NetForms 2.5 User's Guide

Configuring Your Server

There are several configuration options available that you may adjust to best fit your Web-serving environment. These options are available in the NetForms menu commands, described below.

File Menu

Figure B: NetForms File menu

Open Status

If you wish to run NetForms without displaying the status window, merely click the "close box" on the left side of the window's title bar. This can be used when screen space is low, or to avoid desktop clutter when running NetForms on a non-dedicated server. To re-display the status window, select the "Open Status" command from the "File" menu.

Edit Menu

The NetForms "Edit" menu contains the standard Macintosh text-editing commands: Undo, Cut, Copy, Paste, and Clear.

Configuration Menu

Figure C, below, displays the contents of the "Configuration" menu.

Figure C: NetForms Configuration menu

Update Recent Database

The "Update Recent Database" command will scan all "recent lists" currently in memory, removing entries for files that no longer exist on the server. In other words, when you delete articles from your server, you can have them removed from the recent lists simply by selecting this menu item.

Misc. Configuration

There are several configuration options in the Misc. Configuration window. This window is divided into three "panels", accessed by clicking on "tabs" across the top of the window. The "Files" panel is shown in Figure D below, displaying the default settings provided by NetForms.

Figure D: "Files" panel of the NetForms Configuration dialog

Duplicate Files

One of the three "Duplicate Files" options will always be selected, and this determines what happens when a new article is added to the server that has the same filename as an existing article.

  1. Smart Resubmit: When selected, NetForms will attempt to determine if the article is being resubmitted by the same author or is a new article by a new author. If the article is being submitted by the same author and within a short time period (15 minutes), the original article will be overwritten, allowing users to review their articles and re-submit them if necessary.

  2. Always Create Unique Name: When chosen, articles will never be overwritten. In this case, if an article is created with a filename that already exists, the filename will be updated so that the file will not overwrite the older article. In essence, with this option, every submission will always be unique.

  3. Always Overwrite Old Files: Selecting this option will cause NetForms to always overwrite older files. In this case, when a new article is created with a duplicate name, the older file will always be overwritten. This assures that no articles will ever be created with the exact same title.

Character Translation

NetForms provides three options that determine how it translates characters in HTML documents.

  1. No Translation: This option causes NetForms to do nothing to the HTML content of your documents, and is the default option.

  2. Save As Mac Roman: This option causes characters in the extended ASCII character set (those with ASCII values greater than 128) that are entered into form fields to be stored in created files as Macintosh extended characters. When such characters are viewed in a Macintosh text application, they will appear as the expected Mac extended characters (the apple symbol, the bullet symbol, etc.). When viewed in a web browser, however, unexpected "garbage characters" may appear, particularly if the browser is running on something other than the Mac OS.

  3. Convert HTML Entities: When this option is selected, extended characters in the form data are converted into the HTML-defined "entity" codes, so that they appear correctly in HTML documents viewed in any Web browser.

The "Extras" panel, shown in Figure E, contains more miscellaneous file-handling options.

Figure E: "Extras" panel of the NetForms Configuration dialog

Root Folder

Clicking this button displays a standard folder-selection dialog which tells NetForms where the web server's root folder is located. NetForms uses this path to resolve URLs into full paths when opening or creating documents specified in FDML files.

Note that this setting allows the NetForms application to reside anywhere on the server's hard drive you wish; it need not reside in the web server root folder.

By default, NetForms sets the Root Folder to the folder in which the NetForms.acgi application resides.

Ask Server for Root Folder

If your web server supports serving multiple domains from multiple root folders, make sure this box is checked. When checked, the web server is allowed to override the configured "Root Folder" setting with an additional parameter in the CGI AppleEvent sent to NetForms.

Previous/Next Link

The next two configuration options allow you to control the wording of the links that point to "previous" and "next" articles listed in the same menu document. The defaults are "Previous Article" and "Next Article," but you may choose alternative phrases, such as "Previous Recipe" and "Next Recipe," for example, or in the case of a non-English language, "vorhergehend Artikel" and "nächste Artikel."

Recent Page File

There is also a "RecentList.html" page that can be used to specify how the recent list page will look. This is a simple HTML file that includes a command named "<INSERT_RECENT_LIST>". This page will be displayed as the recent page with the recent links included (as <LI> items) at the point of the <INSERT_RECENT_LIST>. If necessary, you can change the name of this page to suit your environment using the configuration window.

Finally, the "Security" panel in the Configuration window contains options which determine the level of security provided by NetForms. Because NetForms allows anyone with a Web browser to create and view documents, and send email messages, on your server, it is very important that you understand these security settings and configure them appropriately for your users.

The "Security" panel is shown below in Figure F.

Figure F: The "Security" panel of the NetForms Configuration dialog

Convert angle brackets to HTML entities

This checkbox determines whether or not articles containing the less-than (<) and greater-than (>) brackets should be converted into their HTML encoded equivalents for use on the Web. HTML reserves a small number of ASCII characters for use as formatting instructions, including the (<) and (>) brackets, and if these characters are to be used in the body of an HTML document they must be first converted. Checking the "Convert angle brackets..." option will convert these brackets into their HTML character tag equivalents, "&lt;" (for less-than, '<') and "&gt;" (for greater-than, '>'). When checked, articles containing greater-than and less-than symbols will not produce unexpected formatting when they are submitted and converted to HTML documents on your server.

When not checked, NetForms will simply leave the brackets in the user-entered text when it is inserted. This allows users to enter HTML tags and markup their articles.

The security advantage of selecting this option is that you will be able to prevent authors from embedding HTML tags in their articles, including formatting commands, images, and links to other pages. The downside, of course, is that if this option is selected, users won't have the option of entering HTML tags on their own to enhance the formatting of their pages.
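The effect of the "Character Translation" options and of "Convert angle brackets to HTML entities" on one submitted string, as an added Python sketch. It is not NetForms code; the function names, the sample text and the choice of Windows-1252 as the non-Mac browser's character set are assumptions.

```python
from html.entities import codepoint2name

def convert_entities(text, convert_brackets=True):
    """Replace extended characters, and optionally < and >, with HTML entities."""
    out = []
    for ch in text:
        if convert_brackets and ch in "<>":
            out.append("&lt;" if ch == "<" else "&gt;")
        elif ord(ch) > 127:
            name = codepoint2name.get(ord(ch))
            out.append(f"&{name};" if name else f"&#{ord(ch)};")
        else:
            out.append(ch)  # '&' and quotes are left alone: the page describes only brackets
    return "".join(out)

def mac_roman_as_seen_by(text, browser_charset="cp1252"):
    """Store text as Mac Roman bytes, then decode them the way a non-Mac browser would."""
    return text.encode("mac_roman").decode(browser_charset, errors="replace")

# Constructed form submission: one extended character and one HTML tag.
SUBMITTED = "Café <b>specials</b>"

if __name__ == "__main__":
    print(mac_roman_as_seen_by(SUBMITTED))                      # "Save As Mac Roman"
    print(convert_entities(SUBMITTED, convert_brackets=False))  # entities only, tag stays live
    print(convert_entities(SUBMITTED, convert_brackets=True))   # entities and inert tag
```

With bracket conversion off, the `<b>` tag reaches the stored article unchanged and is interpreted by every visitor's browser; with it on, the same text is displayed literally.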

Restrict access to Root Folder

When this checkbox is checked, all NetForms activity is restricted to the configured Root Folder. No file outside this folder can be opened, read from, written to, or created in any way whatsoever. This rule is applied to all NetForms primary and supplemental directives, so that, for instance, the COPY command cannot be used to save files to other mounted volumes.

This option is enabled by default, and there is rarely a reason to turn it off. Older versions of NetForms did not support Mac OS alias resolution, so allowing access outside the Root Folder provided a means of accessing other volumes. Now, however, you can access any folder on any mounted volume simply by placing an alias of the folder inside the Root Folder.

On the other hand, there are very good reasons for leaving it on. When you permit NetForms to access files outside the Root Folder, any file, even those within the System Folder, can be opened, read, or overwritten using the appropriate NetForms commands. This is particularly dangerous if you provide FTP upload abilities to your users, or if you disable some of the other security settings described below. In such a situation, a malicious user with knowledge of FDML syntax could upload or submit an FDML file which contained directives instructing NetForms to overwrite your System or Finder files with meaningless garbage, thus quickly turning your server into an expensive paperweight.

Prohibit FDML tags in form fields

When this option is checked, then NetForms pre-screens all input form data and rejects any post that contains any FDML tags.

Again, this setting exists to prevent malicious users with knowledge of FDML syntax from submitting data that creates a new FDML file on your server, which could be written to return the contents of sensitive files via the user's Web browser.

Don't serve files with creator code: "XXXX"

This security setting is required to prevent transmission of files protected using a security scheme that exists in all versions of WebSTAR. WebSTAR will not serve files with a creator code of 'WWWΩ', the creator code of WebSTAR itself. Many of WebSTAR's own auxiliary files are protected this way, and some third-party CGI applications also make use of this security scheme.

Because NetForms FDML directives can be written to provide access to any files, regardless of their file creator, this security setting should be enabled to prevent access to WebSTAR files.

The protected creator code can be customized by the NetForms administrator, in case you use different web server software, or want to prohibit NetForms from serving other files based on creator code.

FDML files must have suffix: "XXXX"

This security setting causes NetForms to double-check the file suffix of FDML files before processing their contents. If the suffix of the file does not match the configured value (which defaults to ".fdml" and rarely needs to be changed), then NetForms merely returns an error message to the user who submitted the form.

In earlier releases, NetForms would process any file containing FDML commands which was specified in a form's ACTION attribute. This posed a potential security risk because a hacker could enter FDML commands into documents saved with an ".html" or ".txt" extension, and NetForms could then be used to retrieve files from the web server using that new, bogus, FDML file. Enabling this option causes NetForms to reject any FDML file not ending with the configured suffix. By default, the suffix is set to ".fdml". Obviously, the configured suffix should not be used as the suffix of any files created via CREATEDOC or TEXTSTORE directives.

Form and FDML must be on same server

When you enable this security setting, you are preventing other web sites from "hijacking" your NetForms system.

Because the URL which defines the location of your FDML file, such as "$/Recipes/Recipe.FDML", can be accessed from anywhere on the Internet, someone at another web site could duplicate or copy the HTML form which provides user input to your FDML, and store that HTML file on their own web site. Then, anyone using that form on the other web site would submit data to your server to be processed by NetForms. This is known as "hijacking" your form.

This can cause many undesirable effects, such as skewing survey data collected via the form, or overloading your web server with more traffic than it was designed to withstand.

When this option is enabled, NetForms verifies that the HTML form used to submit data and the FDML file which will process the data reside on the same machine. If they do not, an error message is returned to the web browser and the form data is not processed.

Prohibit root-relative file paths

When this option is enabled, file paths in FDML directives must be specified relative to the FDML file, and may not be specified relative to the configured Root Folder. In other words, file paths that begin with a slash character ('/') are prohibited.

This limits the activity of an individual FDML file to its own folder and any subfolders within that folder. This feature is useful when many users have the capability of creating their own, separate NetForms systems, and you wish to ensure that documents created by these separate systems are not mixed together and remain within each user's individual directory space.
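The path and origin checks described above ("Restrict access to Root Folder", "FDML files must have suffix", "Form and FDML must be on same server", "Prohibit root-relative file paths") modelled as one request gate. This is an added Python example, not NetForms code. The Policy class, the function names, the use of the Referer header for the same-server test, case-insensitive suffix matching, treating "../" as leaving the FDML folder, and the host names are all assumptions.

```python
import posixpath
from dataclasses import dataclass
from urllib.parse import urlsplit

@dataclass
class Policy:
    """Constructed stand-in for four Security panel settings."""
    fdml_suffix: str = ".fdml"      # "FDML files must have suffix"
    same_server: bool = True        # "Form and FDML must be on same server"
    no_root_relative: bool = True   # "Prohibit root-relative file paths"
    restrict_to_root: bool = True   # "Restrict access to Root Folder"

def climbs(rel_path):
    """True if a relative path, once normalised, ends up above its starting folder."""
    norm = posixpath.normpath(rel_path or ".")
    return norm == ".." or norm.startswith("../")

def check(policy, server_host, referer, fdml_url, target):
    """Return 'ok' or the first setting that rejects the request.

    fdml_url: root-relative URL of the FDML file named in the form's ACTION.
    target:   file path used by a directive inside that FDML file.
    """
    if policy.fdml_suffix and not fdml_url.lower().endswith(policy.fdml_suffix.lower()):
        return "reject: suffix"
    # Assumption: the form's location is taken from the Referer header; none means reject.
    if policy.same_server and (urlsplit(referer or "").hostname or "") != server_host.lower():
        return "reject: form on another server"
    root_relative = target.startswith("/")
    if policy.no_root_relative and (root_relative or climbs(target)):
        return "reject: path leaves FDML folder"
    base = "" if root_relative else posixpath.dirname(fdml_url).lstrip("/")
    if policy.restrict_to_root and climbs(posixpath.join(base, target.lstrip("/"))):
        return "reject: outside Root Folder"
    return "ok"

if __name__ == "__main__":
    form = "http://www.example.com/Recipes/form.html"   # constructed sample values
    fdml = "/Recipes/Recipe.FDML"
    lax = Policy(no_root_relative=False, restrict_to_root=False)
    for pol, tgt in [(Policy(), "articles/new.html"),
                     (Policy(), "/Private/log.txt"),
                     (Policy(no_root_relative=False), "../../System Folder/Finder"),
                     (lax, "../../System Folder/Finder")]:
        print(tgt, "->", check(pol, "www.example.com", form, fdml, tgt))
```

The containment test is purely lexical, so it does not see aliases: a folder alias placed inside the Root Folder, which the guide says NetForms resolves, still reaches whatever volume the alias points to.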

Auto-Map Menu

Figure G: NetForms Auto-Map menu

WebSTAR .FDML Files to CGI

Choosing this command causes NetForms to create a new "Action" and "Suffix Mapping" in WebSTAR. This will update your server's configuration so that all URLs ending in ".FDML" will automatically be handled by NetForms. This allows you to simplify your HTML <FORM> tags, because the ACTION attribute specified in the FORM tag becomes simply the URL of the FDML file.

Note that this command only works with WebSTAR, and it assumes that the file "NetForms.acgi" is located in the web server root folder. Other web servers cannot be automatically set up by NetForms, even though they may support "actions" and "suffix mappings". Consult your web server's documentation for information on setting up a NetForms action and suffix mapping manually.


Copyright © 1996-8 Maxum Development Corporation
820 South Bartlett Road - Suite 104
Streamwood, IL 60107