I have a PDF form, into which I want to fill a password generated in JavaScript, so that the user can print it. The password is sensitive and may not be sent to the server, so this has to happen in client-side JavaScript. In this post it is possible using Adobe Acrobat.
The idea is that one creates a pre-filled form with a unique value, and then replaces that value using simple search and replace in JavaScript when generating the final PDF for displaying to the user.
Since I do not own Acrobat, I thought I would try it with Scribus.
I generated a test form in Scribus and gave it the prefilled value %HELLO%. But looking at the resulting PDF, I do not see that I can replace the %HELLO% value by the password with simple text replacement.
It turns out that while this post already gives the answer in the code, it does not explain it.
The value of TextField has to be converted to a sequence of hex-encoded unicode characters (so each 4 digits) and it has to start with "fffe". Using this string, one can do the search and replace in the pdf document.
The code also updates the "xref" in the PDF, which one has to do when the length of the PDF changes (or some elements are positioned differently in the file). Since I did not change the length of the value of the TextField, I did not have to do that.
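The same-length replacement described above, as an added example that is not part of the original post. It works on the raw bytes so binary streams in the file are not altered, and it leaves whatever marker precedes the value untouched; the function names and the sample fragment are constructed for illustration.

```javascript
// Each UTF-16 code unit becomes four hex digits, as the post describes.
function hexUtf16(text) {
  let out = "";
  for (let i = 0; i < text.length; i++) {
    out += text.charCodeAt(i).toString(16).padStart(4, "0");
  }
  return out;
}

// Offsets where the ASCII hex string occurs in the raw bytes. Hex digit case
// is ignored because PDF writers differ on it.
function findHex(bytes, hex) {
  const lo = hex.toLowerCase(), up = hex.toUpperCase(), hits = [];
  for (let i = 0; i + hex.length <= bytes.length; i++) {
    let j = 0;
    while (j < hex.length &&
           (bytes[i + j] === lo.charCodeAt(j) || bytes[i + j] === up.charCodeAt(j))) j++;
    if (j === hex.length) hits.push(i);
  }
  return hits;
}

// Overwrite the placeholder in a copy of the PDF bytes. The secret must have
// the same number of UTF-16 code units, so no byte offset in the file moves
// and the xref table stays valid.
function fillPlaceholder(pdfBytes, placeholder, secret) {
  if (secret.length !== placeholder.length) {
    throw new RangeError("secret must be exactly as long as the placeholder");
  }
  const hits = findHex(pdfBytes, hexUtf16(placeholder));
  if (hits.length === 0) throw new Error("placeholder not found in PDF");
  const out = pdfBytes.slice();
  const hex = hexUtf16(secret);
  for (const at of hits) {
    for (let k = 0; k < hex.length; k++) out[at + k] = hex.charCodeAt(k);
  }
  return out;
}

// Constructed sample: a field value fragment, marker prefix as given in the post.
const SAMPLE_PDF = Uint8Array.from(
  "/T (pw) /V <fffe" + hexUtf16("%HELLO%").toUpperCase() + ">",
  (c) => c.charCodeAt(0)
);
```

Because the password never leaves the Uint8Array, the filled copy can be handed to the viewer through a Blob URL without any request to the server.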
Related
I would like to create an order number (following) in the header, which would be created automatically each time the customer opens the file. Can I achieve this by using some functions in JS, or another way? In the attached screen this number should be generated on each opening of the file.
I presume that you are using Acrobat Pro to create the PDF form.
The quick and easy way to do this is to auto generate an order number based on the current date and time. Create a text field in your form (I've called mine "ordernumber"), double click it and go to the calculate tab then insert the following two lines into the custom calculation script box:
f = this.getField("ordernumber");
f.value = util.printd("yyyy/ddmm/hhmmss", new Date());
This will give you a unique order code (unless someone creates two orders in the same second!). You can change around the year (yyyy), day (dd), etc to make something that you like as a format.
If the order number needs to conform to an existing format or align with other systems then you would need to get the PDF to access an external database or something like that which would be a bit more complicated and beyond my knowledge.
It depends on whether your order number has to be unique only, or whether order numbers have to be consecutive.
In the first case, #Chris' answer pretty much gives the solution; you may be fiddling around with the base data, but that's it.
If the number has to be consecutive, there is a possibility if the use of the form can be limited to one single computer. In this case, you would create a Persistent Global Variable (which is a variable that is written back to the system, and can be reused the next time you open the document). See Acrobat JavaScript documentation for code samples. When you open the document, you read in that number, increment it and feed it into your order number field, and write it back.
If the number has to be consecutive, and the order form is used by several users, you will have to maintain the order number externally (which means, on a server). In this case, it might be even better to have a server-side order management, where the user may enter some base data, and then gets the prefilled order form made available.
I'm using mustache to escape user data before displaying it in html via javascript.
However, when I use it to display their data in form input fields (pre populating the form after retrieving their user data from the server via AJAX), it displays entities instead.
eg
Shaun's place
displays as
Shaun&#39;s place
I'd use the three bracket trick in Mustache, but doesn't that mean the data won't be escaped, therefore making the page vulnerable?
the data stored in MySQL is user profiles.
when I get it back from the server, I run the data through the following mustache code before saving it in a local object - the idea being I don't have to keep running it through multiple lots of mustache each time I want to display it in various places on the site. So here's an example of one of the keys, location, being processed:
var t="{{x}}",o={x:serverObjectReturn.location},x=Mustache.render(t, o);
localUserDataObject.location=x;
not 100% sure what you mean by content-type - I'm using AJAX calls, and sending the data back as JSON. The AJAX function dataType is "json". Let me know if you needed something else and I'll edit
I update the form input field so they have their profile data loaded ready for editing like so:
$("#location").val(userData.location);
That's when I get:
Shaun&#39;s place
...whereas:
$("#testerDivLocation").html(userData.location);
shows
Shaun's place
Thank you.
Here is the documentation on the subject:
All variables are HTML escaped by default. If you want to return
unescaped HTML, use the triple mustache: {{{name}}}.
So you're right that it may open you up to vulnerabilities (XSS in particular). This is useful for data that you already know is safe to render in HTML, perhaps because you've escaped and/or sanitized it elsewhere.
Since input field values are a little different because they are more raw than plain HTML, you may need to do some custom escaping either on the server-side, or in javascript just prior to the render call. This means figuring out the set of all possible characters that put an input field at risk (quotes are obvious, but what about angle brackets <, >?)
An alternative is to leave the form field values blank in HTML-land and use JavaScript to set their values through the DOM. That feels much safer to me since you are no longer trying to embed the raw data into HTML code.
var t="<input type='text' name='firstname' value=''>";
var x=Mustache.render(t, {});
// Build the element from the rendered markup, then set its value through the DOM
var $input=$(x);
$input.val(serverObjectReturn.firstname);
(Assumes jQuery is loaded for the $ call).
I've been freelance working on the development of a web app for a company, and I realised that in any of the textboxes you can just type html tags or lines of javascript, which is obviously very problematic as I don't want the users to be able to do things that mess how it looks or functions. Is there a way of making sure html/javascript can't be written into text boxes?
The best approach is to assume that all data being POSTed, or sent via the URI to the server is malicious, until you check explicitly that it is not (Perl actually has a taint mode to enforce this), and validate the data received is valid for the data type you're expecting. You shouldn't rely on validation (only) on the client, as a malicious user may craft special requests without actually using your front end.
Despite the fact that I don't have a lot of info about the problem I will give it a try, so be nice to me!! (please provide some more info)
Html or Javascript they have some common expressions, you can exclude those from the textfields by writing a custom javascript validator.
You should validate any user input (textboxes, etc.). This means, for example, that if you are asking for a number, then you check that the user input is a number, and reject anything else.
You can't (and you should not) "forbid to write HTML/JavaScript", you must "check that the input is valid against what you are expecting".
You should validate the input as soon as you want to use it. If you have some sort of input, keypress, keyup or similar event handler, you should validate the data before using it.
Also you should not inject user data as HTML. For example, don't use element.innerHTML = data; but instead use element.textContent = data; so the data are not parsed as HTML but just injected as text. (If you are using jQuery, use $(...).text(data) instead of $(...).html(data).)
Is there any way to create simple fillable embedded PDFs that allow me to extract the text via JS or ASP?
Now I know there are some libraries like iTextSharp, pdf2html etc. but I have found that these are just either overly complex or insufficient for my needs.
The scenario is this, I am trying to embed a tax document which the client may fill out, upon saving the document, the fields are then extracted into an object. As of now I have converted the PDF to SVG with inkscape but this still feels a bit bloated.
I just want to iterate through each field and store it accordingly.
Here's an example of one of the documents:
http://www.cra-arc.gc.ca/E/pbg/tf/t4/t4flat-fill-13b.pdf
One of the ways is to employ FDF or XFDF submits.
Basically, browser displays the PDF, user fills it and clicks a submit button. PDF viewer sends information about filled fields to specified URL.
You can choose format of the submit while creating the PDF.
Following is from the XML Forms Data Format Specification
FDF is a simplified version of PDF. PDF and FDF represent information
with a key/value pair, also referred to as an entry. This example
shows the T and V keys with values enclosed in parentheses:
/T(Street)/V(345 Park Ave.)
XFDF, on the other hand, represents an entry with an XML
element/content or attribute/value pair, as shown in the corresponding
XFDF:
<field name="Street">
<value>345 Park Ave.</value>
</field>
Please be aware that not all PDF viewers might be able to submit forms data.
I am using the below JavaScript to load the captcha in my site. This is working fine. But on my first login it shows the number "5AbD" by default. How can I change it?
http://wiki.asp.net/page.aspx/1369/simple-captcha-code-in-javascript/
I use the JavaScript from the above link. I am not able to post this script here.
You don't provide many details, but often something like this is related to a random number being generated every time with the same seed. If you rolled your own captcha I would look into how you are generating the string. Commonly one passes the system tick count as the random number seed.
Otherwise, you don't really provide enough information for anyone to give a helpful answer.
Edit:
1) After seeing your code, first I want to say that as a captcha this is extremely flawed. The whole point is that a bot can't determine the code and automatically enter it. This is why they are usually images generated on the server. It is difficult to extract the value from an image.
2) It is showing the same value every time because you have not coded it otherwise. You are literally starting with the same -hard coded- value and modifying that. Look into the Math.random() function for generating a random number for the initial value instead of hard coding that. But, referencing point #1, I would scrap this whole javascript thing altogether because as captcha it's useless because a bot could just grab the value of that control and fill out the form with it.
3) The steps for implementing captcha are usually something like: generate the random string on the server, save that string to session, generate an image with that string (with some noise/font funkiness to prevent an image processor from easily being able to read the text), then display the image on the page. The actual string value never leaves the server. When the form is submitted, you just compare the user value with the value you previously stored in the session. But rather than go through all of that (unless the whole point is as a learning exercise), you might think about using any of the pre-made captcha controls such as recaptcha, etc. Either way, look into the random number function, because as long as you are always starting with the same hard coded values then you will always get the same result.
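The server-side part of the flow in point 3, as an added example that is not part of the original answer: the code is drawn from the OS CSPRNG, kept only in the session, expires, and is single-use. The names (issueChallenge, verifyChallenge, sessions) are hypothetical, the Map stands in for a real session store, and rendering the code as a noisy image is left to an image library.

```javascript
// Added example; all names here are hypothetical and not from the linked script.
const rng = typeof require === "function" ? require("crypto").webcrypto : globalThis.crypto;
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZ23456789"; // 32 symbols, no look-alikes
const TTL_MS = 2 * 60 * 1000;
const sessions = new Map(); // stand-in for a server-side session store

// 256 is a multiple of 32, so `byte % 32` picks each symbol with equal probability.
function randomCode(length) {
  const bytes = rng.getRandomValues(new Uint8Array(length));
  return Array.from(bytes, (b) => ALPHABET[b % ALPHABET.length]).join("");
}

// Generate on the server and keep the answer in the session only.
function issueChallenge(sessionId, now = Date.now()) {
  const code = randomCode(6);
  sessions.set(sessionId, { code, expires: now + TTL_MS });
  return code; // goes to the image renderer, never into the page markup
}

// Compare on submit. The challenge is consumed whether or not the answer
// matches, so a bot cannot keep guessing against the same code.
function verifyChallenge(sessionId, answer, now = Date.now()) {
  const entry = sessions.get(sessionId);
  sessions.delete(sessionId);
  if (!entry || now > entry.expires || typeof answer !== "string") return false;
  return answer.trim().toUpperCase() === entry.code;
}
```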