I have a Spring MVC based JSP page which uses Displaytag to display a set of data. In the form on the page, the user can select either, or both of two checkboxes to display which subset of the data they want to see (Set "O", set "Q", or "B" both.)
The form and the display work fine on the first page, but the Displaytag pagination links at the bottom of the table contain malformed URLs. The result is that when the user clicks a link to display a different page, the checkboxes are reset and the user always sees "Both O and Q" even if they only wanted to see "Q" (for example).
I have added this parameter to the form that Displaytag uses to generate these URLs (according to the Displaytag documentation) but the value in the generated URLs does not change.
The form entry (type="o"):
<input type="hidden" id="type" name="type" value="o">
The pagination URL (type="b" for both):
http://localhost:8080/searchmain.html?d-443691-p=3&endDate=&_stateQuote=on&type=b&stateOrder=true
Can anyone shed any light on this?
Does anyone know how the URL parameters are generated?
Found the answer - posting it here so hopefully it will help someone else.
Displaytag generates the URL parameters for its pagination using the parameters on your initial HTTP REQUEST, not the RESPONSE. So if you are depending on some updated parameters coming back (as was this case), then your paging will produce incorrect results. In this case, the two checkboxes on the page were being used to update the hidden "type" field which was then passed back in the response. Unfortunately, the paging URLs were updated with the "type" field from the REQUEST which still contained the previous un-updated value (example "B") instead of the new updated value "O".
Whatever values you are hoping to find in the URL will have to be on the HTTP REQUEST you pass in, you cannot expect to utilize anything from the RESPONSE.
Makes sense, it just took a while to find it.
If you want to see the actual code, it's in this routine in TableTag.java in the Displaytag source:
protected void initHref(RequestHelper requestHelper)
Related
Let's say I have a simple CRUD application with a form to add new object and edit an existing one. From a security point of view I want to defend against cross-site scripting. Fist I would validate the input of submitted data on the server. But after that, I would escape the values being displayed in the view because maybe I have more than one application writing in my database (some developer by mistake inserts unvalidated data in the DB in the future). So I will have this jsp:
<%# taglib prefix="esapi" uri="http://www.owasp.org/index.php/Category:OWASP_Enterprise_Security_API" %>
<form ...>
<input name="myField" value="<esapi:encodeForHTMLAttribute>${myField}</esapi:encodeForHTMLAttribute>" />
</form>
<esapi:encodeForHTMLAttribute> does almost the same thing as <c:out>, it HTML escapes sensitive characters like < > " etc
Now, if I load an object that somehow was saved in the database with myfield=abc<def the input will display correctly the value abc<def while the value in the html behind will be abc<def.
The problem is when the user submits this form without changing the values, the server receives the value abc<def instead of what is visible in the page abc<def. So this is not correct. How should I implement the protection in this case?
The problem is when the user submits this form without changing the values, the server receives the value abc<def instead of what is visible in the page abc
Easy. In this case HTML decode the value, and then validate.
Though as noted in a few comments, you should see how we operate with the OWASP ESAPI-Java project. By default we always canonicalize the data which means we run a series of decoders to detect multiple/mixed encoding as well as to create a string safe to validate against with regex.
For the part that really guarantees you protection however, you normally want to have raw text stored on the server--not anything that contains HTML characters, so you may wish to store the unescaped string, if only that you can safely encode it when you send it back to the user.
Encoding is the best protection for XSS, and I would in fact recommend it BEFORE input validation if for some reason you had to choose.
I say may because in general I think its a bad practice to store altered data. It can make troubleshooting a chore. This can be even more complicated if you're using a technology like TinyMCE, a rich-text editor in the browser. It also renders html so its like dealing with a browser within a browser.
I am new in servlets, I would like to display results in the very same page that I am on when I click a search button, then the results should be on the very same page, how can I achieve that without going to another JSP or if I am supposed to do it behind the scene moving to another without the user noticing that its another page, how do I make it seem as if its the same page with results on it. Any shed of light is highly appreciated.
