On 02/10/2014 02:53 PM, Gert van Oss wrote:
> 
> On 10 Feb 2014, at 14:48, Stefan Hornburg (Racke) <[email protected]> wrote:
> 
>> On 02/10/2014 02:37 PM, Gert van Oss wrote:
>>> Hi, 
>>>
>>> I’m trying to build a small app to comment on images. Probably I’m almost 
>>> there but currently stuck with updating a ‘file.yml' by a html-form. 
>>>
>>> I’ve made two routes (shown below) “get ‘/:id/edit’ for showing the form 
>>> with the particular image to comment on. When hitting save the ‘post 
>>> ‘/edit’ will be called. My problem is that the post route doesn’t have the 
>>> $id initialised. Is there someone around who can tell me how to solve this 
>>> or point to me what I’m doing wrong?
>>>
>>
>> Do you have a hidden form field in your form which passes the id to the post 
>> route?
>>
>> Regards
>>      Racke
> 
> 
> I don’t have a hidden field. I tried but then still wasn’t successful.
> (see below.. I skipped some fields)
> 
> <form method="post" action="/edit">
> 
>       <input type="text" name="id" id="id" value="[% data.id %]" disabled="disabled"/>
> 
>       <textarea name="description" rows="20" cols="20" id="Description">[% data.description %]</textarea>
> 
>       <input type="submit" name="submit" value="Save" class="submit-button" />
> </form>
> 

Ok, so the question is whether the correct id appears in the rendered HTML form 
and thus is available to the post route?

And writing the data from this form directly into your file opens a big hole 
for XSS if you display the same data on your website. Also we could do some 
YAML injection :-).

Regards
        Racke

-- 
LinuXia Systems => http://www.linuxia.de/
Expert Interchange Consulting and System Administration
ICDEVGROUP => http://www.icdevgroup.org/
Interchange Development Team
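The following is an added example, not code posted by Gert or Racke, showing the two routes from the question with the hidden id field Racke suggests, plus the two points from his reply: output escaping against XSS and a load/modify/dump round trip through a YAML parser so that submitted text cannot change the structure of the file. It assumes Dancer 1 with Template Toolkit configured to use `[% %]` tags (as in the poster's template), YAML::XS, a data file named `images.yml` that is a mapping keyed by image id, and a view named `edit`; all of those names are assumptions.

```perl
#!/usr/bin/env perl
# Added example (not from the original thread). Assumes Dancer 1, YAML::XS,
# and Template Toolkit with '[%' / '%]' tags set in config.yml. The file
# name images.yml, its layout (a hash keyed by image id) and the view name
# 'edit' are assumptions.
use strict;
use warnings;
use Dancer;
use YAML::XS qw(LoadFile DumpFile);

set template => 'template_toolkit';

my $store = 'images.yml';

# Work on the parsed data structure and let YAML::XS serialise it back.
# Because the comment text is emitted by the YAML dumper (quoted where
# needed), a description containing '---' or 'key: value' cannot alter
# the document structure, which is the "YAML injection" Racke mentions.
sub load_images { return -e $store ? LoadFile($store) : {} }
sub save_images { DumpFile($store, shift) }

# Accept only ids of a known shape before using them as hash keys or in
# a redirect target.
sub valid_id {
    my $id = shift;
    return defined $id && $id =~ /\A[A-Za-z0-9_-]{1,64}\z/;
}

get '/:id/edit' => sub {
    my $id = param('id');                 # route parameter
    return send_error('bad id', 400) unless valid_id($id);
    my $images = load_images();
    return send_error('not found', 404) unless exists $images->{$id};
    template 'edit', {
        data => { id => $id, description => $images->{$id}{description} },
    };
};

post '/edit' => sub {
    my $id = param('id');                 # arrives from the hidden field
    return send_error('bad id', 400) unless valid_id($id);
    my $images = load_images();
    return send_error('not found', 404) unless exists $images->{$id};
    # Store the raw text; escaping is done on output in the template,
    # not on input, so the stored data stays usable elsewhere.
    $images->{$id}{description} = param('description') // '';
    save_images($images);
    redirect "/$id/edit";
};

dance;

__END__
Contents of views/edit.tt (assumed view name). The '| html' filter escapes
<, >, & and quotes, so a description containing a <script> tag is shown as
text instead of being executed in the browser of whoever views the page.

<form method="post" action="/edit">
  <input type="hidden" name="id" value="[% data.id | html %]" />
  <textarea name="description" rows="20" cols="20">[% data.description | html %]</textarea>
  <input type="submit" name="submit" value="Save" />
</form>
```

The form uses a hidden input for the id rather than a disabled text input: disabled controls are never included in a form submission, so a disabled id field leaves the post route without the value. The template's `| html` filter handles the XSS side; the YAML side is handled by never writing request text into the file as a string, only through `DumpFile` on the parsed structure.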

_______________________________________________
dancer-users mailing list
[email protected]
http://lists.preshweb.co.uk/mailman/listinfo/dancer-users
