So, I know that when I submit a form whose method is POST that the server receives the contents of that form and then processes them accordingly, and then returns a page with the desired content. What I am trying to learn is what exact query url is being passed to the server side script when I submit a form on a website that does not belong to me. The reason I want this query string is so that I can make use of the server side script programatically with my own data. There is no public API served by this website, but I would like to formulate my own.
So my question is, is there a way to intercept the POST as a query string URL? Perhaps by using a javascript console in browser?
I know I can look at the source code for the page and find the names/values of the form fields. However, there also happens to be a hidden field on this page whose properties are set by javascript during validation at submission time. How should I go about this?
You can use an extension for intercept the data : Tamper Data on FireFox
https://addons.mozilla.org/fr/firefox/addon/tamper-data/
You can intercept and modify all headers requests
Related
I have a website and when a user follows an internal link I would like to pass some extra information to a new page, so JavaScript on the destination page could do some useful highlighting.
There is an option to pass that information via the link parameters (GET), but it will generate lots of virtually duplicate pages and break pretty URLs concept. Another way is to make a webapp using AJAX, but it will also bound content to a single URL.
How can I transparently pass some information to the new page during navigation w/o messing with site's URL structure?
You could store the data in local storage or session storage, and retrieve it again on the destination page.
So you have a few options.
Form Submission
First option post a form with the data. Add a hidden form, on the anchor click capture the click event, set the hidden fields with the values you want to send to the next page, and submit the form. On the next page, read the post parameters in the backend and update the page.
Local Storage
On click of the anchor, set localStorage to the values you want to appear on the next page. When the next page loads, read the localStorage values and update the page. Note: The server will not have access to the values
Ajax with pushState
Use Ajax to submit the form. When the Ajax call returns, use window.history.pushState to update the url with whatever url you want to be displayed to the user.
One of the options not mentioned is to create a dirty URL:
/destination/param1/value1/...
then strip additional parameters at server-side and redirect:
/destination
keeping additional values stored at server-side (e.g. via sessions). I still prefer using sessionStorage in a real application, but it worth mentioning anyway.
What do you mean it will "bind content to a single url"? AJAX request is the first thing that comes to my mind as the solution to this problem. You dont have to use the url of the page to make the ajax request, you can build the url inside your javascript based on whatever conditions exist in your application.
Besides AJAX and passing parameters in the URL, the only other thing I can think of is to use Cookies. That of course runs into problems if the user has cookies disabled. I think an Ajax call to your server is the most robust way of handling the problem.
What would be the "best" approach to dealing with forms which have to work without and with JavaScript enabled?
Would it be better to create different routes for each, like
AJAX request: route "API/contact" and return res.send("message")
without JavaScript: route "contact"and return a redirect with a query param of "message"
Or in one route and detect xhr and render it depending on this?
Or is there a better way of dealing with the problem of taking the user to the res.send("") when the JavaScript isn't enabled to give the user feedback on the submit?
To clarify:
I have a site which is working with AJAX requests for its forms to avoid full page loads. It lacks the fallback when JavaScript is not enabled and thus when a user clicks submit on a form, he receives the data from the post back with res.send and it replaces the whole page, instead of the desired effect which would be to just update a label with the "success/fail" message. The question then remains as above which would be the neat way of dealing with this?
Probably the best thing to do would be to check the X-Requested-With header and check that it contains XMLHttpRequest (but this might get deprecated as the new fetch API will slowly come into browser.
Based on that value, you might want to return a JSON payload, or eventually trigger a server side rendering, therefore returning an HTML page ready-to-be-consumed.
As an alternative, you can return a redirect response with a particular query string value; once the page is loaded, you will check for that value (using qs for example, or deparam in jquery and manipulate the client side accordingly.
Your server routes have nothing to do with client-side javascript. You don't need javascript to receive a "res.send" message.
I am using html5, javascript and JSP for my project. I want to know if there is some method that i can used to execute a query from my servlet without actually posting back the page. i know it can be done in ASP.net but i do n't how it can be be done in java script and JSP. Actually i have a dynamic webpage displaying data from server.what i want is that in a click event of button i want to execute a query form server and update it on the page. i know i can submit the form but it will submit the page which i want to avoid.Any suggestion......
regards
nquazi
You can use an AJAX request to submit inputs and get back an output without reloading that page. Here is a previous stackoverflow answer that shows you how to do a HTTP GET request.
HTTP GET request in JavaScript?
You will then need to process your inputs, run the query, and send back an output on the backend server.
I'm using variable passing through a URL (ie ".derp.html?name=derp?lname=herp") to a popup (which uses these parameters to prefill information on the page). Although these pages are internal, I want to create more security. I do not want someone to type in their own link and submit a form with fake values.
I was thinking of having a function run once the link is opened instead, which opens the popup, and sends the parameters through variables to the new window, instead of through the URL. However, I would still need to send values to the java script function...
Anything else I can do to be more secure?
EDIT: Let me rephrase then... This is not public, this is internal. I'm not expecting users to try and hack into the system to create fake forms.
I can't do server-side validation because I'm working with very old methods like tabular data control in IE. There is no real data base to verify anything.
You can POST the values, instead of appending them to the URL. This is what HTML forms are for. For example:
<form action="derp.html" method="POST" target="myNewWindow">
<input type="hidden" value="derp" name="name"/>
<input type="hidden" value="derp" name="lname"/>
Click to open in a new window
</form>
You have two options
1) Instead of using GET method (sending parameter in URL), use POST method and the parameters will not be in HTML URL anymore and you can do it by Javascript. However, a person who want to send fake values to you server, still is able to do so, but it's just a bit harder.
2) Create a hash function(Javascript code) which encode all the parameters before submit the URL and decode it upon received on server side. http://en.wikipedia.org/wiki/Hash_function
Either way, will not provide you 100% security, and still you should perform parameter validation on-server side.
you can change it to a post request...but that's about all you can do if the logic is front-side...other than obfuscating the variable names.
I am trying to implement GSA(Google Search Appliance) in my app. I want to use the REST(JSON) call that the GSA provides. The point for this question is that, the GSA needs a POST request in order to return the JSON response.
Now when I made a new dummy HTML page with a form and make a POST request with parameters I get a successful response(JSON)
But, when I try using the $.post(...) method to send a POST request to the URL I am not getting the actual response, but some error page.
I just wanted to know is there a difference between a standard submit and an ajax form submit. If yes, is there any workaround for this situation.
Please Help. Thanks in Advance.
If you want to submit the form through ajax but in the conventional way, You should have a look at jquery form plugin . Just make your submit button to type button and on click submit your form thorugh .ajaxSubmit(). I think this will solve your problem.
GSA search protocol is based on HTTP GET. All search parameters need to be passed in via query string. Also, out of box, GSA only returns either HTML or XML results. You could apply an xslt that transforms xml to JSON -- but I'm yet to find one that works really well (i.e., I've found a couple but they don't return valid JSON in all instances).