-1

My JavaScript code doesn't work:

<script type="text/javascript">

    function verify() {
        var amount = document.getElementById("amount");
        var commission = document.getElementById("commission");
        var commissionPayed = parseFloat(amount) * parseFloat(commission);
            msg = "Withdraw Amount: " + amount.value + "\n Commission payed: " + commissionPayed.value;
            //all we have to do is return the return value of the confirm() method
            return confirm(msg);
    }

The form itself:

      <form action="Controller" method="post" onSubmit="return verify()">
                             <h1>Withdraw</h1>
             <input type="hidden" name="command" id="command" value="withdrawAction">
             <input type="hidden" name="commission" id="commission" value="${commission}">
             <p>Amount: <input type="text" name="amount" id="amount"/></p>  
             <input type="submit" name="name" value="Withdraw" onclick="confirmation()"/></p>

      </form>

In the message I get commissionPayed as an undefined value. What am I doing wrong?

Is there a way to use JSP inside the script such as ${object}?

Can I do the entire calculation in JSP?

BalusC
Adi Mor

2 Answers

1

.value is a member of each form element, not each numeric value.

function verify(){
    var amount = document.getElementById("amount").value;
    var commission = document.getElementById("commission").value;
    var commissionPayed = parseFloat(amount) * parseFloat(commission);
    var msg = "Withdraw Amount: " + amount + "\n Commission payed: " + commissionPayed;
    //all we have to do is return the return value of the confirm() method
    return confirm(msg);
}

Of course, for security reasons, you need to perform this same calculation again on the server – JavaScript calculations are suitable only for user confirmation. Tools such as Greasemonkey, Tamper Data, and Firebug exist; you cannot trust the web browser to provide accurate calculations for back-end business logic.

If you include any server-side variables in the HTML, CSS, or JavaScript code (especially string values), they need to be properly escaped (using a function suitable for the data format in question), or else a cross-site scripting (XSS) attack may be possible. The page I link to includes example snippets of vulnerable JSP code.

For example, JSP has a tag called <c:out> that performs HTML escaping. However, if you were to rely on it within a JavaScript code block (or in a style attribute), your script might not be secure.

PleaseStand
  • Did you enter valid numbers into both the text box and the hidden form field? [It works for me.](http://jsfiddle.net/dYA5N/1/) By the way, you can check for a NaN ([Not a Number](http://en.wikipedia.org/wiki/NaN)) value using the [isNaN function](https://developer.mozilla.org/en/Core_JavaScript_1.5_Guide/Functions#isNaN_Function). – PleaseStand Apr 19 '11 at 10:54
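
The answer's last point about `<c:out>` inside a script block, as an added example that is not part of the original answer: it models in JavaScript (runnable under Node) the HTML escaping `<c:out>` applies by default and compares it with escaping for a JavaScript string literal and for a numeric context. `escapeHtml`, `escapeJsString`, `toJsNumber` and `parseAsJsString` are hypothetical helper names, and the sample values are constructed.

```javascript
// Added example: models server-side escaping in JavaScript so it runs under Node.
// Function names are hypothetical; sample values are constructed.

// The five-character HTML escaping that <c:out> applies by default.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&#034;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

// Escaper for a JavaScript string literal inside a <script> block: everything
// except a small safe set becomes \uXXXX, so quotes, backslashes, line breaks
// and "</script>" can never end the literal or the block.
function escapeJsString(s) {
  return String(s).replace(/[^A-Za-z0-9 .,_-]/g,
    c => '\\u' + c.charCodeAt(0).toString(16).padStart(4, '0'));
}

// Numeric context (e.g. the commission rate): allow only a plain decimal.
function toJsNumber(s) {
  if (!/^\d+(\.\d+)?$/.test(String(s))) throw new RangeError('not a decimal number');
  return String(s);
}

// Parse `"<embedded>"` as the browser's script engine would, returning the
// resulting string, or the error name if the generated script does not parse.
function parseAsJsString(embedded) {
  try {
    return new Function('return "' + embedded + '";')();
  } catch (e) {
    return e.name;
  }
}

// Constructed sample values a server might place into the page.
const samples = ["O'Brien", 'fee & tax', 'path\\'];
for (const value of samples) {
  console.log(JSON.stringify(value),
    '| HTML-escaped ->', JSON.stringify(parseAsJsString(escapeHtml(value))),
    '| JS-escaped ->', JSON.stringify(parseAsJsString(escapeJsString(value))));
}
```

With HTML escaping the script either shows literal entities (the script engine does not decode them) or fails to parse when the value ends in a backslash; the JavaScript escaper round-trips all three values.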
0

Can I do the entire calculation in JSP? ... I'd do it on the server side, yes. You should not trust such a calculation on the client side.

To get a value out in the JSP you can use a standard tag: <c:out value="${user.firstName}"/>

There are a bunch of tutorials on the tag subject if you google a little too. For example http://www.developer.com/java/ejb/article.php/1447551/An-Introduction-to-JSP-Standard-Template-Library-JSTL.htm

vector