Closed Bug 196958 Opened 22 years ago Closed 22 years ago

Javascript form auto submits when client views source, bypass javascript functions called onSubmit

Categories

(SeaMonkey :: General, defect)

Product:
SeaMonkey
Component:
General
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INVALID

People

(Reporter: keith, Assigned: asa)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.2) Gecko/20021126 I have a corporate page the calls a validation function via javascript when the client clicks submit, using mozilla clients can easily by pass the javascript function by viewing the source of the page. the submit simply states to call the function and return its value, true or false depending on whether errors were found with how form was filled out. It seems when the page is loaded in the view source the page is regenerated and the submit button activated, moving my oringal page forward, the user can then close the source and continue with the form. Having bypassed any rulesets laid out in the javascript code. Reproducible: Always Steps to Reproduce: 1. load initial page 2. Cntrl - u Actual Results: page i'm viewing the source for submits it's form, which is posted to an asp page that redirects the user to a new page. Expected Results: Form should not be submitting itself when someone views the source. <script type="text/javascript"> function checksubmit(formid) { msgreturn="" // check name is entered, must be a 2 letter or more word, followed by an inital ( maybe), followed by another word long then 2 characters var regpattern_name = /\w{2,}(\s\w{1}\.*)*\s\w{2,}/ // check telus id, a t ( maybe) followed by 6-8 digits, not cases sensitive var regpattern_telusid = /t*\d{6,8}/i // check e-mail, at least 2 numbers or letters, followed by an @ followed by at least 2 letters or numbers followed by a period, followed by at least 2 but no more then 5 letters or numbers var regpattern_email = /([a-zA-Z0-9_\.\-])+\@(([a-zA-Z0-9\-])+\.)+([a-zA-Z0-9]{2,4})+$/ // check number, ( 3 numbers) 3 numbers - 4 numbers var regpattern_phone =/1{0,1}\({0,1}\d{3}\){0,1}\-{0,1}{0,1}\d{3}\-{0,1}\d{4}/ // check postal code var regpattern_postal = /[A-Za-z]\d[A-Za-z]\s*\d[A-Za-z]\d/ // step 1 switch (formid) { case "WHOIS": formfield = eval("document."+ formid +"INFO."+formid+"FULLNAME.value") if ((formfield === "") || (regpattern_name.test(formfield) != true)) { msgreturn="You did not enter your name correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"TELUSID.value") if ((formfield == "") || (regpattern_telusid.test(formfield) != true)) { msgreturn=msgreturn + "You did not enter you TELUS ID correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"EMAIL.value") if ((formfield == "") || (regpattern_email.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter your email address correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"CCLTEMAIL.value") if ((formfield == "") || (regpattern_email.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the CCLT's email address correctly, please refer to the example \n" } break; // end step 1 checking // step 2 case "COMP": formfield = eval("document."+ formid +"INFO."+formid+"NAME.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the client's company name \n" } formfield = eval("document."+ formid +"INFO."+formid+"PNAME.value") if ((formfield == "") || (regpattern_name.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Primary Contact's name correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"PWORK.value") if ((formfield == "") || (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Primary Contact's work number correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"PCELL.value") if ((formfield != "") && (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Primary Contact's cell number correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"PEMAIL.value") if ((formfield != "") && (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Primary Contact's email correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"SNAME.value") if ((formfield != "") && (regpattern_name.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Secondary Contact's name correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"SWORK.value") if ((formfield != "") && (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Secondary Contact's work nubmer correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"SCELL.value") if ((formfield != "") && (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Secondary Contact's Cell nubmer correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"SEMAIL.value") if ((formfield != "") && (regpattern_phone.test(formfield) != true )) { msgreturn=msgreturn + "You did not enter the Secondary Contact's email correctly, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"STREET1.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the company's street address, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"CITY.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the company's city, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"POST.value") if ((formfield == "") || (regpattern_postal.test(formfield) != true)) { msgreturn=msgreturn + "You did not enter the company's postal code correctly, please refer to the example \n" } break; case "VOICE": formfield = eval("document."+ formid +"INFO."+formid+"CIRCUITS.