Consider this form:
<form action="http://www.blabla.com?a=1&b=2" method="GET">
<input type="hidden" name="c" value="3" />
</form>
When submitting this GET form, the parameters a and b are disappearing.
Is there a reason for that?
Is there a way of avoiding this behaviour?
Isn't that what hidden parameters are for to start with...?
<form action="http://www.example.com" method="GET">
<input type="hidden" name="a" value="1" />
<input type="hidden" name="b" value="2" />
<input type="hidden" name="c" value="3" />
<input type="submit" />
</form>
I wouldn't count on any browser retaining any existing query string in the action URL.
As the specifications (RFC1866, page 46; HTML 4.x section 17.13.3) state:
If the method is "get" and the action is an HTTP URI, the user agent takes the value of action, appends a `?' to it, then appends the form data set, encoded using the "application/x-www-form-urlencoded" content type.
Maybe one could percent-encode the action-URL to embed the question mark and the parameters, and then cross one's fingers to hope all browsers would leave that URL as it (and validate that the server understands it too). But I'd never rely on that.
By the way: it's not different for non-hidden form fields. For POST the action URL could hold a query string though.
In HTML5, this is per-spec behaviour.
See Association of controls and forms - Form submission algorithm.
Look at "4.10.22.3 Form submission algorithm", step 17. In the case of a GET form to an http/s URI with a query string:
Let destination be a new URL that is equal to the action except that
its <query> component is replaced by query (adding a U+003F QUESTION
MARK character (?) if appropriate).
So, your browser will trash the existing "?..." part of your URI and replace it with a new one based on your form.
In HTML 4.01, the spec produces invalid URIs - most browsers didn't actually do this though...
See Forms - Processing form data, step four - the URI will have a ? appended, even if it already contains one.
What you can do is using a simple foreach on the table containing the GET information. For example in PHP :
foreach ($_GET as $key => $value) {
$key = htmlspecialchars($key);
$value = htmlspecialchars($value);
echo "<input type='hidden' name='$key' value='$value'/>";
}
As the GET values are coming from the user, we should escape them before printing on screen.
You should include the two items (a and b) as hidden input elements as well as C.
I had a very similar problem where for the form action, I had something like:
<form action="http://www.example.com/?q=content/something" method="GET">
<input type="submit" value="Go away..." />
</form>
The button would get the user to the site, but the query info disappeared so the user landed on the home page rather than the desired content page. The solution in my case was to find out how to code the URL without the query that would get the user to the desired page. In this case my target was a Drupal site, so as it turned out /content/something also worked. I also could have used a node number (i.e. /node/123).
If you need workaround, as this form can be placed in 3rd party systems, you can use Apache mod_rewrite like this:
RewriteRule ^dummy.link$ index.php?a=1&b=2 [QSA,L]
then your new form will look like this:
<form ... action="http:/www.blabla.com/dummy.link" method="GET">
<input type="hidden" name="c" value="3" />
</form>
and Apache will append 3rd parameter to query
When the original query has array, for php:
foreach (explode("\n", http_build_query($query, '', "\n")) as $keyValue) {
[$key, $value] = explode('=', $keyValue, 2);
$key = htmlspecialchars(urldecode($key), ENT_COMPAT | ENT_HTML5);
$value = htmlspecialchars(urldecode($value), ENT_COMPAT | ENT_HTML5);
echo '<input type="hidden" name="' . $key . '" value="' . $value . '"' . "/>\n";
}
To answer your first question yes the browser does that and the reason is
that the browser does not care about existing parameters in the action URL
so it removes them completely
and to prevent this from happening use this JavaScript function that I wrote
using jQuery in:
function addQueryStringAsHidden(form){
if (form.attr("action") === undefined){
throw "form does not have action attribute"
}
let url = form.attr("action");
if (url.includes("?") === false) return false;
let index = url.indexOf("?");
let action = url.slice(0, index)
let params = url.slice(index);
url = new URLSearchParams(params);
for (param of url.keys()){
let paramValue = url.get(param);
let attrObject = {"type":"hidden", "name":param, "value":paramValue};
let hidden = $("<input>").attr(attrObject);
form.append(hidden);
}
form.attr("action", action)
}
My observation
when method is GET and form is submitted, hidden input element was sent as query parmater. Old params in action url were wiped out. So basically in this case, form data is replacing query string in action url
When method is POST, and form is submitted, Query parameters in action url were intact (req.query) and input element data was sent as form data (req.body)
So short story long, if you want to pass query params as well as form data, use method attribute as "POST"
This is in response to the above post by Efx:
If the URL already contains the var you want to change, then it is added yet again as a hidden field.
