalid markup WTF !!!
<html>
<head> ... header stuff ... </head>
<body>
<form method="post" action="" id="ctl01">
<div class="aspNetHidden">
<input type="hidden" name="ctl09_HiddenField" id="ctl09_HiddenField" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY1NzEyODQ1M2RkJPtW5VtaL7LPuSxnn1JM1yVnOeGAovb8b4b3KShHy4M=" />
<input type="hidden" name="__EVENTVALIDATION" id="__EVENTVALIDATION" value="/wEWAwKt17cxAr+s9MgFAqjXzJsHz7KyzLpZjYtTK89blY7GgKAElK/5syvVNn4h7rVehcQ=" />
</div>
... other code ...
</form>
</body>
</html>
This presents 2 problems for me if the code is in fact invalid:
This code is generated by the .net framework for handling postbacks so editing it could be a problem
i have no idea what the valid context for a form field should be (lolz)
Is this a bug or have i done something wrong ???
EDIT:
As pointed out by Peter O below I added the missing div tag in my markup ... comparing this to the markup that the validator uses shows that this div whilst present in the markup is apparently not worth validating ... so that kinda changes the question to ... why is it ignoring that div ? ...
Seems a bit odd that you can't put an input tag inside a form tag directly though ... surely thats the point of a form tag, to contain input tags ??
The only way I've seemed to get rid of the message, following the code on your homepage, is to assign a value to the first hidden input
<div class="aspNetHidden">
<input type="hidden" name="ctl09_HiddenField" id="ctl09_HiddenField" value="toverton" />
<input type="hidden" name="__EVENTTARGET" id="__EVENTTARGET" value="" />
<input type="hidden" name="__EVENTARGUMENT" id="__EVENTARGUMENT" value="" />
<input type="hidden" name="__VIEWSTATE" id="__VIEWSTATE" value="/wEPDwUKMTY1NzEyODQ1M2RkJPtW5VtaL7LPuSxnn1JM1yVnOeGAovb8b4b3KShHy4M=" />
</div>
In all liklihood, this is most likely a bug.
The INPUT elements should be placed within a DIV element, like this:
<form ... >
<div>
<input type="hidden" ... />
<input type="hidden" ... />
<input type="hidden" ... />
</div>
</form>