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the number of circuits to be supported, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"TICKETCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits had been recorded in the ticket system \n" } formfield = eval("document."+ formid +"INFO."+formid+"TASCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits in TAS have been moved \n" } formfield = eval("document."+ formid +"INFO."+formid+"BILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits have been added to the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"SLAUPLD.value") if (formfield == "") { msgreturn=msgreturn + "You did not choose an SLA document \n" } formfield = eval("document."+ formid +"INFO."+formid+"2GROUPCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the Tier 2 Groups are prepared to assume responsiblity \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINTERM.value") if (formfield == "") { msgreturn=msgreturn + "You did not select where TELUS' phyiscal responsiblity ends. \n" } formfield = eval("document."+ formid +"INFO."+formid+"CONTRACT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the contract file. \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINBILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the contract was in the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"CIRCUIT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the circuit diagrams. \n" } break; case "DATA": formfield = eval("document."+ formid +"INFO."+formid+"CIRCUITS.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the number of circuits to be supported, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"TICKETCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits had been recorded in the ticket system \n" } formfield = eval("document."+ formid +"INFO."+formid+"BILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits have been added to the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"SLA.value") if (formfield == "") { msgreturn=msgreturn + "You did not choose an SLA document \n" } formfield = eval("document."+ formid +"INFO."+formid+"2GROUPCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the Tier 2 Groups are prepared to assume responsiblity \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINTERM.value") if (formfield == "") { msgreturn=msgreturn + "You did not select where TELUS' phyiscal responsiblity ends. \n" } formfield = eval("document."+ formid +"INFO."+formid+"CONTRACT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the contract file. \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINBILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the contract was in the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"CIRCUIT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the circuit diagrams. \n" } break; case "ENHANCED": formfield = eval("document."+ formid +"INFO."+formid+"CIRCUITS.value") if (formfield == "") { msgreturn=msgreturn + "You did not enter the number of circuits to be supported, please refer to the example \n" } formfield = eval("document."+ formid +"INFO."+formid+"TICKETCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits had been recorded in the ticket system \n" } formfield = eval("document."+ formid +"INFO."+formid+"BILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the circuits have been added to the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"SLA.value") if (formfield == "") { msgreturn=msgreturn + "You did not choose an SLA document \n" } formfield = eval("document."+ formid +"INFO."+formid+"2GROUPCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the Tier 2 Groups are prepared to assume responsiblity \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINTERM.value") if (formfield == "") { msgreturn=msgreturn + "You did not select where TELUS' phyiscal responsiblity ends. \n" } formfield = eval("document."+ formid +"INFO."+formid+"CONTRACT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the contract file. \n" } formfield = eval("document."+ formid +"INFO."+formid+"MAINBILLCFRM.checked") if (formfield == false) { msgreturn=msgreturn + "You did not confirm that the contract was in the billing system \n" } formfield = eval("document."+ formid +"INFO."+formid+"CIRCUIT.value") if (formfield == "") { msgreturn=msgreturn + "You did not specify the location of the circuit diagrams. \n" } } if (msgreturn != "") { alert(msgreturn) return false; } else { return true; } } </script> <form name="WHOISINFO" method="post" action="../common/apps/process.asp" onSubmit="return checksubmit('WHOIS')"> <input type="hidden" name="next" value="../../apply/step2.asp" > <a href="javascript: if(document.WHOISINFO.onsubmit()) { document.WHOISINFO.submit() }"tabindex="5" onkeypress="javascript:document.WHOISINFO.submit()" onMouseOver="next.src='../common/icons/next2.gif';window.status='Next';return true;" onMouseOut="next.src='../common/icons/next.gif';window.status='';"><img src="../common/icons/next.gif" alt='Next' name="next" border="0" width="80" height="29"></a> </FORM
onkeypress="javascript:document.WHOISINFO.submit()" So _ANY_ keypress in that anchor (including the ctrl-u to bring up view-source) will submit the form. That's what the page says it should do.
Status: UNCONFIRMED → RESOLVED
Closed: 22 years ago
Resolution: --- → INVALID
Product: Browser → Seamonkey
You need to log in before you can comment on or make changes to this bug.