
I have an HTML form:

<form>
<!-- a hidden field needs a name attribute, otherwise the browser does not submit it -->
<input type="hidden" id="hiddenField" name="hiddenField"/>
...Other form fields
</form>

In this form I want to set a hidden field with XML data. Can anyone suggest if it is fine to set the hidden field directly with XML data? I.e., in my JavaScript function, is it safe to directly set the hidden field with XML like: $('#hiddenField').val(xml); and get the XML in my Java servlet? Please suggest.

Jeets

3 Answers


No, you can't keep XML without encoding. You can opt for either

var stringValue = escape(xml);
var xmlValue = unescape(stringValue);

in JavaScript.

Though these methods have been deprecated in newer versions, so you could find them in another library like UnderScoreJs: http://underscorejs.org/#escape

Also, don't keep XML in a hidden field if it holds any sensitive information.

Sandeep Kumar
  • Thanks for the response. No, the XML doesn't contain any sensitive info. If I correctly understand, your suggestion is to escape the XML and then set it in the hidden field like: var escapedXml = escape(xml); $('#hiddenField').val(escapedXml); Please confirm if I understood correctly. Also, do we need some mechanism to decode it in the servlet after getting it from request.getParameter? – Jeets Sep 13 '16 at 05:50

Hidden form fields are not for session tracking.

We have two mechanisms for session tracking: cookies and URL rewriting, the latter for people who don't have cookies enabled in their browsers. I could only understand sending a session id in a hidden field when you have your own session tracker and are not using the one that already comes with your server container (HttpSession and all), but why re-invent the wheel?

Hidden fields are for passing information between pages; sometimes I use a and I clearly don't want that information displayed to the user.

dghtr

Posting XML without JavaScript or browser plugins is impossible. You should not send it directly as a form parameter. See this answer for more info.

Use a library that encodes them while sending to the server, and decode them on the server side.

Underscore.js provides such functionality. See the documentation:

escape  _.escape(string)
Escapes a string for insertion into HTML, replacing &, <, >, ", `, and ' characters.

_.escape('Curly, Larry & Moe');  
=> "Curly, Larry &amp; Moe"

unescape  _.unescape(string)
The opposite of escape; replaces &amp;, &lt;, &gt;, &quot;, &#x60; and &#x27; with their unescaped counterparts.

_.unescape('Curly, Larry &amp; Moe');
=> "Curly, Larry & Moe"

However, do keep in mind that browsers usually have limits on the amount of data that you can send through a GET request (around 255 bytes). Hence it's always a good option to use POST instead of GET, even when sending encoded XML.

Raman Sahasi
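The two answers above (Sandeep Kumar's escape/unescape pair and Raman Sahasi's pointer to _.escape/_.unescape) both come down to the same technique, so here is one worked example, added here and not part of any answer or of Underscore.js itself. It implements the same six-character HTML escape that _.escape performs, its inverse, and, for comparison, the application/x-www-form-urlencoded encoding a browser applies to every field on submit. The SAMPLE_XML value, the field name hiddenField and the helper names are constructed for the example. Two things it shows: escape/unescape is a lossless round trip, which is what matters if the value is ever written back into a page; and form submission separately percent-encodes the value, so the servlet receives whatever string was placed in the field, HTML-escaped or not, and must unescape only if the client escaped.

```javascript
// Added example (not from the question, the answers, or Underscore.js):
// a minimal HTML escape/unescape pair with the same character set as
// _.escape/_.unescape, plus the form encoding a browser applies on submit.

// The six characters _.escape replaces, and the entities it uses.
const ESCAPE_MAP = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#x27;',
  '`': '&#x60;',
};
const UNESCAPE_MAP = Object.fromEntries(
  Object.entries(ESCAPE_MAP).map(([ch, ent]) => [ent, ch])
);

// Escape a string so it is safe to place inside HTML text or a quoted attribute.
function escapeHtml(str) {
  return String(str).replace(/[&<>"'`]/g, (ch) => ESCAPE_MAP[ch]);
}

// Reverse escapeHtml. Like _.unescape, only the six entities above are decoded.
function unescapeHtml(str) {
  return String(str).replace(/&(?:amp|lt|gt|quot|#x27|#x60);/g, (ent) => UNESCAPE_MAP[ent]);
}

// The body a browser sends for <form method="post"> with these fields
// (application/x-www-form-urlencoded). Every reserved byte is percent-encoded,
// so a raw XML value survives transport without HTML escaping; HTML escaping
// protects a different step, namely writing the value back into a page.
function encodeFormBody(fields) {
  return new URLSearchParams(fields).toString();
}

// Parse such a body and return the named field, as a servlet's
// request.getParameter would (constructed stand-in, not the servlet API).
function getParameter(body, name) {
  return new URLSearchParams(body).get(name);
}

// Constructed sample XML for the demonstration (not from the page).
const SAMPLE_XML = '<order id="7"><note>Curly, Larry & Moe</note></order>';

// Round trip the client would perform if it escapes before setting the field:
// escape on the client, submit, read the parameter, unescape on the server.
function roundTrip(xml) {
  const escaped = escapeHtml(xml);
  const body = encodeFormBody({ hiddenField: escaped });
  const received = getParameter(body, 'hiddenField');
  return { escaped, body, received, decoded: unescapeHtml(received) };
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log(roundTrip(SAMPLE_XML));
}
```

The decoded value equals the original XML, and the servlet-side unescape is only needed because the client escaped first; if the hidden field is set to raw XML, getParameter already returns it verbatim, and the escape step belongs wherever the value is later rendered as HTML.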