HTML form

Last updated March 15, 2024

A webform, web form or HTML form on a web page allows a user to enter data that is sent to a server for processing. Forms can resemble paper or database forms because web users fill out the forms using checkboxes, radio buttons, or text fields. For example, forms can be used to enter shipping or credit card data to order a product, or can be used to retrieve search results from a search engine.

Description

Sample form. The form is enclosed in an HTML table for visual layout. Sample web form.png — Sample form. The form is enclosed in an HTML table for visual layout.

Forms are enclosed in the HTML <form> element. This HTML element specifies the communication endpoint the data entered into the form should be submitted to, and the method of submitting the data, GET or POST.

Elements

Forms can be made up of standard graphical user interface elements:

<text> — a simple text box that allows input of a single line of text.
<email> - a type of <text> that requires a partially validated email address
<number> - a type of <text> that requires a number
<password> — similar to <text>, it is used for security purposes, in which the characters typed in are invisible or replaced by symbols such as *
<radio> — a radio button
<file> — a file select control for uploading a file
<reset> — a reset button that, when activated, tells the browser to restore the values of the current form, to their initial values.
<submit> — a button that tells the browser to take action on the form (typically to send it to a server)
<textarea> — much like the <text> input field except a <textarea> allows for multiple rows of data to be shown and entered
<select> — a drop-down list that displays a list of items a user can select from

The sample image on the right shows most of these elements:

a text box asking for your name
a pair of radio buttons asking you to choose between gender values
a select box giving you a list of eye colors to choose from
a pair of check boxes to click on if they apply to you
a text area to describe your athletic ability
a submit button to send current form values to the server

These basic elements provide the most common graphical user interface (GUI) elements, but not all. For example, there are no equivalents to a tree view or grid view.

A grid view, however, can be mimicked by using a standard HTML table with each cell containing a text input element. A tree view could also be mimicked through nested tables or, more semantically appropriately, nested lists. In both cases, a server-side process is responsible for processing the information, while JavaScript handles the user-interaction. Implementations of these interface elements are available through JavaScript libraries such as jQuery.

HTML 4 introduced the <label> tag, which is intended to represent a caption in a user interface, and can be associated with a specific form control by specifying the id attribute of the control in the label tag's for attribute.^[1] This allows labels to stay with their elements when a window is resized and to allow more desktop-like functionality (e.g. clicking a radio button or checkbox's label will activate the associated input element).

HTML 5 introduces a number of input tags that can be represented by other interface elements. Some are based upon text input fields and are intended to input and validate specific common data. These include <email> to enter email addresses, <tel> for telephone numbers, <number> for numeric values. There are additional attributes to specify required fields, fields that should have keyboard focus when the web page containing the form is loaded, and placeholder text that is displayed within the field but is not user input (such as the 'Search' text displayed in many search input fields before a search term is entered). These tasks used to be handled with JavaScript, but had become so common that support for them was added to the standard. The <date> input type displays a calendar from which the user can select a date or date range.^[2]^[3] And the color input type can be represented as an input text simply checking the value entered is a correct hexadecimal representation of a color, according to the specification,^[4] or a color picker widget (the latter being the solution used in most browsers which support this attribute).

Submission

When data that has been entered into HTML forms is submitted, the names and values in the form elements are encoded and sent to the server in an HTTP request message using GET or POST. Historically, an email transport was also used.^[5] The default MIME type (internet media type), application/x-www-form-urlencoded, is based on a very early version of the general URI percent-encoding rules, with a number of modifications such as newline normalization and replacing spaces with "+" instead of "%20". Another possible encoding, Internet media type multipart/form-data, is also available and is common for POST-based file submissions.

Use with programming languages

Forms are usually combined with programs written in various programming language to allow developers to create dynamic web sites. The most popular languages include both client-side and/or server-side languages.

Although any programming language can be used on the server to process a form's data, the most commonly used languages are scripting languages, which tend to have stronger string handling functionality than programming languages such as C, and also have automatic memory management which helps to prevent buffer overrun attacks.

Client-side

The de facto client-side scripting language for web sites is JavaScript. Using JavaScript on the Document Object Model (DOM) leads to the method of Dynamic HTML that allows dynamic creation and modification of a web page within the browser.

While client-side languages used in conjunction with forms are limited, they often can serve to do pre-validation of the form data and/or to prepare the form data to send to a server-side program. This usage is being replaced, however, by HTML5's new input field types and required attribute.

Server-side execution

Server-side code can do a vast assortment of tasks to create dynamic web sites that, for technical or security reasons, client-side code cannot — from authenticating a login, to retrieving and storing data in a database, to spell checking, to sending e-mail. A significant advantage to server-side over client-side execution is the concentration of functionality onto the server rather than relying on different web browsers to implement various functions in consistent, standardized ways. In addition, processing forms on a server often results in increased security if server-side execution is designed not to trust the data supplied by the client and includes such techniques as HTML sanitization. One disadvantage to server side code is scalability —server side processing for all users occurs on the server, while client side processing occurs on individual client computers.