Here is a modification of that code as to prevent duplicating vars in the URL:
foreach ($_GET as $key => $value) {
if ($key != "my_key") {
echo("<input type='hidden' name='$key' value='$value'/>");
}
}
Your construction is illegal. You cannot include parameters in the action value of a form. What happens if you try this is going to depend on quirks of the browser. I wouldn't be surprised if it worked with one browser and not another. Even if it appeared to work, I would not rely on it, because the next version of the browser might change the behavior.
"But lets say I have parameters in query string and in hidden inputs, what can I do?" What you can do is fix the error. Not to be snide, but this is a little like asking, "But lets say my URL uses percent signs instead of slashes, what can I do?" The only possible answer is, you can fix the URL.
I usually write something like this:
foreach($_GET as $key=>$content){
echo "<input type='hidden' name='$key' value='$content'/>";
}
This is working, but don't forget to sanitize your inputs against XSS attacks!
<form ... action="http:/www.blabla.com?a=1&b=2" method ="POST">
<input type="hidden" name="c" value="3" />
</form>
change the request method to' POST' instead of 'GET'.
Related
I'm building my first web app in Java. I came across this problem. When I have a get attribute like ?page=2 correctly submitted it goes missing after calling another get request. How can I keep the first one and append another one? Here are pics that help clear out my question
Before
After
Desired
Here are code snippets of my forms in .jsp page. This is used to sort the table with passing a column name:
<form action="GetUsersServlet" method="get">name
<input type="hidden" name="column" value="name">
<button class="sort" type="submit"></button>
</form>
How can I append the value to existing ?page=x attribute?
Use URLSearchParams method set on event click and set window.location.search to parsed params.
document.querySelector("button").onclick = () => {
const urlParams = new URLSearchParams(window.location.search);
urlParams.set("page", 2)
window.location.search = urlParams.toString()
}
I would like to know how can I solve this problem, let me explain: I want to create a search bar and send the user to a jsp view with the results. I created in my controller the next method :
#RequestMapping(value = "/search={productName}", method = RequestMethod.GET)
public ModelAndView getProducteByName(#PathVariable("productName") String productName) {
ModelAndView modelview = new ModelAndView("/productSearch");
List productsByName = productService.getProductByName(productName);
modelview.addObject("productsByName", productsByName );
return modelview;
And I have a form in a jsp file like this:
<!-- Search form -->
<form class="form-inline md-form form-sm mt-0" method="get" >
<i class="fas fa-search" aria-hidden="true"></i>
<input class="form-control form-control-sm ml-3 w-75" type="text" placeholder="Search" name="search"
aria-label="Search">
</form>
The problem is when I put anything to search in the bar search, it works put it puts me a ? in the url, so the controller doesn't understand the requestMapping.
Example: http://localhost:8080/projectbotigabio/search=potato
and it puts me: http://localhost:8080/projectbotigabio/?search=potato
I've tried a lot of things, including trying to putting as a method "post" instead of "get", but it doesn't work... any solution?
Web browsers only support 3 kinds of form submission:
method="get"
Every form value is added to the URL using ?name=value&name=value&...
method="post"
Every form value is added to POST with content type application/x-www-form-urlencoded and content name=value&name=value&...
method="post" enctype="multipart/form-data"
The POST request has content type multipart/form-data, and the content is a multipart with each part being a form value.
