
Discussion


Forms - What happened to my data?

posted on February 25, 2019

After receiving the error below all my data is gone from what the user submitted. There is no history at all in Forms where I can retrieve the data.

I have lots of questions about this, like how to disable it, what it is for, why it doesn't use the age old method of allowing the user to correct his mistake, etc. But most of all, is the submission data destroyed from the system permanently?

This is the second feature which is removing submission data from systems automatically without any chance to recover or save the process. The first was something called "Validation" which we have turned off globally, then this thing came out of nowhere.

I am fine with having all these features to protect us, I just don't want any default automation in place that deletes user submission. We used to have suspensions where we could get involved, or red boxes that mark fields that need to be corrected, etc.

 

Caught exception: Laserfiche.Forms.CommonUtils.Exceptions.LFFormsException

Message: One or more form fields contains illegal character combinations (e.g., "&# or '<' next to (a-z, /, ?, !)"). Please resubmit the form without these characters. [LFF2111-RequestValidationException]

1 0
replied on February 18, 2022

Recovering the form with the data the user entered after running into an error when submitting the form or saving a draft has been supported for classic forms since Forms 10.4.4. The new form designer is not supported yet, but we are looking into it.

0 0
replied on March 4, 2019

Hi Chad, this error occurred because requestValidationMode is 4.0 by default for ASP.NET applications, and it will prevent submitting field data that contains HTML. We will enhance the experience by adding front-end validation to detect whether the field data contains HTML and show an error under the field before submitting. Before the front-end validation is added, if you want to turn off the validation of field data that contains HTML, you can add the following settings to the end of web.config under C:\Program Files\Laserfiche\Laserfiche Forms\Forms, before "</configuration>":

<location path="Form/Submit">
<system.web>
<httpRuntime requestValidationMode="2.0"/>
</system.web>
</location>

 

3 0
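
An added example, not part of the original thread and not Laserfiche's code: a front-end check of the kind described in the reply above, applying the rule as worded in the LFF2111 error message so that each offending field can be marked while the user's entries stay in place. Field names and sample values are constructed.

```javascript
// Added example: client-side pre-check mirroring the rule quoted in the
// LFF2111 error message. Field names and sample values are constructed.

// '<' immediately followed by a letter, '/', '?' or '!', or the pair '&#'.
// Letters are matched case-insensitively.
const ILLEGAL = /<[a-z\/?!]|&#/gi;

// Return every offending combination in one value, with its position.
function findIllegalCombos(value) {
  const hits = [];
  for (const m of String(value).matchAll(ILLEGAL)) {
    hits.push({ index: m.index, text: m[0] });
  }
  return hits;
}

// Check all fields before submit. Returns field name -> hits, so the page can
// mark each field instead of posting and losing the whole submission.
function validateFields(fields) {
  const errors = {};
  for (const [name, value] of Object.entries(fields)) {
    const hits = findIllegalCombos(value);
    if (hits.length > 0) errors[name] = hits;
  }
  return errors;
}

// Build the message to show under a field.
function describe(name, hits) {
  const shown = hits.map(h => `"${h.text}" at position ${h.index + 1}`);
  return `${name}: remove or reword ${shown.join(", ")}`;
}

// Constructed sample submission.
const sample = {
  contact: "John Smith <john.smith@example.com>",
  company: "Smith & Sons",                 // '&' not followed by '#': allowed
  notes: "budget < 5000, see item &#35;",  // "< " allowed, "&#" flagged
  comment: "if a<b then </done>",          // two hits
};

const errors = validateFields(sample);
for (const [name, hits] of Object.entries(errors)) {
  console.log(describe(name, hits));
}
```

A check like this only improves the user experience; the server-side request validation and output encoding remain the actual XSS controls.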
replied on March 5, 2019

Thanks for the info on how to enable/disable this, but I am not sure why I would want to enable it.

How would an XSS attack work through a Form input field?

If I input <script>alert('hello world')</script> into a Single Line it does no good if it is treated as literal text.

0 0
replied on March 12, 2019

Forms has a mechanism to prevent XSS attacks in the field value; it won't execute the "<script>alert('hello world')</script>" entered in the Single Line field, whether on New Submission, Submitted Form, or User Task.

0 0
replied on March 12, 2019

Let's keep the data in that case. Why are we dumping submissions that contain field values like:

<email@email.com>, brick&morter, etc

What was the objective of the 4.0 validation?

Shouldn't validation mode be 2.0 globally?

0 0
replied on March 14, 2019

This stopped working on me today. I pasted under the text '<configuration>' on the next line and everything went offline and displayed a 500 error.

0 0
replied on March 18, 2019

Hi Chad, I should have made it clearer: you should put it at the bottom of the web.config instead of the top of the web.config, such as the following:

0 0
replied on March 18, 2019

Hi Chad,

Request validation mode 4.0 validates all requests, while request validation mode 2.0 only validates .aspx page requests. The purpose of request validation is to protect against XSS attacks; it is used as a first gate to prevent XSS attacks by not allowing unencoded HTML content to be processed by the server. For filling out a form, there is special handling inside the Forms application to not execute script entered by the end user in the field data, but other places may not have such handling. So I would suggest you only change the request validation mode to 2.0 for submitting forms.

0 0
replied on March 18, 2019

Ok, right under the </entityFramework> is working. I did notice that upgrading the application on a client server wiped this setting though. Is it possible to put this configuration somewhere that remains as a server configuration? There are a lot of 10.4 upgrades around the corner.

0 0
replied on March 22, 2019

Retaining customized content in the web.config is not supported; you need to manually add it after upgrade.

0 0
replied on February 27, 2019

For this form, because it requests important information, I am going to remove any input that does not meet this requirement and notify the user of what was removed, using custom JavaScript.

I would like to do this globally though, I just can't understand the need to eliminate everything over one field, even if there is a good reason behind whatever the reason is, which was never made clear.

The new version of this form will be so much more reliable, and the solution is simple, I just have no way to distribute it to everyone who is creating forms processes.

0 0
replied on February 25, 2019

Chad, I have run into this before as well. It doesn't actually delete the user's submission because it never makes it to the database, but I hear you on the fact that it should at least keep it in the browser's memory and allow them to make any corrections instead of losing all the data that they entered.

0 0
replied on February 25, 2019

Yea these new security requirements are very brute force, I lost all the entered data and uploaded files without any chance to make a correction.

Also the request is so complicated, can't have x or y or z followed by a or b or c.

Doesn't a string hold any combination of characters? I am not worried about injection, that can be handled by treating every string literally.

0 0
replied on May 14, 2019

I've commonly experienced issues like this in the past when users are copying and pasting information from other sources. A classic example was pasting an email address into the email field: John Smith <"john.smith@google.com">, which made forms really shit the bed after submission. Forms' validation handling has improved in the last few years though.

Making validation on certain forms optional helped with this a lot, but finding the cause of the issue was a nightmare. In our case, the only way we were able to do it was to sit with the end users and watch what they were doing until the error occurred.

0 0
replied on May 20, 2019

In the coming release of Forms 10.4.1, front-end validation is added for the invalid chars that are not allowed, which will prevent such values from being submitted. Please play with this feature after 10.4.1 is released.

0 0
replied on September 2, 2020

Xiuhong, did the front end validation make it into the release of Forms 10.4.1? I didn't see anything for it in the list of changes.

 

0 0
replied on September 2, 2020

Hi Michael

I can confirm that we started seeing the front end validation after rolling out 10.4.1

1 0
replied on September 2, 2020

Hi Chad,

That's great, thanks!

0 0
replied on September 2, 2020

Yes, the front end validation for invalid chars is added in Forms 10.4.1.

1 0