[dancer-users] updating a form
Stefan Hornburg (Racke)
racke at linuxia.de
Mon Feb 10 13:58:46 GMT 2014
On 02/10/2014 02:53 PM, Gert van Oss wrote:
> On 10 Feb 2014, at 14:48, Stefan Hornburg (Racke) <racke at linuxia.de> wrote:
>> On 02/10/2014 02:37 PM, Gert van Oss wrote:
>>> I’m trying to build a small app to comment on images. Probably I’m almost there but currently stuck with updating a 'file.yml' by a html-form.
>>> I’ve made two routes (shown below): `get '/:id/edit'` for showing the form with the particular image to comment on. When hitting save the `post '/edit'` will be called. My problem is that the post route doesn’t have the $id initialised. Is there someone around who can tell me how to solve this or point to me what I’m doing wrong?
>> Do you have a hidden form field in your form which passes the id to the post route?
> I don’t have a hidden field. I tried but then still wasn’t successful.
> (see below.. I skipped some fields)
> <form method="post" action="/edit">
> <input type="text" name="id" id="id" value="[% data.id %]" disabled="disabled"/>
> <textarea name="description" rows="20" cols="20" id="Description">[% data.description %]</textarea>
> <input type="submit" name="submit" value="Save" class="submit-button" />
Ok, so the question is whether the correct id appears in the rendered HTML form and thus is available to
the post route?
And writing the data from this form directly into your file opens a big hole for XSS if you display
the same data on your website. Also we could do some YAML injection :-).
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
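The following is an added example, not code posted in this thread or part of the Dancer distribution. It shows how the two routes discussed above can pass the id through a hidden field (a `disabled` input is never included in a form submission, which is why the `id` in the quoted form never reaches the post route), restrict the id to a safe character set before it is used as a file name, write the description with `YAML::DumpFile` instead of string concatenation so that newlines, colons or `---` in the user's text cannot alter the YAML structure, and escape the description on output with Template Toolkit's `html` filter to close the XSS hole mentioned in the reply. The layout `data/<id>.yml`, the `views/edit.tt` file name, and the Dancer 1.x API (`param`, `send_error`, `redirect`, `set engines`) are assumptions for this example; the `start_tag`/`end_tag` setting is needed because Dancer's Template Toolkit engine defaults to `<% %>` rather than the `[% %]` used in the quoted form.

```perl
#!/usr/bin/env perl
# Added example (not from the thread). Minimal Dancer 1.x app that passes the
# image id through a hidden field, validates it, and reads/writes one YAML
# file per image under data/<id>.yml (assumed layout).
use strict;
use warnings;
use Dancer;
use YAML qw(LoadFile DumpFile);

# Use [% ... %] delimiters like the form in the thread; Dancer's TT engine
# defaults to <% ... %>. 'engines' must be set before 'template' is chosen.
set engines  => { template_toolkit => { start_tag => '[%', end_tag => '%]' } };
set template => 'template_toolkit';

# The id becomes part of a file name, so accept only a short run of
# [A-Za-z0-9_-]; anything like "../config" is rejected before it reaches disk.
sub valid_id {
    my ($id) = @_;
    return defined $id && $id =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

sub data_file { return "data/$_[0].yml" }

# Show the form for one image; the id comes from the URL here.
get '/:id/edit' => sub {
    my $id = param('id');
    return send_error( "Bad image id", 400 ) unless valid_id($id);

    my $data = -e data_file($id)
        ? LoadFile( data_file($id) )
        : { id => $id, description => '' };

    template 'edit', { data => $data };
};

# Save the description; the id now comes from the hidden field in the form.
post '/edit' => sub {
    my $id = param('id');
    return send_error( "Bad image id", 400 ) unless valid_id($id);

    my $description = param('description') // '';

    # DumpFile serialises the scalar itself, so the user's text is stored as
    # data and can never be parsed as YAML structure (no "YAML injection").
    DumpFile( data_file($id), { id => $id, description => $description } );

    redirect "/$id/edit";
};

dance;

__END__

views/edit.tt (assumed file name), the companion template:

<form method="post" action="/edit">
  <!-- hidden, not disabled: disabled controls are dropped from the submission -->
  <input type="hidden" name="id" value="[% data.id | html %]" />
  <!-- show the id read-only without relying on it being submitted -->
  <input type="text" value="[% data.id | html %]" readonly="readonly" />
  <!-- the html filter escapes <, >, &, " so stored text cannot run as script -->
  <textarea name="description" rows="20" cols="20" id="Description">[% data.description | html %]</textarea>
  <input type="submit" name="submit" value="Save" class="submit-button" />
</form>
```

Two points worth keeping separate: the hidden field only solves the "id is missing" symptom, while the `valid_id` check and the `html` filter address the two risks raised in the reply. If the id should also be visible to the user, a `readonly` input (as above) is submitted, whereas a `disabled` one is not.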