Prevent XSS Attack

When a Hash Variable that carries a URL parameter or any other user-supplied value is used inside your custom JavaScript, make sure the hash variable is escaped.

Make use of hash variable escape keywords, see Hash Variable - Escaping the Resultant Hash Variable.

Use the ?javascript hash variable escape. Example:

#requestParam.id?javascript#
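The following is an added example and is not Joget's own code. Joget resolves hash variables on the server, so the ?javascript escape is applied before the script reaches the browser; the escapeForJsString function here is an assumed stand-in that shows the transformation such an escape has to perform, and why an unescaped URL parameter placed inside a script block is dangerous. The sample inputs are constructed.

```javascript
// Added example, not Joget's own code. The ?javascript hash variable escape is
// applied server-side when "#requestParam.id?javascript#" is resolved; this
// function is an assumed stand-in that shows the transformation such an escape
// must perform so that a URL parameter can sit inside a JavaScript string
// literal without terminating the literal or the enclosing <script> block.
function escapeForJsString(value) {
  // Backslash, both quote styles, angle brackets (so "</script>" cannot appear
  // in the output), ASCII control characters and the two Unicode line
  // terminators are rewritten as \uXXXX escapes; everything else is unchanged.
  return String(value).replace(/[\\"'<>\u0000-\u001f\u2028\u2029]/g, (ch) => {
    return "\\u" + ch.charCodeAt(0).toString(16).padStart(4, "0");
  });
}

// Builds the script text a Custom HTML element would contain once the server
// has substituted the escaped parameter. In the Joget template this line would
// be written as:   var id = "#requestParam.id?javascript#";
function buildScript(paramValue) {
  return 'var id = "' + escapeForJsString(paramValue) + '";';
}

// Counts unescaped double quotes in the generated script. A safe result has
// exactly two: the opening and closing delimiters of the string literal.
function quoteCount(script) {
  return (script.match(/"/g) || []).length;
}

// Decodes the escaped literal the way a JavaScript parser would (the \uXXXX
// escapes used above are also valid JSON string escapes) and checks that it
// yields the original value unchanged: the parameter stays data, never code.
function roundTrips(value) {
  return JSON.parse('"' + escapeForJsString(value) + '"') === value;
}

// Constructed sample inputs: an ordinary record id, and two values carrying
// the characters that would otherwise break out of the string or the script.
const SAMPLES = [
  "1234",
  'abc" ; foo(); //',
  "</script><b>x</b>",
];

// Stand-alone run: every sample produces a script with exactly two quote
// delimiters and decodes back to the original value.
for (const sample of SAMPLES) {
  console.log(buildScript(sample), quoteCount(buildScript(sample)) === 2, roundTrips(sample));
}
```

The point of the round-trip check is that escaping is only correct if the browser reads back exactly the value the user sent; an escape that drops or alters characters would be a sign that the value was being used as code rather than data. In Joget this is what the ?javascript escape provides, so the custom script should always use #requestParam.id?javascript# rather than the raw #requestParam.id# when the value lands inside a script block.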

Introduction

Custom HTML in Form Builder can be used to achieve advanced form design.

Get Started

The easiest way to see how the Custom HTML works is to use the existing built-in App Expenses Claims. Here are the steps:

  1. Start the Joget Server and open the App Center.

  2. Log in as admin and click on the pencil icon on the Expenses Claim to open the App Composer. (see Figure 1)


    Figure 1

  3. Click on Expense Claim Form and you will be directed to the Form Builder.

  4. Click on the Custom HTML element on the canvas to open the Configure Custom HTML properties. (see Figure 2)

    Take note!
    <a href="setupCategory" target="_blank">Setup Category</a>

    Figure 2

  5. This Custom HTML is used to redirect to another page in the App when the user clicks on "Setup Category". 

  6. To see it working, head back to the App Composer and click the Launch button in the UI column.

  7. Click on the Create a New Expense Claim button on the Dashboard, fill in the necessary details and click Continue Next Screen.

  8. Here you will find the link. Click it to see that it redirects you to the Setup Category page.

  9. Head back to the App Composer and open the Expenses Claims app under the UI column.

  10. In the UI Builder, take a look at the properties of Setup Category. Note that the href attribute of the <a> element in the Custom HTML uses the Menu ID to specify the page the link goes to. (see Figure 3)


    Figure 3

Custom HTML Properties

Edit Custom HTML

Name / Description

ID

The element ID will not automatically be reflected in the database unless you toggle Auto Populate Saved Value? and use an <input> element in the custom HTML.

The <input> Element

Any <input> element in the custom HTML will automatically create a database table column based on the name attribute.

To retrieve the value back, enable Auto Populate Saved Value? under Advanced Options below. The value attribute must be present in the code so that the value is stored and fetched in both the form and the database.



Please see Form Element for more information about defining the ID and the list of reserved IDs.

Making it Hidden

You can name the ID as "hidden" and the content will be hidden away in the runtime/actual UI.



Custom HTML

Custom HTML in Form Builder can be used to achieve advanced form design by putting in any valid:

  1. HTML

    Sample
    <b>this text is in bold</b>
    Sample
    <input type="text" id="fname" name="fname" value="">

  2. JavaScript (jQuery is supported)
    Don't forget to wrap it in a <script type="text/javascript"></script> block

    Sample
    <script type="text/javascript">
    alert("hello world");
    </script>

  3. CSS
    Don't forget to wrap it in a <style type="text/css"></style> block

    Sample
    <style type="text/css">
    body {
      font-size: 100%;
    }
    </style>


Advanced Options

Name / Description

Label

Element label to be displayed to the end-user.

Auto Populate Saved Value?

Toggle to auto-populate the saved value.

value attribute

Auto-population is based on the value attribute. The value attribute must be present in the code so that the value is stored and fetched in both the form and the database.
Example:

<input type="text" id="myhtml" name="myhtml" value="">

The following input types are not supported: file, button, submit, reset and image.

Sanitize Input Value?

Checking the box sanitizes the input value before it is stored in the database. Please see Form Input Sanitization.