Web browsers cannot build the URL you want, so you have to do it yourself, i.e. prevent the web browser from sending the POST request, and send your own request using Ajax. If that's what you want, put on your learning hat and start studying how that works.
I recommend that you stop trying to use a non-standard URL syntax, and use the standard GET processing.
Either way, I suggest you learn more about how HTML forms work, before you try deviating from the standards any further.
I am researching jmeter and I have a question.
My first question: in case : (github )
input autocapitalize="off" autocorrect="off" autofocus="autofocus" class="form-control input-block" id="login_field" name="login" tabindex="1" type="text"
input class="form-control form-control input-block" id="password" name="password" tabindex="2" type="password"
In case the website don't have field "name", how can I pass the param to website ? can we use css or xpath to pass the param to website ?
My second question:
How to test the response value from the site ? (from the picture the response data not right, still on login page)
Thanks for reading and supporting me to correct this ...
As per HTML Forms article
The Name Attribute
To be submitted correctly, each input field must have a name attribute.
Actually you should't worry about HTML markup, JMeter acts on protocol level and provides record-and-replay functionality. See Apache JMeter Proxy Step by Step for configuration instructions.
You can use Response Assertion to add a check whether response is still login page or not. For example if the user is logged in - he shouldn't see username input any more. See How to Use JMeter Assertions in Three Easy Steps article for more information on conditionally failing JMeter samplers.
how to get button id from jsp to servlet instead of getting the button value
<input id="${section.id}" type="submit" name="submit" value="Edit">
how to get that id in servlet?
You can't that id is for client side use only. You will need to set the name or value to match the id of the element.
Alternatively as a workaround you could create a hidden input field that contains the id value by adding something like this to your JSP:
<input type="hidden" name="submit_id" value="${section.id}" />
This will then be available in the servlet upon form submit under the submit_id parameter.
String submitId = (String)request.getParameter("submit_id");
The only way you would be able to do that is by intercepting the form submit using javascript and setting the id as an extra post/get parameter.
the only way is make a javascript function that change your button value for the id , but i dont know why you want to do that, you could use a hidden input to send the data in the form
<input type="hidden" name="id" value="the_id_number" />
You cannot get any button id value to servlet. When a request from browser is submitted, all the input fields(input tag) will be transferred to server.The value of each input attribute can be accessed using the name of that field.All other fields like id, class etc are used for css and JavaScript functionalists.You should not design to pass the button id to server side.Think of other methods like hidden input fields
This is probably due to my misunderstanding and incomplete information of JSP and JSTL. I have a web page where I have input elements such as
<input name="elementID" value="${param.elementID}"/>
When I am trying to save the form, I check for that elementID and other elements to conform to certain constraints "numeric, less than XXX". I show an error message if they don't. All the parameters are saved and user does not need to type it again after fixing the error.
After saved, when I am redirecting to the same page for the object to be edited, I am looking a way to set the parameter like request.setParameter("elementID",..) Is there a way to do this ? However the only thing I can find is request.setAttribute.
HTTP responses does not support passing parameters.
JSP/Servelets allows you to either use request.setAttribute or session.setAttribute for that purpose. Both methods are available when processing the page you're redirecting to, So basically, you got it right...
Also, from what you describe, you may want to check client-side validation: don't submit the form until you're validating it using client-side scripting (javascript)
After the servlet processes the form, (ie. saves the user input in the database), have the servlet forward (not redirect, because that would lose the request params) the request to the same jsp which contains the form. So there is no need to set the params since the servlet is just passing back the same request object.
The jsp which contains the form should have inputs similar to this:
<form>
...
<input type="text" value="${elementid}"/>
...
</form>
The syntax ${varname} is EL. So if the elementid already has a value, it that textfield will contain that value. Alternatively if you have not used EL and/or JSTL, you use scriptlets (but that is highly unadvisable, EL and/or JSTL should be the way):
<form>
...
<input type="text" value="<%= request.getParameter("elementid") %>"/>
...
</form>
I had to include <%# page isELIgnored="false"%> to my jsp to allow code like ${elementid} to work