Spring JSP form:input tag puts commas in int value - spring

Using Spring 2.5 tag library,
I have an Integer value in a command form that's rendered on my page using <form:input path="budget" htmlEscape="true" />
When the value is > 999, it renders the number as value="x,xxx" on the page. My validation isn't expecting the comma and rejects the value.
Is there a fix for the rendering, or do I need to fix the validation and parsing?

As usual, I was just being blind, and discovered that there was a custom property editor bound to the command form in the controller. It was causing the input field to render with commas.
That would have been fine, if there also wasn't a JavaScript validation that rejected the field for having commas in it.

Related

Migrate spring Form htmlEscape attribute behavior to Thymeleaf

I'm currently working on a Spring MVC project where we are migrating all our jsp files to thymeleaf. I'm aware that the spring form tag has an htmlEscape attribute that will escape user input when rendering, such as when the user submits an invalid form and the user input is rendered bound to the form. An example of this:
    <form:form method="post" id="someForm" modelAttribute="${commandName}" htmlEscape="true" autocomplete="off">
        <div class="form-group">
            <input type="text" id="username" value="<c:out value='${inputValue}'/>"/>
            <input type="password" id="password" />
            <input type="submit" class="btn btn-lg btn-block-sm" value="<spring:message code="header.content.close"/>" tabindex="0" />
            <input type="hidden" name="_eventId" value="continue"/>
        </div>
    </form:form>
This fits under the umbrella of output-escaping, which is something that happens on the server side when processing a template to render.
An example of an XSS attack this prevents is if the user entered <script>alert("gotcha");</script> for the username, and some arbitrary value for the password. The form will re-render with the entered username bound to the form. The htmlEscape="true" attribute in the form tag will cause this output to be escaped to mitigate XSS. So the username field will contain &lt;script&gt;alert(&quot;gotcha&quot;);&lt;/script&gt; when the bound form re-renders with the error, instead of the actually entered valid HTML.
Is there a standard way to achieve this same functionality in thymeleaf?
A few possibilities I see:
1. This is already built into Thymeleaf. I'm aware that the spring thymeleaf package uses unbescape to perform output escaping on some attributes, for example SpringValueTagProcessor which I believe escapes output on th:value attributes. However, I'm not sure this is equivalent, and fear there may be security holes left unfilled if this was done in a way that only partially mitigates what the spring form htmlEscape fully mitigates. If so, please explain how this covers the same cases that htmlEscape does.
2. There is an existing Spring / Spring MVC solution that is flexible enough to not rely on JSP. If so, what?
3. There is a common solution to this for Thymeleaf which involves some modification of the template parsing engine. If so, please explain.
Here is a brief article to give you an idea of what I mean regarding the spring form behavior. Regarding this article, it appears that setting the defaultHtmlEscape to false globally in the web.xml only overrides the default value of HtmlEscapeTag, which appears to only work for spring tags. Thus I don't think the solution can be applied to thymeleaf.
I would appreciate any direction here.
Escaping of output text is done automatically if you use th:text. In rare cases, you can use th:utext if you want to use unescaped text, but you have to be aware of the security implications. See Process thymeleaf variable as html code and not text for some more info.
I ended up getting an answer on the GitHub discussions for the Thymeleaf project here, which I will summarize and clarify:
HTML escaping is built into Thymeleaf form elements by default.
This is evidenced by the th:input processor source code. Note the use of getDisplayString, which performs HTML output escaping via org.springframework.web.util.HtmlUtils.
I went through and manually checked all the uses of getDisplayString where htmlEscape is false and can verify that in these cases either the output is HTML escaped before displaying (in the case of SpringErrorTagProcessor and SpringUErrorsTagProcessor), they don't output any content to escape (SpringSelectedValueComparator returns a boolean), or the expression is a bound object (SPELVariableExpressionEvaluator).
See GitHub issue thymeleaf/thymeleaf-docs#84 for information regarding the docs being updated accordingly.
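The protection the question and both answers rely on (htmlEscape="true" on the Spring form tag, th:value in Thymeleaf, HtmlUtils.htmlEscape underneath) comes down to HTML attribute encoding of the bound value before it is written back into the page. The following is an added example in Python, not code from Spring or Thymeleaf, that renders the question's sample username both unescaped and escaped and then reads the value attribute back the way a browser tokenizer would; the renderer names, the regex-based attribute reader and the sample input are this example's own assumptions.

```python
import html
import re

# Constructed sample input: the username from the question above, submitted
# through the form and re-rendered into the bound form after a validation error.
SUBMITTED_USERNAME = '<script>alert("gotcha");</script>'


def render_input_unescaped(value: str) -> str:
    """Unsafe rendering: the bound value is copied verbatim into the value
    attribute, so a double quote in it ends the attribute and the rest of the
    input becomes live markup (reflected XSS)."""
    return f'<input type="text" id="username" value="{value}"/>'


def render_input_escaped(value: str) -> str:
    """Escaped rendering, the effect of htmlEscape="true" on a Spring form tag
    or of th:value in Thymeleaf: &, <, >, " and ' are replaced by entities, so
    the value can neither close the attribute nor open a tag."""
    return f'<input type="text" id="username" value="{html.escape(value, quote=True)}"/>'


def value_attribute(markup: str) -> str:
    """Read the value="..." attribute the way a browser tokenizer does: the
    attribute ends at the first raw double quote, whatever follows it."""
    match = re.search(r'value="([^"]*)"', markup)
    return match.group(1) if match else ""


def round_trips(value: str, renderer) -> bool:
    """True when the user would see exactly the string that was bound, i.e.
    decoding the attribute the browser parsed gives back the original value."""
    return html.unescape(value_attribute(renderer(value))) == value


def opens_script_tag(markup: str) -> bool:
    """Crude detector for the injected element: a raw <script> start tag in the
    rendered output means the value broke out of the attribute."""
    return "<script" in markup.lower()


if __name__ == "__main__":
    for renderer in (render_input_unescaped, render_input_escaped):
        out = renderer(SUBMITTED_USERNAME)
        print(renderer.__name__)
        print("  markup     :", out)
        print("  attribute  :", value_attribute(out))
        print("  round-trips:", round_trips(SUBMITTED_USERNAME, renderer))
        print("  <script>?  :", opens_script_tag(out))
```

The unescaped renderer loses everything after the first quote of the bound value and leaves a bare script element in the page; the escaped renderer keeps the whole value inside the attribute and it decodes back to the exact string the user typed, which is the property the question's "partially mitigates" worry is really about. The same check applies to any other bound value that contains quotes, angle brackets or ampersands.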

kendo ui, angular require validation for numeric text box

I am trying to use a kendo numeric text box with angular validation (ng-required) however I'm not able to get it working. The ng-required attribute on this element has no effect on the form validation status.
From my understanding, the reason why this doesn't work is because the kendo numeric text box uses k-ng-model to store its value, whereas the angular validation works only with ng-model.
Has anyone else seen this issue, are there any workarounds?
I have found a workaround that involves using the kendo-numeric-text-box along with a hidden input field which makes use of ng-model.
    <input data-kendo-numeric-text-box data-k-ng-model="numValue"/>
    <input type="hidden" data-ng-model="numValue" data-ng-required="true" />

consistent (un)capitalization of labels in rendering of form fields

My graphic design requires all fields in HTML forms to be lowercase. Example:
    <tr><th><label for="id_pressure_Hg">pressure Hg</label></th><td><input id="id_pressure_Hg" type="text" name="pressure_Hg" /></td></tr>
Django forms, however, by default capitalize the first letter of my labels. Since I have a lot of fields and many forms are created from a model (through a ModelForm), the "label" attribute is not a viable solution.
Is there a way to modify the function which translates field names into field labels?
You can try this. Example:
In your forms.py:
    value = forms.CharField(label=u'', widget=forms.TextInput())
In your HTML file:
    <ul>
    <li>value Value : {{form.value}}</li>
    </ul>
You can modify form.value in your CSS or jQuery. It has these attributes as an input in HTML: id=id_value and name=value.

ci_csrf_token was set to " onmouseover=prompt(XSS) bad="

I used the ci_csrf_token hidden field in my forms, but every form in my script gets an alert from Acunetix Web Vulnerability Scanner.
Alert details:
Cookie input ci_csrf_token was set to " onmouseover=prompt(965267) bad="
The input is reflected inside a tag element between double quotes.
In the view source:
    <input type="hidden" name="ci_csrf_token" value="\\" onmouseover=prompt(965267) bad=\"" />
Can anyone help me to solve it?
You need to HTML attribute encode the token before you put it into the hidden field. Do you add it to the form on the client side or the server side? If you do it on the server side, you may want to do input validation to make sure the token is in the expected format.
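The answer names two separate controls: validate the token's format on the server before trusting a cookie value, and attribute-encode whatever is written into the hidden field. The following is an added example in Python, not CodeIgniter's CSRF code, that applies both to the scanner's cookie value from the question; the 64-hex-character token format, the function names and the request flow are this example's own assumptions.

```python
import hmac
import html
import re
import secrets

# Constructed sample: the cookie value the scanner in the question injected.
SCANNER_PAYLOAD = '" onmouseover=prompt(965267) bad="'

# Assumed token shape for this example: 32 random bytes rendered as 64
# lowercase hex characters. Anything else is not a token this server issued.
TOKEN_RE = re.compile(r"[0-9a-f]{64}")


def new_csrf_token() -> str:
    """Issue a fresh token from the OS CSPRNG."""
    return secrets.token_hex(32)


def is_well_formed(token) -> bool:
    """Server-side input validation: accept only the exact format we issue."""
    return isinstance(token, str) and TOKEN_RE.fullmatch(token) is not None


def tokens_match(submitted, expected) -> bool:
    """Compare submitted and expected tokens in constant time, after both
    sides have passed the format check."""
    if not (is_well_formed(submitted) and is_well_formed(expected)):
        return False
    return hmac.compare_digest(submitted, expected)


def attribute_encode(value: str) -> str:
    """Encode for a double-quoted HTML attribute: & < > " and ' become entities,
    so the value cannot terminate the attribute it is placed in."""
    return html.escape(value, quote=True)


def render_csrf_field(token: str) -> str:
    """Render the hidden field. The format check already rules out a breakout;
    the attribute encoding stays as defence in depth."""
    if not is_well_formed(token):
        raise ValueError("refusing to render a malformed CSRF token")
    return f'<input type="hidden" name="ci_csrf_token" value="{attribute_encode(token)}" />'


def token_for_response(cookie_token) -> str:
    """Choose the token to embed in the page. A missing or malformed cookie is
    replaced with a new token instead of being echoed back into the markup."""
    if is_well_formed(cookie_token):
        return cookie_token
    return new_csrf_token()


def handle_get(cookie_token):
    """Constructed request flow: returns (field markup, token to set as cookie)."""
    token = token_for_response(cookie_token)
    return render_csrf_field(token), token


if __name__ == "__main__":
    field, token = handle_get(SCANNER_PAYLOAD)
    print("scanner payload accepted as token:", is_well_formed(SCANNER_PAYLOAD))
    print("rendered field:", field)
    print("payload, attribute encoded:", attribute_encode(SCANNER_PAYLOAD))
```

With the format check in place the scanner's cookie value never reaches the template at all; the encoding step shows what the page would contain if it did, which is a harmless string of entities rather than a new attribute. Keeping both is cheap and means a later change to where the token comes from does not silently reopen the reflection.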

spring validation: cleanest way to mark up accompanying labels of the validated input

I'm validating the input field that's bound to path. I'm using hibernate-validator 4 for this.
Now I'd like to highlight the age label so it pops out of the page (bold, red colour etc.).
However I'm wondering what the cleanest way to do this is.
<spring:hasBindErrors name="*"/> seems to be for the whole form object instead of for a specific field. Any input is appreciated.
Spring provides special JSP tags for forms, which support this task (highlighting in case of error):
For example this JSP:
    ...
    <%@ taglib prefix="form" uri="http://www.springframework.org/tags/form" %>
    ...
    <form:form method="post" commandName="myCommand">
        <form:input path="name"
                    cssClass="normalLayout"
                    cssErrorClass="normalLayout error"/>
        <form:errors path="name"
                     cssClass="errorMessage"/>
    </form:form>
    ...
In this case the input field uses the CSS class "normalLayout" if everything is ok, and the CSS classes "normalLayout" and "name" if there is a validation error for the field.
form:errors is there to print the error message generated during validation.
See http://static.springsource.org/spring/docs/3.0.x/spring-framework-reference/html/view.html#view-jsp-formtaglib