Everything posted by irigsoft

  1. So, is there a solution if the parent is Visible (not disabled and is Visible)? Like SecurityComponent in CakePHP: https://book.cakephp.org/3/en/controllers/components/security.html
  2. Thanks, so if I want to block any client-side manipulation of any component (label, button, BitBtn, panel, groupbox, edit) then I just have to make it read-only (if it exists), right? If I made uniEdit.Visible = True and at runtime on the server side I make it Visible = False and ReadOnly = True, then this will block editing on the client side, right? Let me ask then, how about buttons and blocking onClick events, is it possible?
  3. Yes, I think so too. But here is an example showing that it is possible in CakePHP: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console

     "Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:
     - Unknown fields cannot be added to the form.
     - Fields cannot be removed from the form.
     - Values in hidden inputs cannot be modified.
     It's very useful stuff."

     I am trying to find a way to protect against:

     "Form Parameter Tampering

     Form parameter tampering occurs when attackers modify the data submitted in a web form. This can be done by altering hidden fields, drop-down menus, or any other form elements. The goal is to submit information that the application was not expecting, such as a negative number for a product quantity to test how the server handles unexpected input. Such tampering can lead to a range of outcomes, from minor disruptions to significant security breaches, depending on the nature of the form and the data it handles."
  4. Hi, here is an example project, try it: DrawInCanvas_Mousemove_ex.zip
  5. Hello. I have created my own designer, and every project implemented with uniGUI is empty and created at runtime. With this implementation method, it is possible that some components are visible and others are not. Each component can have procedures (such as OnClick, OnChange, and others), and these procedures can be executed even when the component is not visible. I can't create the invisible components at runtime because some other (visible) component can write or read a caption or text value, or even perform a button click. But this could lead to a security hole and I'm looking for a way to stop this.
  6. So what is the purpose of uniHiddenPanel? Why should I use it, and where?
  7. OK, but in some cases this is not possible, like this:
     1. A client writes some text in uniEdit and clicks a button that will hide uniEdit and move to the next component.
     2. A would-be attacker can extract the value from uniEdit and change it, even though the field is not visible!
     - I want to hide this uniEdit and disable changing its value until I send it to the server.
     Sometimes I run a form with text values filled in a hidden uniEdit, and this is a problem because an attacker can extract all the hidden components and change the value before the client uses it or sends it back to the server. Maybe my question is not very clear, but I am asking how safe it is to hide some components in the hidden panel, and how safe it is from Google DevTools or others.
  8. I gave username just as an example; in this input field different data can be saved on the client side. I just want to know how to protect it.
  9. https://github.com/OWASP/CheatSheetSeries/blob/master/cheatsheets/DOM_based_XSS_Prevention_Cheat_Sheet.md

     Is it possible to apply some HTML encoding like the example above:

     "To make dynamic updates to HTML in the DOM safe, we recommend: HTML encoding, and then JavaScript encoding all untrusted input, as shown in these examples:"

         var ESAPI = require('node-esapi');
         element.innerHTML = "<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData))%>";
         element.outerHTML = "<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData))%>";

         var ESAPI = require('node-esapi');
         document.write("<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData))%>");
         document.writeln("<%=ESAPI.encoder().encodeForJavascript(ESAPI.encoder().encodeForHTML(untrustedData))%>");
  10. Hi, how do you think basic auth will protect your password? Can you share some documentation for that? I think you can use basic auth, but you must write your own procedure for that.
  11. Hi. How to disable changing uniEdit.Text from the client side?

      Scenario: https://stackoverflow.com/questions/58080896/how-to-protect-my-form-input-field-data-from-a-user-to-changes-in-the-console
      1. I have a form that uses uniEdit to keep some information, like userName.
      2. This uniEdit is owned by TuniHiddenPanel, and that panel.Visible = False and uniEdit.Visible = False.
      3. When I click some button, I get uniEdit.Text and use it to save data to the database.

      My problem: uniEdit is visible with the Google console and uniEdit.Text can be changed with the console. Is it possible to block or disable this?

      Can we have 'Form tampering prevention' like SecurityComponent in CakePHP to prevent the following things:
      - Unknown fields cannot be added to the form.
      - Fields cannot be removed from the form.
      - Values in hidden inputs cannot be modified.
      It's very useful stuff.
  12. 1. Try the Chrome mobile browser (I use uniGUI Professional) with this code:

          function keydown(sender, e, eOpts) {
              var val = sender.getValue();
              var allowed = '!@#$%^&*_=.,/-[]{}|№"' +
                            'zxcvbnmasdfghjklqwertyuiop' +
                            'ZXCVBNMASDFGHJKLQWERTYUIOP' +
                            '0123456789';
              //Cancel the event
              //event.stopEvent() ;
              event.preventDefault();
              event.stopPropagation();
              var c = event.key.charCodeAt(0);
              var k = event.key;
              if (k == "Unidentified" || c == 85 || c == 0) //for android chrome keycode fix
              {
                  var val = sender.getValue();
                  c = val.charCodeAt(val.length - 1);
                  k = val.charAt(val.length - 1);
              };
              if (allowed.indexOf(k) > -1) {
                  c = String.fromCodePoint (c + 5);
                  //change last char - not work correct
                  //val = val.substr(0, val.length-1);
                  sender.setValue(val + c);
                  //e.stopEvent() ;
              };
              e.preventDefault();
          }

      2. Try this as a test:
         2.1 Use this code on a desktop browser and write by hand asdfgh, that must give you as result
         2.2 Try to write the same text but on the mobile Chrome browser; that will give you a different result string. The last character is not converted!

      asdfgh -> fxiklm is the correct result string
  13. Thanks, but this is a different case. I will try to explain my purpose:
      1. It must work on desktop and on mobile browsers (Chrome and others).
      2. The code from above works properly on a desktop browser because event.key returns a value and I can check point 3.
      3. event.key must be from the array string that I insert in allowed.
      4. event.keyCode does not return the correct keycode when I use allowed .fromCodePoint (event.keyCode); for example, when I press * (star), I get keyCode = 106 = m, but * (star) = 42. For this reason I can use event.keyCode!
      5. On mobile Chrome I can't get event.key, so for that reason I use:

             if (k == "Unidentified" || c == 85 || c == 0) //for android chrome keycode fix
             {
                 var val = sender.getValue();
                 c = val.charCodeAt(val.length - 1);
                 k = val.charAt(val.length - 1);
             };

         and try to get the last char of the text field, but if there is only one char, I get k=Unidentified and c=85.
      6. I don't use jQuery!
      7. I can use onkeyup because there is some delay, and on fast char entering a different replacement is executed!

      (In your examples everything is based on event.key; as I explained, event.key does not work on mobile Chrome.)

      Problem: how can I find out (on mobile Chrome) which key was pressed when it is the first character in the text field, in the onkeydown event on mobile Chrome?
  14. Hi. I am trying to replace some characters in a TuniEdit on the client side. This is the code I use, but it does not work properly (it behaves differently) on desktop and on mobile Chrome:

          function keydown(sender, e, eOpts) {
              var val = sender.getValue();
              var allowed = '!@#$%^&*_=.,/-[]{}|№"' +
                            '0123456789';
              var c = event.key.charCodeAt(0);//event.code;//event.code;//e.keyCode || e.which;//e.getCharCode();//e.keyCode;
              var k = event.key;
              //if is used in mobile chrome - event.key is unidentified - https://stackoverflow.com/questions/17139039/keycode-is-always-zero-in-chrome-for-android
              if (k == "Unidentified" || c == 85 || c == 0) //for android chrome keycode fix
              {
                  var val = sender.getValue();
                  c = val.charCodeAt(val.length - 1);
                  k = val.charAt(val.length - 1);
              };
              if (allowed.indexOf(k) > -1)// || val.length > 0)
              {
                  c = String.fromCodePoint (c + 5);
                  //change last char - not work correct
                  val = val.substr(0, val.length-1);
                  sender.setValue(val + c);
                  //e.stopEvent() ;
              };
              e.preventDefault();
          }

      UniEdit - Triggers (ButtonEdit).zip
  15. In my case I want to click some button on the form and it will change the property of the text field. I will do that with addJS (if it is possible). I will leave the functionality of the stock Android keyboard, but when I need to, I will change this property of the text field: 'enterkeyhint' 'done'
  16. Is it possible (and how) to set this property with uniSession.AddJS()?
  17. Hi, try to set uniDBGrid.Column[X].AllowHTML := False; (Default = True), if possible!
  18. @snow and @Sherzod, maybe this will point to some solution or troubles:

      https://stackoverflow.com/questions/58303424/onkeyup-doesnt-handle-enter-from-hard-keyboard

      Use dispatchKeyEvent to handle enter:

          override fun dispatchKeyEvent(event:KeyEvent):Boolean {
              if (event.getAction() === KeyEvent.ACTION_UP) {
                  Toast.makeText(this,event.getKeyCode().toString(),Toast.LENGTH_SHORT).show()
                  return true
              }
          }

      or https://www.outsystems.com/forums/discussion/33623/javascript-to-detect-enter-key-press-in-mobile-app/

          document.getElementById("Input_TextVar")
              .addEventListener("keyup", function(event) {
                  event.preventDefault();
                  if (event.keyCode === 13) {
                      $actions.SearchMember();
                  }
              });

      or https://www.outsystems.com/blog/posts/create-input-mask-for-mobile/

      html:

          <input type="text" id="credit-card-mask" />

      javascript:

      js ------ start

          var input = document.getElementById('credit-card-mask'),
              oldValue,
              regex = new RegExp(/^\d{0,16}$/g),
              mask = function(value) {
                  var output = [];
                  for(var i = 0; i < value.length; i++) {
                      if(i !== 0 && i % 4 === 0) {
                          output.push(" "); // add the separator
                      }
                      output.push(value[i]);
                  }
                  return output.join("");
              },
              unmask = function(value) {/^\d{0,16}$/g
                  var output = value.replace(new RegExp(/[^\d]/, 'g'), ''); // Remove every non-digit character
                  return output;
              },
              keydownHandler = function(e) {
                  oldValue = e.target.value;
              },
              inputHandler = function(e) {
                  var el = e.target,
                      newValue = el.value
                  ;
                  newValue = unmask(newValue);
                  if(newValue.match(regex)) {
                      newValue = mask(newValue);
                      el.value = newValue;
                  } else {
                      el.value = oldValue;
                  }
              }
          ;
          input.addEventListener('keydown', keydownHandler );
          input.addEventListener('input', inputHandler );

      js ------- end

      Declared Android 11 bug:
      https://community.anytype.io/t/enter-key-doesnt-work-at-all-on-external-keyboards-on-android/1354/10
      https://forum.jquery.com/portal/en/community/topic/how-to-get-a-enter-key-event-by-the-android
  19. Of course: https://www.w3schools.com/jsref/obj_keyboardevent.asp and all on ClientEvents.ExtEvents:
  20. Did you know that barcode scanners can be programmed to use a different prefix or suffix character, and your software can handle that character (like STX, or #, or whatever) in text fields? Not a much better idea, but it might turn out to be a solution. Another way is to change the default Android keyboard to another one. Another way: you can also use "blur" on the client side and send an ajax event with some commands.

      1.

          YOUREdit.JSInterface.JSAddListener('blur', 'function(){this.setValue(YOURFUNCTION(this.getValue()))}' );

      or 2.

          ' ajaxRequest(this,''brender'',["_sKey_"]);'

      or 3.

          uniSession.AddJS('ajaxRequest (' + YOURForm.JSName + ',''blur'',["this=" + ' + YOUREdit.JSName + ',"_sKey_"]);');
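
The three form-tampering checks asked about in the posts above (no unknown fields, no removed fields, no modified hidden values) can be enforced on the server with a keyed hash over the form's field list and locked values. The following is an added example, not code from the posts, uniGUI or CakePHP; `signForm`, `verifySubmission`, the field names and the session id are assumptions made for illustration.

```javascript
// Added example; function names, field names and sample data are constructed.
const crypto = require('crypto');

const SERVER_SECRET = crypto.randomBytes(32); // stays on the server

// Called when the form is rendered: `fields` is every field name in the form,
// `locked` maps hidden/read-only field names to the values the server set.
function signForm(sessionId, fields, locked) {
  const payload = JSON.stringify({
    sessionId,
    fields: [...fields].sort(),
    locked: Object.keys(locked).sort().map((k) => [k, String(locked[k])]),
  });
  return crypto.createHmac('sha256', SERVER_SECRET).update(payload).digest('hex');
}

// Called on submit: recompute the HMAC from what the browser actually sent.
// `lockedNames` comes from the server-side form definition, never the client.
function verifySubmission(sessionId, submitted, lockedNames, token) {
  const locked = {};
  for (const name of lockedNames) {
    if (!Object.prototype.hasOwnProperty.call(submitted, name)) {
      return { ok: false, reason: 'locked field removed' };
    }
    locked[name] = submitted[name];
  }
  const expected = Buffer.from(signForm(sessionId, Object.keys(submitted), locked), 'hex');
  const given = Buffer.from(String(token), 'hex');
  // Length check first: timingSafeEqual throws on buffers of different size.
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'form tampered' };
  }
  return { ok: true, reason: null };
}

// Constructed demo: userName is a hidden field the server filled in.
const demoToken = signForm('sess-1', ['userName', 'comment'], { userName: 'alice' });
const demo = (body) => verifySubmission('sess-1', body, ['userName'], demoToken);
console.log(demo({ userName: 'alice', comment: 'hi' }));            // accepted
console.log(demo({ userName: 'admin', comment: 'hi' }));            // hidden value changed
console.log(demo({ userName: 'alice', comment: 'hi', role: 'x' })); // unknown field added
console.log(demo({ comment: 'hi' }));                               // locked field removed
```

Where the server keeps per-session state, a value the user must not change can instead stay in that state and never be read back from the browser.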