web.dev wrote:
tr****@gmail.com wrote:
><INPUT TYPE=button
OnClick=javascript:window.location='edit.php?action=remote&ID=1234&pw='+this.form.password.value+;
VALUE=remote update>
1. Do not use the javascript pseudo-protocol. It
doesn't belong here and is not needed.
In the context of an intrinsic event attribute the - javascript: - is
the syntax for a label. A worthless label as no - break - or -
continue - statement refers to it, or would be meaningful in the code.
2. It's generally a good idea to place quotes around
attribute values.
It is a requirement of valid HTML that quotes be used around attribute
values that contain certain characters, and those characters are common
in javascript source code.
It is also likely that the HTML parser may see the character sequences -
&ID - and - &pw - as unrecognised entities so they probably should be -
&amp;ID - and - &amp;pw -.
>The specific piece that I narrowed the error down to is:
+this.form.password.value+;
The last addition is not necessary.
And a javascript syntax error.
Assuming you have an input element that's a password
type with a name 'password', recommended solution is
the following:
<input type = "password" name = "password">
<input type = "button"
onclick = "window.location='edit.php?etc=etc&pw=' +
this.form.elements['password'].value;"
value = "remote update">
Wouldn't:-
<form action="edit.php" method="GET">
<input type="hidden" name="ID" value="1234">
<input type="hidden" name="action" value="remote">
<input type="password" name="pw">
<input type="submit" value="remote update">
</form>
- be better yet as it is functional without any javascript dependency at
all. Though if any field is a password field sending the password value
as a text on a query string makes its interception trivial. A POST
request would be preferable.
Richard.
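
Richard's closing point, as an added example that is not part of the thread: a JavaScript (Node) sketch that models what the browser sends for the form above with method GET versus POST, then flags and redacts password parameters found in a URL before it is logged. The base URL, the password value and the SENSITIVE name list are assumptions.

```javascript
// Added example (not from the thread). Field names and edit.php come from the
// posts above; the base URL and password value are constructed.

// Model what leaves the browser for a given form method.
function buildRequest(method, action, fields) {
  const url = new URL(action, "https://example.test/"); // constructed base
  // application/x-www-form-urlencoded serialization, as a form submit does
  const encoded = new URLSearchParams(fields).toString();
  if (method.toUpperCase() === "GET") {
    url.search = encoded; // every field, password included, is now in the URL
    return { method: "GET", url: url.href, body: null };
  }
  return {
    method: "POST",
    url: url.href, // URL carries no field data
    headers: { "Content-Type": "application/x-www-form-urlencoded" },
    body: encoded,
  };
}

// Parameter names that should never appear in a URL (assumed list).
const SENSITIVE = ["pw", "password", "passwd", "pass"];

// Return the sensitive parameter names present in a URL's query string.
function sensitiveParamsInUrl(href) {
  const params = new URL(href).searchParams;
  return [...params.keys()].filter((k) => SENSITIVE.includes(k.toLowerCase()));
}

// Replace sensitive values before a URL is written to a log.
function redactUrl(href) {
  const url = new URL(href);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE.includes(key.toLowerCase())) url.searchParams.set(key, "REDACTED");
  }
  return url.href;
}

const fields = { ID: "1234", action: "remote", pw: "s3cret&x" }; // constructed
const viaGet = buildRequest("GET", "edit.php", fields);
const viaPost = buildRequest("POST", "edit.php", fields);
console.log(viaGet.url, sensitiveParamsInUrl(viaGet.url));
console.log(viaPost.url, viaPost.body, sensitiveParamsInUrl(viaPost.url));
console.log(redactUrl(viaGet.url));
```

POST keeps the password out of the URL, and therefore out of browser history, Referer headers and server access logs. The request body is still sent in clear text unless the page is served over HTTPS.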