You have to use javascript to receive the search results from the server. This technique is called ajax. Javascript libraries like jquery (or many others) can help you a lot with this.
Your form submits the search term to the current page, i.e. you can leave the form action attribute empty.
In your servlet check whether a search term has been submitted. If this is the case, execute your search function and write the result to the response.
You don't mention where you data is coming from, but that is fairly unimportant in this question. The data could come from a local variable, from DOM storage or have been served to you using AJAX. But here is an example of setting text data in a textarea element (there are nearly unlimited ways to format what you want, this is one example only). Dynamically changing your current page in this manner means that you do not need to navigate to another.
It works by getting a reference to the element by it's name ("data" in this case) using document.getElementById
We then set the element's content value to your data, and it is displayed in the textarea.
HTML
<input type="text"></input>
<div>
<textarea id="data"></textarea>
</div>
Javascript
var data = "Here is your data that was returned from your source";
document.getElementById("data").value = data;
On jsfiddle
I got a problem regarding request.getParameterMap()
In my jspx file multiply parameters are added when the user selects items out
of a table. now that i want to get them in my Controller
with request.getParameterMap(); it doesnt work with Firefox, Safari
but it works fine with chrome
anyone has an idea why it is so ?
thx for the replies .. the html form with the request parameters is build dynamicly at runtime using javascript, which seems to cause problems with widged based browsers like safari, firefox and most likely IE.
i will use ajax to get it work
The problem is not in the way that you are getting the parameter values from the map. It cannot be. The problem has to be in the HTML / Javascript / whatever that is creating the request on the client (browser) side.
It is most likely that you are doing something that is not strictly HTML (or whatever) compliant. Some browsers are treating it one way, and others another way. I suggest that you start by running an HTML validator over the page.
browser is not aware of request.getParameterMap() or any method in servlet api.
In your use case : you have a table of data , out of which user may select some rows and you need this data in server side for some action on those rows.
For eg : mark as read in GMAIL
select one or more rows in gmail and click ,mark as read will sent some request to google server and get those rows marked as read by user.
You can do it this way, you need to send primary key of your rows to server side with same parameter name
for eg: /delete?delId=1&delId=3&delId=7
and use request.getParameterValues() in server side to retrieve a list of ids to be deleted.
I'm trying to submit a form with a few textareas like this:
<textarea name="criticism[]" rows="3" cols="5"></textarea>
The textarea needs to have an array as the name because there can be an unlimited number of them on the page, added by the user with js.
The values are passed to the controller correctly.
In the controller I do params.flash() which seems to add the values to the seession, since if I do ${flash} in the template they are printed to the screen. However, I can't access them in any way. ${flash.criticism} returns null, and ${flash.criticism[x]} will return an out of bounds error.
Am I missing anything syntax wise?
Cheers :)
The flash scope is only available to the current request and the next one. To put something in the session use session.
However flash and session are not intended to store values. They are cookie limited to 4kb. To store something use the db and/or the cache
If you want to re-render your values in the next page, just pass the string array as a 'criticism' parameter to the next render method and use it in your template with ${criticism[x]}
At http://code.google.com/appengine/docs/java/urlfetch/usingjavanet.html some code is provided which makes POST request to a form where comments are submitted to that form.
I want to use similar code to make a POST request to a form that accepts data...But one major requirement is that when the form at "http://domain.com/submit.php" is to be submitted, it has a text field named "CAPTCHA" for which the relevant captcha is actually generated by "http://domain.com/captcha.php".
My question is, how to use HttpURLConnection to make a request to a form with 3 fields- "UserID" and "Password" and finally "Captcha" (which is generated by captcha.php)? I am particularly confused here with ref to the captcha, since each time a different captcha is generated... How do we know the value of this captcha, i.e. how do we display this captcha on screen, and then submit the form. Can we also track the response to such a submission?
I am new to Java, plus a total newbie to App Engine, so any help would be appreciated :)
Captchas are specifically designed to prevent people from doing the sort of thing you seem to be attempting to do.