Mozilla XML - XForms: urlencoded-post encoding wrong?

Author

XForms: urlencoded-post encoding wrong?

Eric Hanson

2005-05-14, 7:51 am

Hi,

First time Mozilla XForms user, very exciting stuff...

Question -- is method="urlencoded-post" supposed to be delmiting
name/value pairs with semicolons? PHP doesn't seem to like this, and
ends up only getting the very first var, for example $_POST['foo'] gets
set to:

asdfasdf;bar=howdy;wang=asfdasf;

and $_POST['bar'] and $_POST['wang'] don't get set at all. Seemed a
little weird to me. "Normal" HTML forms seperate n/v pairs with an
ampersand. Here's a full header dump:

POST /foo.php HTTP/1.1
Host: 24.22.56.63:8080
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
Gecko/2005
0507 Firefox/1.0+
Accept:
text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
Accept-Language: en-us,en;q=0.5
Accept-Encoding: gzip,deflate
Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
Keep-Alive: 300
Connection: keep-alive
Content-Length: 39
Content-Type: application/x-www-form-urlencoded

foo=asdfasdf;bar=howdy%21;wank=asfdasf;

Also, when I switch to method="post", the submit button suddenly does
nothing. Any ideas on this? Here's the form:

<h:html xmlns:h="http://www.w3.org/1999/xhtml"
xmlns="http://www.w3.org/2002/xforms">
<h:head>
<h:title>Search</h:title>
<model>
<instance><data xmlns="">
<foo/>
<bar>howdy!</bar>
<wank att="ribute" />
</data></instance>
<submission action="http://24.22.56.63:8080/foo.php"
method="urlencoded-post" id="s" />
</model>
</h:head>
<h:body>
<h:p>
<input ref="foo"><label>Foo</label></input>
<input ref="bar"><label>Bar</label></input>
<input ref="wank"><label>Wank</label></input>
<submit submission="s"><label>Submit!</label></submit>
</h:p>
</h:body>
</h:html>

Thanks,
Eric

Martin Honnen

2005-05-14, 7:28 pm

Eric Hanson wrote:

> First time Mozilla XForms user, very exciting stuff...
>
> Question -- is method="urlencoded-post" supposed to be delmiting
> name/value pairs with semicolons? PHP doesn't seem to like this, and
> ends up only getting the very first var, for example $_POST['foo'] gets
> set to:
>
> asdfasdf;bar=howdy;wang=asfdasf;
>
> and $_POST['bar'] and $_POST['wang'] don't get set at all. Seemed a
> little weird to me.

As for PHP you can set arg_separator.input to allow other characters
than & as the separator.

--

Martin Honnen
http://JavaScript.FAQTs.com/

Eric Hanson

2005-05-14, 7:28 pm

Alright, thanks. That seems like more of a bandaid than a solution but
it'll get me going I guess. I wonder who should budge, PHP or XForms?

Also, has anybody gotten method="post" to work at all??

Thanks,
Eric

Aaron Reed

2005-05-16, 7:43 pm

Eric Hanson wrote:
> Hi,
>
> First time Mozilla XForms user, very exciting stuff...
>
> Question -- is method="urlencoded-post" supposed to be delmiting
> name/value pairs with semicolons? PHP doesn't seem to like this, and
> ends up only getting the very first var, for example $_POST['foo'] gets
> set to:
>
> asdfasdf;bar=howdy;wang=asfdasf;
>
> and $_POST['bar'] and $_POST['wang'] don't get set at all. Seemed a
> little weird to me. "Normal" HTML forms seperate n/v pairs with an
> ampersand. Here's a full header dump:
>
>
> POST /foo.php HTTP/1.1
> Host: 24.22.56.63:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
> Gecko/2005
> 0507 Firefox/1.0+
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Content-Length: 39
> Content-Type: application/x-www-form-urlencoded
>
> foo=asdfasdf;bar=howdy%21;wank=asfdasf;
>
>
>
>
> Also, when I switch to method="post", the submit button suddenly does
> nothing. Any ideas on this? Here's the form:
>
> <h:html xmlns:h="http://www.w3.org/1999/xhtml"
> xmlns="http://www.w3.org/2002/xforms">
> <h:head>
> <h:title>Search</h:title>
> <model>
> <instance><data xmlns="">
> <foo/>
> <bar>howdy!</bar>
> <wank att="ribute" />
> </data></instance>
> <submission action="http://24.22.56.63:8080/foo.php"
> method="urlencoded-post" id="s" />
> </model>
> </h:head>
> <h:body>
> <h:p>
> <input ref="foo"><label>Foo</label></input>
> <input ref="bar"><label>Bar</label></input>
> <input ref="wank"><label>Wank</label></input>
> <submit submission="s"><label>Submit!</label></submit>
> </h:p>
> </h:body>
> </h:html>
>
> Thanks,
> Eric
>

Hi Eric,

If you look at the xforms:submission element, there is a @seperator that
you can use to specify the seperator that you want to use when
urlencoding. The default is ';' per spec, but you can make it '&' if
you want.

For your second problem, are you using a nightly or the preview release?
if you are using a nightly, get the latest and look in the JS Console
for any errors. Let me know if you see any or not.

