ISML Tag - ISFORM

Name	ISFORM
Short Description	use instead of the HTML <FORM> tag

Introduction
Syntax
Example
Attributes
- site
- serverGroup
- secure

Product Version	7.4
Product To Version
Status	New Labels

Introduction

ISML provides the <ISFORM> tag, which should be used instead of the HTML <FORM> tag when a form triggers security-relevant changes. During compilation this tag will be replaced with a regular HTML <FORM> tag and a hidden field for the synchronizer token. The token itself will be set by the Web Adapter when delivering the page. A CSRFServlet handles the token generation and delivers it to the Web Adapter.
To enable authorized users to pass CSRFGuard, a synchronizer token has to be injected into all forms that trigger security-relevant changes. For CSRFGuard it is inserted as hidden form field with a fixed name.
Using the <ISFORM> ISML tag allows for a server-side token injection. The serverside token injection is the preferred way, because the token is provided together with the HTML.

Syntax

<isform
  [ site = "( {String} | {ISML expression} )" ]
  [ serverGroup = "( {String} | {ISML expression} )" ]
  [ secure = "( true | false )" ] >
</isform>

Example

The example below shows the typical use of the <ISFORM> tag. HTML <FORM> attributes (e.g., action, name, method etc.) are passed through unaltered to the parsed <FORM> tag.

HTML tag

<isform
  action="#URL(Action('ViewApplication-ProcessLogin'))#"
  site="PrimeTech-Site"
  servergroup="WFS"
  name="LoginForm">
</isform>

Attributes

There are three optional attributes.

`site`

site = String | ISML Expression

The name of the site the form points to. Must be specified if the form points to another site than the one from the current request and the site can not be extracted from the form's action URL (i.e., if a short URL is used instead of the default URL(Action(...)) pattern). The site is necessary for the Web Adapter to get the session for the correct site. If no site is specified, the site of the current request is used.

`serverGroup`

serverGroup = String | ISML Expression

The server group the form points to. The server group must be specified if the form's action leads to another server group (i.e., if the server group cannot be extracted from the form's action URL). If not specified, the default "site server group -> current request server group -> WFS" will be used.

`secure`

secure = true | false

If set to true, an input field with type="hidden" holding the token will be inserted. If set to false, no hidden input field will be inserted. If the attribute secure is not specified its value depends on the value of the attribute method.

Note

The W3C defines the use of the attribut method="get" as unsafe. At the same time get is the default of HTML attribute method.
This may lead to incorrect use of the attribute secure in combination with attribute method. See the table below for detailed information on how to make proper use of both attributes.

`secure=""`	ISML `method=""`	HTML `method=""`	CSRF protection
`true`	`post`	`post`	yes
`true`	`get`	`get`	ParseException
`true`	not specified	`get`	ParseException
`false`	`post`	`post`	no
`false`	`get`	`get`	no
`false`	not specified	`get`	no
not specified	`post`	`post`	yes
not specified	`get`	`get`	no
not specified	not specified	`get`	no

Reference - ISML Tags

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.

Table of Contents