Prevent XSS Attack

When using Hash Variable that uses URL parameter or user-inputted value in your custom JS scripts, ensure that these hash variable(s) are escaped!

Make use of hash variable escape keywords, see Hash Variable - Escaping the Resultant Hash Variable.

Use ?javascript  hash variable escape. Example:

#requestParam.id?javascript#

Introduction

Custom HTML in Form Builder can be used to achieve advanced form design.

Get Started

The easiest way to see how the Custom HTML works is to use the existing built-in App Expenses Claims. Here are the steps:

  1. Start the Joget Server and open the App Center.

  2. Log in as admin and click on the pencil icon on the Expenses Claim to open the Design App. (see Figure 1)


    Figure 1

  3. Click on  Expense Claim Form and you will be directed to the  Form Builder. 

  4. Hover the mouse over the Custom HTML element on the canvas and click on Edit to open up the Edit Custom HTML properties. (see Figure 2). 

    Take note!
    <a href="setupCategory" target="_blank">


    Figure 2

  5. This Custom HTML is used to redirect to another page in the App when the user clicks on "Setup Category". 

  6. To see it working, head back to the Design App and click the Launch button in the Userview column.

  7. Click on Create a New Expense Claim button on the Dashboard, fill up the necessary details and click Continue Next Screen

  8. Here you will find the link. Click it to see it redirects you to the Setup  Category page.

  9. Head back to the Design App and open up the Expenses Claims Apps under Userview column. 

  10. In Userview Builder and take a look at the properties of Setup Category. Note that the <a> href attribute used in Custom HTML element was using the CustomID to specify the page the link goes to. (see Figure 3)


    Figure 3

Custom HTML Properties

Edit Custom HTML

NameDescription
ID

Element ID will not be automatically be reflected in the database unless you toggled the Auto populate saved value and use the <input> element in the custom HTML.

The <input> Element

Any <input> element in the custom HTML will automatically create a database table column based on the name attribute. 

To retrieve the value back, you can enable Auto Populate Saved Value? under Advanced Options below.


Please see Form Element for more information about defining the ID and the list of reserved IDs.

Making it Hidden

You can name the ID as "hidden" and the content will be hidden away in the runtime/actual userview.



Custom HTML

Custom HTML in Form Builder can be used to achieve advanced form design by putting in any valid -

  1. HTML

    Sample
    <b>this text is in bold</b>
    Sample
    <input type="text" id="fname" name="fname" value="">

    The <input> Element

    Any <input> element in the custom HTML will automatically create a database table column based on the name attribute. 

    To retrieve the value back, you can enable Auto populate saved value? under Advanced Options below.

  2. JavaScript (jQuery is supported)
    Don’t forget to put in <script type="text/javascript"></script> block

    Sample
    <script type="text/javascript">
alert("hello world");
</script>

  3. CSS
    Don’t forget to put in <style type="text/css"></style> block

    Sample
    <style type="text/css">
body{
 font-size: 100%;
}
</style>


Advanced Options

NameDescription
LabelElement Label to be displayed to the end-user.
Auto populate saved value?

Toggle to the auto-populate saved value.

The <input> Element

Any <input> element in the custom HTML will be automatically retrieved so long as the name attribute is the same as the database table column

Does not support the following input types: file, button, submit, reset & image

Sanitize Input Value?

Checking the box will sanitize the input value before storing input data to database. Please see Form Input Sanitization

Related Tutorials:

  • No labels