Interpreted languages

Some of the interpreted languages commonly used to design interactive forms in web development are PHP, Python, Ruby, Perl, JSP, Adobe ColdFusion and some of the compiled languages commonly used are Java and C# with ASP.NET.

PHP

PHP is one very common language used for server-side "programming" and is one of the few languages created specifically for web programming.^[6]^[7]

To use PHP with an HTML form, the URL of the PHP script is specified in the action attribute of the form tag. The target PHP file then accesses the data passed by the form through PHP's $_POST or $_GET variables, depending on the value of the method attribute used in the form. Here is a basic form handler PHP script that will display the contents of the first_name input field on the page:

form.html

<!DOCTYPE html><htmllang="en"><head><title>Form</title></head><body><formaction="form_handler.php"><p><label>Name: <inputname="first_name"/></label></p><p><buttontype="submit">Submit</button></p></form></body></html>

form_handler.php

<!DOCTYPE html><?php// requesting the value of the external variable "first_name" and filtering it.$firstName=filter_input(INPUT_GET,"first_name",FILTER_SANITIZE_STRING);?><htmllang="en"><head><title>Output</title></head><body><p><?phpecho"Hello, ${firstName}!";/* printing the value */?></p></body></html>

The sample code above uses PHP's filter_input() function to sanitize the user's input before inserting it onto the page. Simply printing (echoing) user input to the browser without checking it first is something that should be avoided in secure forms processors: if a user entered the JavaScript code <script>alert(1)</script> into the firstname field, the browser would execute the script on the form_handler.php page, just as if it had been coded by the developer; malicious code could be executed this way. filter_input() was introduced in PHP 5.2. Users of earlier PHP versions could use the htmlspecialchars() function, or regular expressions to sanitize the user input before doing anything with it.

Perl programming language

Perl is another language often used for web development. Perl scripts are traditionally used as Common Gateway Interface applications (CGIs). In fact, Perl is such a common way to write CGIs that the two are often confused. CGIs may be written in other languages than Perl (compatibility with multiple languages is a design goal of the CGI protocol) and there are other ways to make Perl scripts interoperate with a web server than using CGI (such as FastCGI, Plack or Apache's mod_perl).

Perl CGIs were once a very common way to write web applications. However, many web hosts today effectively only support PHP, and developers of web applications often seek compatibility with them.

A modern Perl 5 CGI using the CGI module with a form similar to the one above might look like:

form_handler.pl

#!/usr/bin/env perlusestrict;useCGIqw(:standard);my$name=param("first_name");printheader;printhtml(body(p("Hello, $name!"),),);

Form-to-email scripts

Among the simplest and most commonly needed types of server-side script is that which simply emails the contents of a submitted form. This kind of script is frequently exploited by spammers, however, and many of the most popular form-to-email scripts in use are vulnerable to hijacking for the purpose of sending spam emails. One of the most popular scripts of this type was "FormMail.pl" made by Matt's Script Archive. Today, this script is no longer widely used in new development due to lack of updates, security concerns, and difficulty of configuration.

Form builders

Some companies offer forms as a hosted service. Usually, these companies give some kind of visual editor, reporting tools and infrastructure to create and host the forms, that can be embedded into webpages.^[8] Web hosting companies provide templates to their clients as an add-on service. Other form hosting services offer free contact forms that a user can install on their own website by pasting the service's code into the site's HTML.

History

HTML forms were first implemented by the Viola browser.^[9]

Related Research Articles

In computing, Common Gateway Interface (CGI) is an interface specification that enables web servers to execute an external program to process HTTP or HTTPS user requests.

Dynamic HTML, or DHTML, is a term which was used by some browser vendors to describe the combination of HTML, style sheets and client-side scripts that enabled the creation of interactive and animated documents. The application of DHTML was introduced by Microsoft with the release of Internet Explorer 4 in 1997.

Server-side scripting is a technique used in web development which involves employing scripts on a web server which produces a response customized for each user's (client's) request to the website. Scripts can be written in any of a number of server-side scripting languages that are available. Server-side scripting is distinguished from client-side scripting where embedded scripts, such as JavaScript, are run client-side in a web browser, but both techniques are often used together. The alternative to either or both types of scripting is for the web server itself to deliver a static web page.

A website is a collection of web pages and related content that is identified by a common domain name and published on at least one web server. Websites are typically dedicated to a particular topic or purpose, such as news, education, commerce, entertainment, or social media. Hyperlinking between web pages guides the navigation of the site, which often starts with a home page. The most-visited sites are Google, YouTube, and Facebook.

