ISML Tag - ISFORM

Name

ISFORM

Short Description

use instead of the HTML <FORM> tag

Product Version

7.4

Product To Version

Status

final

1 Introduction

ISML provides the <ISFORM> tag, which should be used instead of the HTML <FORM> tag whenever a form triggers security-relevant changes. During compilation the tag is replaced with a regular HTML <FORM> tag plus a hidden field for the synchronizer token. The token value itself is set by the Web Adapter when it delivers the page; a CSRFServlet generates the token and hands it to the Web Adapter.
To let authorized users pass CSRFGuard, a synchronizer token has to be injected into every form that triggers security-relevant changes. For CSRFGuard it is inserted as a hidden form field with a fixed name.
Using the <ISFORM> ISML tag allows for server-side token injection. Server-side injection is the preferred approach because the token is delivered together with the HTML, rather than being added on the client afterwards.

2 Syntax

<isform
  [ site = "( {String} | {ISML expression} )" ]
  [ serverGroup = "( {String} | {ISML expression} )" ]
  [ secure = "( true | false )" ] >
</isform>

3 Example

The example below shows the typical use of the <ISFORM> tag. HTML <FORM> attributes (e.g., action, name, method) are passed through unaltered to the generated <FORM> tag.

HTML tag

<isform
  action="#URL(Action('ViewApplication-ProcessLogin'))#"
  site="PrimeTech-Site"
  servergroup="WFS"
  name="LoginForm">
</isform>

4 Attributes

There are three optional attributes.

4.1 site

site = String | ISML Expression

The name of the site the form points to. It must be specified if the form points to a site other than the one of the current request and the site cannot be extracted from the form's action URL (i.e., if a short URL is used instead of the default URL(Action(...)) pattern). The Web Adapter needs the site to look up the session for the correct site. If no site is specified, the site of the current request is used.

4.2 serverGroup

serverGroup = String | ISML Expression

The server group the form points to. It must be specified if the form's action leads to another server group and the server group cannot be extracted from the form's action URL. If not specified, the default fallback chain "site server group -> current request server group -> WFS" is used.

4.3 secure

secure = true | false

If set to true, an input field with type="hidden" holding the token is inserted. If set to false, no hidden input field is inserted. If the attribute secure is not specified, its effective value depends on the value of the attribute method.

Note

The W3C defines the use of the attribute method="get" as unsafe. At the same time, get is the default value of the HTML attribute method.
This may lead to incorrect use of the attribute secure in combination with the attribute method. See the table below for details on how to combine both attributes properly.

secure=""        ISML method=""   HTML method=""   CSRF protection
true             post             post             yes
true             get              get              ParseException
true             not specified    get              ParseException
false            post             post             no
false            get              get              no
false            not specified    get              no
not specified    post             post             yes
not specified    get              get              no
not specified    not specified    get              no
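The following is an added illustration, not Intershop code: a minimal model of how an <isform> tag is rewritten into an HTML <form> plus a hidden synchronizer-token field (Section 1), applying the secure/method decision table above. The hidden field's name and the token marker are assumptions, since the article gives neither; in the real product the Web Adapter supplies the token value.

```python
# Added example: models the compile-time rewrite of <isform> to <form>
# following the secure/method table in this article. Not Intershop code.

TOKEN_FIELD_NAME = "CSRF_TOKEN_FIELD"        # assumption: the real fixed field name is not given here
TOKEN_PLACEHOLDER = "{{WEB_ADAPTER_TOKEN}}"  # assumption: marker the Web Adapter would replace

# Attributes the ISML compiler consumes; everything else passes through unaltered.
COMPILER_ATTRS = ("site", "servergroup", "secure", "method")


class ParseException(Exception):
    """Compile-time error for secure="true" combined with a GET form."""


def resolve_secure(attrs):
    """Return (effective HTML method, inject_token) per the decision table.

    HTML defaults method to "get", so an unspecified method counts as get.
    """
    method = attrs.get("method", "get").lower()
    secure = attrs.get("secure")
    if secure is None:
        # secure not specified: only POST forms receive a token
        return method, method == "post"
    if secure.lower() == "true":
        if method == "get":
            raise ParseException('secure="true" requires method="post"')
        return method, True
    # secure="false": never inject, whatever the method
    return method, False


def compile_isform(attrs):
    """Render an <isform ...></isform> as the HTML <form> the compiler would emit."""
    method, inject = resolve_secure(attrs)
    passthrough = {k: v for k, v in attrs.items() if k.lower() not in COMPILER_ATTRS}
    parts = [f'<form method="{method}"'] + [f'{k}="{v}"' for k, v in passthrough.items()]
    html = " ".join(parts) + ">"
    if inject:
        html += f'<input type="hidden" name="{TOKEN_FIELD_NAME}" value="{TOKEN_PLACEHOLDER}">'
    return html + "</form>"


if __name__ == "__main__":
    # The login form from Section 3, made a POST form so that it is protected.
    login = {"action": "#URL(Action('ViewApplication-ProcessLogin'))#",
             "site": "PrimeTech-Site", "servergroup": "WFS",
             "name": "LoginForm", "method": "post"}
    print(compile_isform(login))
```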
