when attributes are used together with attribute of existing normal attribute and when used alone.
What's the difference..?
For example
<form action="#" th:action="#{/seedstartertermng}" th:object="${seedStarter}" method="post">
<form th:action="#{/seedstartertermng}" th:object="${seedStarter}" method="post">
above, when using action attribute with th:action,
Why do i have to write it twice similar attribute?
can't i use th:action alone?
Does second case using only th:action perform the same function as first case?
ps. Additionally, what is the role of the "#" character in the first sentence..?
Related
I'm currently working on a Spring MVC project where we are migrating all our jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. An example of this:
<form:form method="post" id="someForm" modelAttribute="${commandName}" htmlEscape="true" autocomplete="off">
<div class="form-group">
<input type="text" id="username" value="<c:out value='${inputValue}'/>"/>
<input type="password" id="password" />
<input type="submit" class="btn btn-lg btn-block-sm" value="<spring:message code="header.content.close"/>" tabindex="0" />
<input type="hidden" name="_eventId" value="continue"/>
</div>
</form:form>
This fits under the umbrella of output-escaping, which is something that happens on the server side when processing a template to render.
An example of an xss attack this prevents is if the user entered
<script>alert("gotcha");</script> for the username, and some arbitrary value for the password. The form will rerender with the entered username bound to the form. The htmlEscape="true" attribute in the form tag will cause this output to be escaped to mitigate xss. So the username field will contain <script>alert("gotcha");</script> when the bound form rerenders with the error, instead of the actually entered valid html
Is there a standard way to achieve this same functionality in thymeleaf?
A few possibilities I see:
This is already built into thymeleaf.
I'm aware that the spring thymeleaf package uses unbescape to perform output escaping on some attributes, for example SpringValueTagProcessor which I believe escapes output on th:value attributes. However, I'm not sure this is equivalent, and fear there may be security holes left unfilled if this was done in a way that only partially mitigates what the spring form htmlEscape fully mitigates.
If so, please explain how this covers the same cases that htmlEscape does.
There is an existing Spring / Spring MVC solution that is flexible enough to not rely on jsp.
If so, what?
There is a common solution to this for thymeleaf which involves some modification of the template parsing engine.
If so, please explain.
Here is a brief article to give you an idea of what I mean regarding the spring form behavior. Regarding this article, it appears that setting the defaultHtmlEscape to false globally in the web.xml only overrides the default value of HtmlEscapeTag, which appears to only work for spring tags. Thus I don't think the solution can be applied to thymeleaf.
I would appreciate any direction here.
Escaping of output text is done automatically if you use th:text. In rare cases, you can use th:utext if you want to use unescaped text, but you have to be aware of the security implications. See Process thymeleaf variable as html code and not text for some more info.
I ended up getting an answer on the GitHub discussions for the Thymeleaf project here, which I will summarize and clarify:
HTML escaping is built into Thymeleaf form elements by default.
This is evidenced by th:input processor source code. Note the use of getDisplayString which performs html output escaping via org.springframework.web.util.HtmlUtils
I went through and manually checked all the uses of getDisplayString where htmlEscape is false and can verify that in these cases, the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator).
See GitHub issue thymeleaf/thymeleaf-docs#84 for information regarding the docs being updated accordingly.
So since the form helpers arent included in laravel anymore. How do we call for a delete method with regular html forms? I can't find nothing about this, every example uses the form helpers..
thanks
Edit: It works using this:
<input name="_method" type="hidden" value="DELETE">
However, a little bit of explanation would be nice.
I have a form like
<form action="abc/1" method="post">
</form>
I want every time this form is submitted my URL remains same like suppose my current URL was
http://localhost/abc/1 after form submit it should be again
http://localhost/abc/1
but instead this it become
http://localhost/abc/1
http://localhost/abc/abc/1
http://localhost/abc/abc/abc/1 each time I press submit button in form.
its something related to URL schemes of mvc in code-igniter
The action of your form is relative to your current position.
If you are on http://example.com/contact and your form's action is set to contact/send the form well send to http://example.com/contact/contact/send Now, this would be easy fixed by either removing the contact/ part form the action attribute or by adding a / in the beginning of your action attribute, so the path is absolute - /contact/send.
Doing this in CodeIgniter should be relatively easy, as you can use the URL Helper to point to the correct URL's in your application.
<form action="<?php echo site_url('abc/1'); ?>" method="post">
</form>
This example will always point you to the page relative to your base_url and index_page settings in application/config/config.php.
In your case, mentioned in the comments, something along with <?php echo site_url('home/authenticateUser/' . $user_id); ?> would probably be the answer.
Try like
<form action="/abc/1" method="post">
</form>
or else you better to use site_url like
<form action="<?php echo site_url('abc/1');?>" method="post">
</form>
Changing the action from "abc/1" to "/abc/1" will work, but if you are building your app in a subdirectory, as is usually the case on a localhost development environment, this will revert to your htdocs folder, as opposed to your required folder.
I would recommend one of two options:
<form action="<?php echo base_url(abc/1); ?" method="post">
<?php form_open('abc/1')' ?>
Number 2 is the better one, as it works with CodeIgniter's CSRF functionality, and adds the base_url() automatically.
Hope this helps.
I have a legacy HTML form that I want to make into a Spring form. Do I need to switch all of the form tags to Spring form tags or could I mix and match them as I please?
In other words, something like this:
<form:form modelAttribute="mymodel" action="/somecontroller/someaction" method="post">
<input type="text" name="something" value="">
</form:form>
instead of this (using only Spring form tags):
<form:form modelAttribute="mymodel" action="/somecontroller/someaction" method="post">
<form:input path="something" />
</form:form>
You can use regular <input /> elements within a <form:form /> without any problems. This is the conventional way to add submit buttons to a Spring form.
See here for more information.
I am working with Spring MVC 2.5.
Oftentimes, I am only using one form in all my JSP. Now I need to add another form into the same JSP.
My question is, will Spring MVC still support the same lifecycle method whichever form I submit?
I mean, the same databinding, validation, errorhandling, form controller etc?
<div>
<form:form method="post" commandName="station">
</form>
</div>
<div>
<form:form method="post" commandName="fields">
</form>
</div>
The old-style controllers you're using can only support one command object, and therefore only one form, at a time. #Arthur's answer shows that you can't really put both forms on one page, because any given controller will only supply one form object, you'll never get both active at once.
If you want to do this, you're going to have to stop using the old-style controllers (which are obsolescent in Spring 2.5, and deprecated in Spring 3), and use annotated controllers, which are much more flexible. You can mix up your forms pretty much as complex you want.
Spring SimpleFormController just support one kind of Command object. So if you want to use two distinct Spring form into The same JSP, you have to create two SimpleFormController. And inside your JSP, do as follows to avoid some exception
<c:if test="${not empty station}">
<div>
<form:form method="post" commandName="station">
</form>
</div>
</c:if>
<c:if test="${not empty fields}">
<div>
<form:form method="post" commandName="fields">
</form>
</div>
</c:if>