Thanks,
--Aaron

Aaron Reed

2005-05-16, 7:43 pm

Aaron Reed wrote:

> Eric Hanson wrote:
>
>
> Hi Eric,
>
> If you look at the xforms:submission element, there is a @seperator that
> you can use to specify the seperator that you want to use when
> urlencoding. The default is ';' per spec, but you can make it '&' if
> you want.
>
> For your second problem, are you using a nightly or the preview release?
> if you are using a nightly, get the latest and look in the JS Console
> for any errors. Let me know if you see any or not.
>
> Thanks,
> --Aaron

Technically, you'll need to use: separator="&"

Aaron Reed

2005-05-16, 7:43 pm

Eric Hanson wrote:

> Hi,
>
> First time Mozilla XForms user, very exciting stuff...
>
> Question -- is method="urlencoded-post" supposed to be delmiting
> name/value pairs with semicolons? PHP doesn't seem to like this, and
> ends up only getting the very first var, for example $_POST['foo'] gets
> set to:
>
> asdfasdf;bar=howdy;wang=asfdasf;
>
> and $_POST['bar'] and $_POST['wang'] don't get set at all. Seemed a
> little weird to me. "Normal" HTML forms seperate n/v pairs with an
> ampersand. Here's a full header dump:
>
>
> POST /foo.php HTTP/1.1
> Host: 24.22.56.63:8080
> User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b2)
> Gecko/2005
> 0507 Firefox/1.0+
> Accept:
> text/xml,application/xml,application/xhtml+xml,text/html;q=0.9,text/plain;q=0.8,image/png,*/*;q=0.5
> Accept-Language: en-us,en;q=0.5
> Accept-Encoding: gzip,deflate
> Accept-Charset: ISO-8859-1,utf-8;q=0.7,*;q=0.7
> Keep-Alive: 300
> Connection: keep-alive
> Content-Length: 39
> Content-Type: application/x-www-form-urlencoded
>
> foo=asdfasdf;bar=howdy%21;wank=asfdasf;
>
>
>
>
> Also, when I switch to method="post", the submit button suddenly does
> nothing. Any ideas on this? Here's the form:
>
> <h:html xmlns:h="http://www.w3.org/1999/xhtml"
> xmlns="http://www.w3.org/2002/xforms">
> <h:head>
> <h:title>Search</h:title>
> <model>
> <instance><data xmlns="">
> <foo/>
> <bar>howdy!</bar>
> <wank att="ribute" />
> </data></instance>
> <submission action="http://24.22.56.63:8080/foo.php"
> method="urlencoded-post" id="s" />
> </model>
> </h:head>
> <h:body>
> <h:p>
> <input ref="foo"><label>Foo</label></input>
> <input ref="bar"><label>Bar</label></input>
> <input ref="wank"><label>Wank</label></input>
> <submit submission="s"><label>Submit!</label></submit>
> </h:p>
> </h:body>
> </h:html>
>
> Thanks,
> Eric
>

Hey Eric,

With your "post" bug, if you look in your JS Console and see an error
like: Security check failed! Trying to submit data to a different
domain than document", you are trying to submit data to a server that is
different from the server that the original form was served from which
is a violation of the mozilla security model. You can allow for this
behavior by changing your hostperm.1 file as is noted in bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=284519

Hope this helps,
--Aaron

Eric Hanson

2005-05-17, 4:22 am

Aha! That worked, thanks.

Eric

Eric Hanson

2005-05-17, 4:22 am

Gotcha. It was the security check. I moved the doc and all works
great now.

What's the status of this behavior? For the application I'm working on
this is pretty close to a show stopper. I'm trying to make an app
where xforms hosted potentially all over the web post to repositories
on other hosts. Any hope of getting around this?

Thanks,
Eric

Aaron Reed

2005-05-18, 8:01 pm

Eric Hanson wrote:
> Gotcha. It was the security check. I moved the doc and all works
> great now.
>
> What's the status of this behavior? For the application I'm working on
> this is pretty close to a show stopper. I'm trying to make an app
> where xforms hosted potentially all over the web post to repositories
> on other hosts. Any hope of getting around this?
>
> Thanks,
> Eric
>

Sorry Eric, I started a reply yesterday and got sidetracked and didn't
get it finished. Here it is:

Looks like it is here to stay unless Mozilla changes their minds at some
future date. Here is the Mozilla security policy that is currently
limiting us:
http://lxr.mozilla.org/mozilla/sour...rity_Model.html

Given the current state of user uncertainty surrounding browser security
in general, I can't really fault Mozilla for this conservative approach.
When we ship our final version, we hope to support a whitelisting pref
or some way for the user to set his trust level. We are also going to
try to get the 'xml file on the server' approach some more exposure and
hopefully it'll get some wider adoption among servers that are expecting
XML-based interaction with clients. Though the format may be different
than what is mentioned in the security model document under 'Delegation'.

Is this going to kill your application idea? Or will you have influence
enough with the 'repositories on other hosts' to maybe get them to adopt
the XML file approach. If so, we'd like your feedback when we have it
firmed up a bit more.

Thanks,
--Aaron

Eric Hanson

2005-05-19, 7:31 pm

I read that document but I don't understand how it relates, and I think
something is being misunderstood here, most likely on my end. So let
me just restate the problem I'm having.

I have a form, say on the domain foo.com, which contains an XForm. The
XForm submits via method="urlencoded-post" to another domain, bar.com.
So far we're in the clear, this works fine.

But, if the method is changed to method="post", this generates a
security exception.

I don't understand what is different about these two approaches, or
what makes one more of a security breach than the other. As far as I
know, this is a common practice in plain HTML forms, and allowed by the
XForms spec.

Is this a restriction because XForms support is added as a Mozilla
extension, rather than part of the core?

Eric