| SIMPLE HTML FORMS | | | | I will not go into great detail about how the formSubmit |
| 1. Bypassing Required Fields Surely you have met a | | | | function works. You should know that if the (textfield |
| webpage that requires you to fill all fields in a form in | | | | optionfield/option/..) field is left blank, the form will not be |
| order to submit it. It is possible to bypass these types | | | | submitted to process.php. Now comes the moment of |
| of restrictions on any webpage. If you take a look at | | | | truth, how do we modify the form so that onsubmit |
| the webpage's source and follow it down to the form's | | | | returns true everytime? The way we can access the |
| code, you will notice the onsubmit form attribute. | | | | form with javascript and do this |
| Hopefully by this time you have experienced the | | | | is:document.forms[x].onsubmit="return |
| power of javascript and you know that javascript has | | | | true;";ordocument.spamform.onsubmit="return true;"; |
| control over every single element in a webpage, | | | | Both of these 'queries' will allow you to submit the form |
| including forms.We can use javascript to our | | | | free of restrictions. The secret is how to execute |
| advantage in every page we view for we can modify, | | | | this. I do this using my browser's Location bar. All you |
| delete, or add any element to the webpage. In this | | | | have to do is enter this text into the location bar and |
| case we wish to clear the form's onsubmit attribute in | | | | press enter: |
| order for the form to be submitted successfully. | | | | [removed]document.spamform.onsubmit="return true;"; |
| The onsubmit attribute generally points to a function | | | | The above statement will not work because the |
| that checks the form to have the correct format. A | | | | 'query' will return a value javascript doesn't know what |
| function that does this may look something like | | | | to do with it so it dumps the returned value on the |
| this:function formSubmit(x) | | | | screen. We need a way to use this value and escape |
| {if(x.email.value=="") return false;return true; | | | | it from passing on to javascript. I know the exact way |
| } | | | | to do this, with alert()! |
| ... | | | | rn true;"); |
| <form method=post action="process.php" | | | | You will see an alertbox with "return true;" instead of |
| onsubmit="return formSubmit(this);"> | | | | dumping this value out to the webbrowser. Once you |
| ... | | | | have executed this query you will be able to enter |
| </form> | | | | whatever value into whatever field in spamform. |