I need to be able give users a link to my site with a parameter that will control their experience on the destination page, but, of course, Moqui does not allow parameters to be passed as a GET transaction. What are ways that I can work around that? It needs to be something that can be sent in an email, via sms and audibly.
An error message would be helpful know exactly what you are running into, but it sounds like the constraint to mitigate XSRF attacks.
The error message for this situation explains the issue and the recommended solution: "Cannot run screen transition with actions from non-secure request or with URL parameters for security reasons (they are not encrypted and need to be for data protection and source validation). Change the link this came from to be a form with hidden input fields instead."
You can pass URL parameters to screens to be used in code that prepares data for presentation, but not to transitions for code that processes input. The solution is to use a hidden form with a link or button to submit the form (that can be styled as a link or button or however you want). This is slightly more HTML than a plain hyperlink with URL parameters, but not a lot more and there are examples in various places in the Moqui itself.
If you are using an XML Screen/Form you can use the link element to do this with the #link-type attribute set to "hidden-form" or "hidden-form-link" (which just uses a hyperlink styled widget instead of a button styled one). If the #link-type attribute is set to "auto" (which is the default) it will use a hidden-form automatically if link goes to a transition with actions.
In plain HTML one possible approach looks something like this:
<button type="submit" form="UserGroupMemberList_removeLink_0">Remove</button>
<form method="post" action=".../EditUserGroups/removeGroup" name="UserGroupMemberList_removeLink_0">
<input type="hidden" name="partyId" value="EX_JOHN_DOE">
<input type="hidden" name="userGroupId" value="ADMIN">
</form>
Note that the button element refers to the form to submit, so can be placed anywhere in the HTML file and the form element can be placed at the end or anywhere that is out of the way (to avoid issues with nested forms which are not allowed in HTML).
Related
I am perfectly aware that I can sanitize innerHTML-bound data using:
<div innerhtml.bind="someData | sanitizeHTML"></div>
However, based on my observations, this sanitization only removes <script> tags. It doesn't protect the user from event-driven content such as:
"Hi! I am some HTML-formatted data from the server! <button onclick="getRekt();">Click me for butterflies!</button>"
Is there a better way to prevent ANY type of javascript or event callbacks from being rendered on the element?
The sanatizeHTML value converter is a very simple sanitizer, and only remove the scripts tags. See the code here.
You can create your own value converter with a more complex santizer. Check this answer for more details about how to sanitize html in a browser.
But don't forget to never trust the browser, if you can it's better to sanitize the html in the server side before to send it to the browser to display it.
I would have 10 bootstrap buttons on a single html page.
Each button opens a ootstrap modal filled with a html fragmen via an ajax request.
<div class="modal fade" id="myModal"></div>
$('#myModal').modal();
Should I create 10 different divs with 10 different ids? Or even 10 different instances?
var dialogInstance1 = new BootstrapDialog({
title: 'Dialog instance 1',
message: 'Hi Apple!'
});
or
should I create ONE dialog?
I would expect kind of caching problems when I open modal1, then just when I open modal2 I see still for some miliseconds modal1 html fragment from a prvious ajax request.
And how should I create those modals? The samples should this:
$('#myModal').modal();
and the instantiation? This is very confusing.
Can someone please share his experience how to approach with many bootstrap modals?
I would expect kind of caching problems when I open modal1, then just when I open modal2 I see still for some miliseconds modal1 html fragment from a prvious ajax request.
Assuming you're referring to data-remote's caching, you will probably be able to disable that in Bootstrap v3.2.0 (see https://github.com/twbs/bootstrap/pull/13183/ ).
However, I'd still recommend against using data-remote since it doesn't give you much control. It:
doesn't provide or easily let you do any error handling
doesn't give any "loading..." indication
forces you have to generate modal HTML on the server side (as opposed to, e.g., returning JSON from the server and using client-side templating)
IMO, you should:
include just one instance of the blank modal markup
setup your own click event handlers on the buttons that summon your modal
initiate the AJAX request in your click event handler
use client-side templating to generate a corresponding modal using the results of the request
use $(...).modal() or $(...).modal('show') (depends on how your templating works) to show the modal after the templating completes
I have a long form made up of multiple sections, each with its own questions. Each section can be saved independently with an <input type="submit" value="Save" /> button.
Each section is loaded dynamically into the page (and there are a variable number of sections).
Each form is authored separately as an Ajax.Begin() ajax form, but with dynamic loading of the forms it appears UnobstrusiveJavaScript will not bind the submit buttons and they perform a standard postback.
What is the simplest way to reconnect the ajax functionality of the submit buttons?
After checking the source of UnobstrusiveJavaScript (which is quite small) it leaves permanent event handlers using .on('submit') so it should just work with dynamically loaded pages.
Turns out the master form was missing the inclusion of UnobstrusiveJavaScript:
#Scripts.Render("~/bundles/jqueryval")
Worth checking fiddler when this sort of thing occurs :)
in a login page, i want to use sendKeys to password input
but the "sendkeys" doesn't work;
how should i do?
here is html
<fieldset class="txt" id="psd">
<label>password:</label>
<script type="text/javascript">
IntPassGuardCtrl("logpswd", "2", "chklogon()",Ipsdstyle");</script>
<span id="logpswd_pgc">
<embed id="logpswd" type="application/x-pass-guard" input0="0" class="psdstyle"></span>
<input name="LOG_PSWD" type="hidden" id="LOG_PSWD"> </fieldset>
someone said can use JNA ,but the partial i do not know much.
the password control can use mouse click,then focus on; and use the
keybord input infomation;
so i want to use mouse click the control,but use webdriver actions
doesn't work, do you have some ways to solve the problem?
Looks like your application uses an embeded object to capture the password field. Unfortunately, the web browser (and thus WebDriver) doesn't know how to interact with the field since its not standard.
However, there might be a chance to do what you need to do. It looks like your HTML includes a hidden input field that might be tied to the embeded object. The embeded object might just set the value of the (encrypted?) password in the input#LOG_PSWD element. If this is the case, you can use WebDriver's executeScript method to inject the value of the password.
I don't know what language bindings you use, but this is how you would write it in Ruby:
password = "some$3cretP#ssword"
hidden_password = #driver.find_element(:id => "LOG_PSWD")
#driver.execute_script("arguments[0].setAttribute(arguments[1], arguments[2])", hidden_password, "value", password)
Then try to login from there. More than likely the password text will not show up in the control itself since you are injecting it directly to the hidden input.
Give that a shot and let us know what happens. If you can give us more information about the embeded object, we might be able to find some other workarounds if this one doesn't work.
I am using a dijit.form.TextBox for a login form but cannot make browser-saved passwords appear in it like they would in a standard HTML input field.
Is there any way of doing this?
If I understand the question correctly, the problem you are running into is that the template of dijit.form.TextBox has autocomplete="off" hard-coded into the input field.
There seem to be some reasons behind this: http://bugs.dojotoolkit.org/ticket/9562
If you really wanted, you could easily override the template to make this driven by a widget attribute instead, and I've done so in the past. However, if I recall correctly, one browser or the other still won't "just work", possibly because the field gets inserted into the document dynamically and not as part of the initial page. Bottom line: your mileage may vary.
It doesn't seem to be well-documented, but look at the example in the tests directory. Simply use the normal input attributes for password obfuscation. Is that what you're talking about?
<input id="q23" type="password" name="password" class="medium"
dojoType="dijit.form.TextBox">