Question

Retrieve field value from iframe

asked on August 1, 2019

I have an iframe on a Laserfiche form, and in the iframe the user enters some information, clicks a button, and it generates a resulting number. I want to save that number in one of the fields on the form, but I can't figure out how exactly to do that. Would someone be able to assist?

0 0

Replies

replied on August 1, 2019

Are the sites hosted on the same server? If not, you're going to run into some challenges because cross site scripting is a big security vulnerability and as a result is typically blocked.

0 0

replied on August 2, 2019

By "the sites" do you mean Forms and the location of the iframe? Because the iframe came from an external website.

0 0
replied on August 2, 2019

What do you want to trigger the part that collects the number and puts it into the form?

0 0
replied on August 2, 2019

Clicking a button on the iframe is what (using the data from a few fields on the iframe) generates the number that I want to retrieve.

0 0
replied on August 2, 2019

That's where you're going to run into problems. You're talking about having events from an external website trigger changes on your form, which is the kind of thing browser security is trying to prevent.

I'm not saying it is impossible to get something working; it just isn't a "secure" way to do things, so there are a lot of roadblocks.

0 0
replied on August 2, 2019

Do you have a recommendation for a better way to handle this? Essentially, the whole point is that the information entered before the button is pressed is private information that we don't want in Forms fields because we don't want it saved anywhere.

0 0
replied on August 2, 2019

Is the external site something you created? I think that's where I'm getting confused.

It is worth noting that you can add inputs to custom HTML that will not be saved when the form is uploaded, but it's hard to say without knowing more about the process.

Is the "number" an identifier, is it calculated? Basically, it depends what this external site is doing before I can really make a suggestion.

0 0
replied on August 2, 2019

It's not something we created. It's something that one of our partners created, where we're trying to integrate their processes with Laserfiche. The number is generated based on one of the fields entered.

So it's basically

User-entered number: Do not want to save

Number generated based on user-entered number: Do want to save

0 0
replied on August 2, 2019

Is the number something you can generate within the form itself without their site?

I know you don't want to save the user-entered number, but that is not required as long as you can utilize it without submitting the form.

Also, is their site hosted externally or within your network?

0 0
replied on August 2, 2019

If we were able to generate it within the form itself (in custom HTML I assume?) would we be able to ensure that someone who can view that HTML is not able to take the resulting number and try to generate the original number using what's in the HTML?

The site is hosted externally.

0 0
replied on August 2, 2019

No one other than the person viewing the form would be able to see any data entered into a Custom HTML input.

Custom HTML is static content as far as Forms is concerned, so it doesn't "save" changes at all. There's no "variable" to look at, and if the form is reviewed by someone else, the only thing they would see in the Custom HTML is the default HTML from the designer, not anything the user changed/added.

To take things further, you can use JavaScript to clear the fields out as soon as you generate the number.

For example,

  1. User enters number
  2. You generate the new number
  3. Delete the original

0 0
replied on August 2, 2019

I wasn't referring to the information actually entered into the form. I was referring to the method with which the new number is generated. If it's a black box, like something hosted on another site, then the user wouldn't be able to see how the number is formed. But if the methodology with which the number is generated is exposed, is that not a security issue?

0 0
replied on August 2, 2019

Okay then that would be a different story. If you don't want the methodology exposed, then you cannot include it directly on the form.

However, it depends on how it all functions. Is the vendor's site generating the number with a web app, or on the page itself with JavaScript?

An iframe is no more private than content on the main form; the key difference for security is going to come from where the code is kept and executed.

Again, I don't really know enough about what your process does to give an exact solution; I just know that browsers won't want to cooperate with cross site script execution.

0 0
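
Added example, not part of the original thread and not Laserfiche or partner code: the browser's standard way to pass one value across origins is `window.postMessage`, which only works if the partner's page agrees to send the generated number (and nothing else) to the parent form. The sketch below is the receiving side for the form's JavaScript; the partner origin, the message shape, and the element selectors are all assumed placeholders.

```javascript
// Receiver for a value posted by a cross-origin iframe (added example).
// Assumed cooperating sender inside the partner page, run after its button click:
//   window.parent.postMessage({ type: 'generated-number', value: '12345' },
//                             'https://forms.example');  // placeholder parent origin
const PARTNER_ORIGIN = 'https://partner.example'; // placeholder, not from the thread

// Returns the generated number as a string, or null if the message is not trusted.
function acceptGeneratedNumber(event, frameWindow) {
  // 1. Exact origin comparison; prefix or substring checks can be spoofed.
  if (event.origin !== PARTNER_ORIGIN) return null;
  // 2. The message must come from the iframe this form embedded.
  if (event.source !== frameWindow) return null;
  // 3. The payload is untrusted input: check its shape and type.
  const d = event.data;
  if (d === null || typeof d !== 'object') return null;
  if (d.type !== 'generated-number') return null;
  // Assumed format: 1 to 20 decimal digits, sent as a string.
  if (typeof d.value !== 'string' || !/^[0-9]{1,20}$/.test(d.value)) return null;
  return d.value;
}

// Browser-only wiring; skipped when the file is loaded outside a page.
if (typeof window !== 'undefined') {
  window.addEventListener('message', (event) => {
    const frame = document.getElementById('partner-frame'); // hypothetical iframe id
    const value = frame ? acceptGeneratedNumber(event, frame.contentWindow) : null;
    if (!value) return; // ignore anything that failed validation
    const field = document.querySelector('#generated-number input'); // hypothetical
    if (field) {
      field.value = value;
      // Notify the form's own scripts that the field changed.
      field.dispatchEvent(new Event('change', { bubbles: true }));
    }
  });
}
```

With this arrangement the user-entered number and the generation logic stay on the partner's origin, and only the validated result reaches the form field.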