Login

Tamper safe HiddenFields

Author:
alexmeisel
Posted:
November 13, 2008
Language:
Python
Version:
1.0
Tags:
newforms field hidden froms
Score:
-2 (after 4 ratings)

This snippet prevents people from tampering with the data in hidden form fields. This is something you usually want unless you have some Javascript Vodoo going on on the browser side.

For the people scratching their heads:

This form class will dynamically create a clean function for every passed additional hidden field, which just returns the original value of the hidden field. So the data in the hidden field posted gets actually ignored when calling the (overwritten) clean_{field name} function.

This class is just an example using the protected hidden field feature for all passed field variables, which is probably not what you want. You have to add the editable fields the end of the init function in the class. Example: self.fields['bestbeer'] = forms.CharField(max_length=23)

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
class someInputForm(forms.Form):
    def __init__(self, protectedFields, *args, **kwargs):
        super(someInputForm, self).__init__(*args, **kwargs)
        for key, value in protectedFields.iteritems(): # For Python 2.6 just use items()
            self.fields[key] = forms.CharField(initial = value, widget = forms.HiddenInput())
            item = value
            def cleanthis(item = item): # Sometimes you have to decide if you love Python for this or not ;-)
                return item
            setattr(self, 'clean_%s' %(key), cleanthis)

# Example:
hiddenData = {'action': 'add', 'hash': '05ff2cba6e002b09288a99701ad5cfc9'}
form = someInputForm(hiddenData)

More like this

  1. Prevent form tampering of hidden fields by theju 5 years, 2 months ago
  2. Easier prefix handling for forms by gsakkis 4 years, 10 months ago
  3. Complex Form Preview by smagala 5 years, 11 months ago
  4. Sign a string using SHA1, then shrink it using url-safe base65 by simon 6 years, 6 months ago
  5. FieldsetForm by Ciantic 7 years, 11 months ago

Comments

brooks_lt (on November 13, 2008):

Am I the only person confused by this?

#

aarond10ster (on November 18, 2008):

Nope... I am also scratching my head...

#

alexmeisel (on January 1, 2009):

I updated the documentation to clarify a few things for the people scratching their heads ... or not being very familiar how python works (setattr) and how to use django forms in a 'complicated' environment.

#

mark0978 (on January 13, 2009):

It creates pseudo anonymous functions that are put into the clean portion of the form for all the protected/hidden fields.

So that when they get "cleaned" they get the value that they had when they left the server, instead of the value they had when the came back from the browser.

Interesting idea, but I have to wonder, if, at the point the form is being returned from the browser, you know those values, why, did you ever send them to the browser in the first place?

#

alexmeisel (on April 9, 2009):

mark0978: You want to send hidden data if there is some javascript picking it up ... doing some magic with it.

I'm used to ignore those fields but I have seen a lot of django based applications which carry some state from one step to another. Hidden form fields are obviously the wrong way to do it (use sessions instead!!), but that doesn't stop people still doing it.

#

Please login first before commenting.