Is it a good practice to use an empty URL for a HTML form's action attribute? (action="")

10

315

I am wondering if anyone can give a "best practices" response to using blank HTML form actions to post back to the current page.

There is a post asking what a blank HTML form action does here and some pages like this one suggest it is fine but I'd like to know what people think.

Banger answered 15/7, 2009 at 14:34 Comment(5)
Suggesting "best-practices" tag be applied to this.Stickweed
To doubly confirm, leave the action blank, or simply don't mention an action at all (like <form name="xyz" >). It will submit the action on its own.Ceresin
Not including the action attribute opens the page up to iframe clickjacking attacks, such as one in which an attacker wraps your page in an iframe and the iframe URL includes a query param with the same name as a form field. When the form is submitted, the query value is inserted into the database, so the user's identifying information (email, address, etc) has been compromised.Hutto
So then, what's the valid, secure way to submit a form to the current page?Wriest
Not including the action attribute is also invalid HTML. It is in the specification as a required attribute. Empty actions also have their own quirks: https://mcmap.net/q/101180/-forms-with-action-quot-quot.Thereabouts
305

The best thing you can do is leave out the action attribute altogether. If you leave it out, the form will be submitted to the document's address, i.e. the same page.

It is also possible to leave it empty, and any browser implementing HTML's form submission algorithm will treat it as equivalent to the document's address, which it does mainly because that's how browsers currently work:

8. Let action be the submitter element's action.

9. If action is the empty string, let action be the document's address.

Note: This step is a willful violation of RFC 3986, which would require base URL processing here. This violation is motivated by a desire for compatibility with legacy content. [RFC3986]

This definitely works in all current browsers, but may not work as expected in some older browsers ("browsers do weird things with an empty action="" attribute"), which is why the spec strongly discourages authors from leaving it empty:

The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces.

Crankshaft answered 15/7, 2009 at 15:10 Comment(3)
Possibly this has changed since your answer (it's been almost three years), but as of today, HTML5 does not allow action=""—see my answer...Julieannjulien
@Julieannjulien Thanks. This probably hadn't changed. I've changed my answer to better reflect what the spec says.Crankshaft
Leaving out the action attribute altogether is comfortable and I myself do so, but @Paul Sweatte later in this post argues it opens the page up to an iframe clickjacking attack. So is this still a recommended practice?Shanahan
85

Actually, the Form Submission subsection of the current HTML5 draft does not allow action="". It is against the spec.

The action and formaction content attributes, if specified, must have a value that is a valid non-empty URL potentially surrounded by spaces. (emphasis added)

The quoted section in mercator's answer is a requirement on implementations, not authors. Authors must follow the author requirements. To quote How to read this specification:

In particular, there are conformance requirements that apply to producers, for example authors and the documents they create, and there are conformance requirements that apply to consumers, for example Web browsers. They can be distinguished by what they are requiring: a requirement on a producer states what is allowed, while a requirement on a consumer states how software is to act.

The change from HTML4—which did allow an empty URL—was made because “browsers do weird things with an empty action="" attribute”. Considering the reason for the change, it's probably best not to do that in HTML4 either.

Julieannjulien answered 13/3, 2012 at 3:35 Comment(5)
Does it allow the total absence of the action attribute altogether to indicate the form should submit to the document address? It seems to, since it says, "if specified."Bibliotheca
@Bibliotheca Yes, I believe HTML5 allows omitting the action attribute entirely, and defaults it to empty string. HTML4 did not, it specifies action as required.Julieannjulien
I agree with @Kerrick, it is allowed to omit the action attribute. Reading the current HTML5 draft, it seems that the empty string is not allowed but the absence of the attribute is allowed. But in any case, for compatibility reasons, I recommend you always include the "action" attribute and fill it with a valid non-empty URL (good practices are always the best way).Eubank
One potential gotcha: AngularJS will prevent submission of forms without an action attribute. Probably not a common problem, but it took me a while to figure out why parts of our legacy site started breaking.Homebody
This answer confused me; when I first read it 6 months ago I thought it was saying the accepted answer is wrong. I think it may help to clarify that it's preferable to leave the attribute out, but if the attribute exists, give it a non-blank value.Kronick
21

Not including the action attribute opens the page up to iframe clickjacking attacks, which involve a few simple steps:

  • An attacker wraps your page in an iframe
  • The iframe URL includes a query param with the same name as a form field
  • When the form is submitted, the query value is inserted into the database
  • The user's identifying information (email, address, etc) has been compromised

Hutto answered 17/8, 2012 at 17:39 Comment(2)
Doesn't the iframe URL contain GET parameters, while forms are usually submitted using POST? So if the site only deals with the POST parameters then it shouldn't be a problem, is it? At least I usually use the $_POST array in PHP only when processing forms.Feebleminded
@Feebleminded Yes, use $_POST instead of $_REQUEST to avoid this. If framework code uses $_REQUEST, use an iframe buster.Hutto
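An added illustration of the point in this answer and its comments, not code from any of the posters: a request handler that merges query-string and POST-body parameters (what PHP's $_REQUEST does) picks up a form field from the URL the page was framed with, while a handler that reads only the POST body (the $_POST-only approach) does not. The request object, field names and values are constructed for the demonstration.

```javascript
// Parse a query string or a urlencoded body into a plain object of fields.
function parseParams(encoded) {
  return Object.fromEntries(new URLSearchParams(encoded));
}

// Merging handler ($_REQUEST-style): body values win over query values, but any
// form field the body does not carry is silently taken from the page's URL.
function fieldsFromQueryAndBody(req) {
  const query = new URL(req.url).search;
  return { ...parseParams(query), ...parseParams(req.body) };
}

// Body-only handler ($_POST-style): the update uses exactly what the form sent.
function fieldsFromBodyOnly(req) {
  return parseParams(req.body);
}

// Constructed request: the page was loaded in a frame whose URL carries an
// "email" query parameter matching a form field the submitted body lacks.
const FRAMED_REQUEST = {
  method: "POST",
  url: "https://example.com/profile?email=attacker%40example.net",
  body: "name=Alice&city=Toowoomba",
};

// Compare what each handler would write to the user's record.
function compareHandlers(req = FRAMED_REQUEST) {
  return {
    merged: fieldsFromQueryAndBody(req),
    bodyOnly: fieldsFromBodyOnly(req),
  };
}

console.log(compareHandlers());
```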
18

This will validate with HTML5.

<form action="#">
Toowoomba answered 25/4, 2012 at 11:12 Comment(7)
I haven't tried it, but conceptually wouldn't that scroll to the top of the page after submission?Banger
@Graphain Yes, the browser will scroll to the top of the page after a post since the URL now has a #.Toowoomba
Couldn't you use action="." ?Calgary
action="?" works well too. It validates and points to the current page without any query string data.Fachan
action="." is a bad idea for the general case. A URL like example.com/login is mapped to merely example.com/.Hover
Actually I found a second way the action="." becomes invalid: when you have your <base href="" /> set... then the action will be to the URL set there! Very annoying, and because many people don't know this, many packages that have forms and include templates tend to break :(Thremmatology
This answer is only valid if the user wants to scroll to the top of the page.Pinckney
13

IN HTML 5 action="" IS NOT SUPPORTED SO DON'T DO THIS. BAD PRACTICE.

If instead you completely negate action altogether it will submit to the same page by default, I believe this is the best practice:

<form>This will submit to the current page</form>

If you are submitting the form using PHP you may want to consider the following. Read more about it here.

<form method="post" action="<?php echo htmlspecialchars($_SERVER["PHP_SELF"]);?>">

Alternatively you could use # bear in mind though that this will act like an anchor and scroll to the top of the page.

<form action="#">
Pinckney answered 8/9, 2016 at 16:34 Comment(6)
If you omit the action attribute, is the form still open to the exploits detailed on the first page of the link?Kappenne
@RichardYoung Sorry I don't understand your question. Please rephrase.Pinckney
The $_SERVER["PHP_SELF"] variable can be used by hackers. If PHP_SELF is used in your page then a user can enter a slash (/) and then some Cross Site Scripting (XSS) commands to execute. If you omit the action attribute, are you still vulnerable to this?Kappenne
Yes, you are. The action attribute can be added back in client side and given any value of choice. However using the htmlspecialchars() function stops people from using your php script against you.Pinckney
I knew about the htmlspecialchars() function but was just hoping that if I omitted the action I could get around it. Thanks for clearing that up for me.Kappenne
Omitting the required action attribute is a violation of the HTML specification.Thereabouts
4

I think it's best to explicitly state where the form posts. If you want to be totally safe, enter the same URL the form is on in the action attribute if you want it to submit back to itself. Although mainstream browsers evaluate "" to the same page, you can't guarantee that non-mainstream browsers will.

And of course, use the entire URL, including GET data, like Juddling points out.

Stickweed answered 15/7, 2009 at 14:40 Comment(0)
2

Just use

?

<form action="?" method="post" enctype="multipart/form-data" name="myForm" id="myForm">

It doesn't violate HTML5 standards.

Hamitic answered 8/9, 2015 at 12:29 Comment(1)
I didn't downvote, but your method will drop all the GET params. A form on the following URL would break: example.com/update_user?user_id=1, because the form will submit to example.com/update_user?Uncircumcision
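An added example, not code from any of the answers, covering the accepted answer's quoted submission algorithm (empty action means the document's address, with no base URL processing) and the action="#", action="?", action="." and <base href> cases debated in the comments above. It resolves each convention against a constructed document address with the WHATWG URL class, so the effect on the query string is visible side by side.

```javascript
// Constructed document address: a page whose query string carries state.
const DOCUMENT_URL = "https://example.com/update_user?user_id=1";

// actionAttr: null for an omitted attribute, otherwise the attribute's string
// (an omitted attribute is treated as the empty string, as the comments note).
// baseHref: an optional <base href> in effect for relative action values.
function resolveFormAction(actionAttr, documentUrl, baseHref = null) {
  const action = actionAttr === null ? "" : actionAttr.trim();
  // Spec step 9: an empty action means the document's own address, and the
  // spec deliberately skips base URL processing here (the willful violation
  // of RFC 3986 quoted in the accepted answer).
  if (action === "") {
    return new URL(documentUrl).href;
  }
  // Any non-empty value is an ordinary relative reference, resolved against
  // the <base href> if one is set, otherwise against the document's address.
  return new URL(action, baseHref ?? documentUrl).href;
}

// The conventions proposed in the answers, each evaluated for DOCUMENT_URL.
function compareActionConventions() {
  return {
    omitted: resolveFormAction(null, DOCUMENT_URL),
    empty: resolveFormAction("", DOCUMENT_URL),
    hash: resolveFormAction("#", DOCUMENT_URL),
    question: resolveFormAction("?", DOCUMENT_URL),
    dot: resolveFormAction(".", DOCUMENT_URL),
    // Constructed <base href> pointing somewhere other than the page itself.
    dotWithBase: resolveFormAction(".", DOCUMENT_URL, "https://static.example.org/assets/"),
  };
}

console.table(compareActionConventions());
```

Only the omitted, empty and "#" forms keep user_id=1; "?" drops the query, and "." drops the last path segment (or follows the <base href> entirely).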
1

I used to do this a lot when I worked with Classic ASP. Usually I used it when server-side validation of some sort was needed for the input (before the days of AJAX). The main drawback I see is that it doesn't separate programming logic from the presentation, at the file level.

Wingspread answered 15/7, 2009 at 14:44 Comment(1)
Why not? I think it's not connected. I can have a form post the data to the same page and build this page with proper separation of controller and view.Attending
1

I used to not specify the action attribute at all. It is actually how my framework is designed: all pages get submitted back to exactly the same address. But today I discovered a problem. Sometimes I borrow the action attribute value to make some background call (I guess some people name them AJAX). So I found that IE keeps the action attribute value as empty if the action attribute wasn't specified. It is a bit odd in my understanding, since if no action attribute is specified, the JavaScript counterpart has to be at least undefined. Anyway, my point is that before you choose a best practice you need to understand more context, like whether you will use the attribute in JavaScript or not.

Bluff answered 13/4, 2013 at 1:59 Comment(0)
0

When you put an empty action, some security filtering considers it malicious or phishing. Hence they can block your page. So it's advisable not to keep action= blank.

Dekow answered 14/10, 2020 at 4:49 Comment(0)