Cross-site scripting (XSS) is a type of security vulnerability that can be found in some web applications. XSS attacks enable attackers to inject client-side scripts into web pages viewed by other users. A cross-site scripting vulnerability may be used by attackers to bypass access controls such as the same-origin policy. During the second half of 2007, XSSed documented 11,253 site-specific cross-site vulnerabilities, compared to 2,134 "traditional" vulnerabilities documented by Symantec. XSS effects vary in range from petty nuisance to significant security risk, depending on the sensitivity of the data handled by the vulnerable site and the nature of any security mitigation implemented by the site's owner network.

<span class="mw-page-title-main">Web application</span> Application that uses a web browser as a client

A web application is application software that is accessed using a web browser. Web applications are delivered on the World Wide Web to users with an active network connection.

XForms is an XML format used for collecting inputs from web forms. XForms was designed to be the next generation of HTML / XHTML forms, but is generic enough that it can also be used in a standalone manner or with presentation languages other than XHTML to describe a user interface and a set of common data manipulation tasks.

Web development is the work involved in developing a website for the Internet or an intranet. Web development can range from developing a simple single static page of plain text to complex web applications, electronic businesses, and social network services. A more comprehensive list of tasks to which Web development commonly refers, may include Web engineering, Web design, Web content development, client liaison, client-side/server-side scripting, Web server and network security configuration, and e-commerce development.

URL redirection, also called URL forwarding, is a World Wide Web technique for making a web page available under more than one URL address. When a web browser attempts to open a URL that has been redirected, a page with a different URL is opened. Similarly, domain redirection or domain forwarding is when all pages in a URL domain are redirected to a different domain, as when wikipedia.com and wikipedia.net are automatically redirected to wikipedia.org.

A query string is a part of a uniform resource locator (URL) that assigns values to specified parameters. A query string commonly includes fields added to a base URL by a Web browser or other client application, for example as part of an HTML document, choosing the appearance of a page, or jumping to positions in multimedia content.

In the context of a web browser, a frame is a part of a web page or browser window which displays content independent of its container, with the ability to load content independently. The HTML or media elements in a frame may come from a web site distinct from the site providing the enclosing content. This practice, known as framing, is today often regarded as a violation of same-origin policy.

XMLHttpRequest (XHR) is a JavaScript class containing methods to asynchronously transmit HTTP requests from a web browser to a web server. The methods allow a browser-based application to make a fine-grained server call and store the results in XMLHttpRequest's responseText attribute. The XMLHttpRequest class is a component of Ajax programming. Prior to Ajax, an HTML form needed to be completely sent to the server followed by a complete browser page refresh.

A dynamic web page is a web page constructed at runtime, as opposed to a static web page, delivered as it is stored. A server-side dynamic web page is a web page whose construction is controlled by an application server processing server-side scripts. In server-side scripting, parameters determine how the assembly of every new web page proceeds, and including the setting up of more client-side processing. A client-side dynamic web page processes the web page using JavaScript running in the browser as it loads. JavaScript can interact with the page via Document Object Model (DOM), to query page state and modify it. Even though a web page can be dynamic on the client-side, it can still be hosted on a static hosting service such as GitHub Pages or Amazon S3 as long as there is not any server-side code included.

<span class="mw-page-title-main">Web template system</span> System in web publishing

A web template system in web publishing allows web designers and developers work with web templates to automatically generate custom web pages, such as the results from a search. This reuses static web page elements while defining dynamic elements based on web request parameters. Web templates support static content, providing basic structure and appearance. Developers can implement templates from content management systems, web application frameworks, and HTML editors.

In HTML, a file-select control is a component of a web form with which a user can select a local file. When the form is submitted, the file is uploaded to the web server. There, when the file arrives, some action usually takes place, such as saving the file on the web server. However, the particular action that takes place is determined by the server-side script to which the form is submitted.

<span class="mw-page-title-main">Vaadin</span>

Vaadin is an open-source web application development platform for Java. Vaadin includes a set of Web Components, a Java web framework, and a set of tools that enable developers to implement modern web graphical user interfaces (GUI) using the Java programming language only, TypeScript only, or a combination of both.

Cross-site request forgery, also known as one-click attack or session riding and abbreviated as CSRF or XSRF, is a type of malicious exploit of a website or web application where unauthorized commands are submitted from a user that the web application trusts. There are many ways in which a malicious website can transmit such commands; specially-crafted image tags, hidden forms, and JavaScript fetch or XMLHttpRequests, for example, can all work without the user's interaction or even knowledge. Unlike cross-site scripting (XSS), which exploits the trust a user has for a particular site, CSRF exploits the trust that a site has in a user's browser. In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account.

Mustache is a web template system. Mustache is described as a logic-less system because it lacks any explicit control flow statements, like if and else conditionals or for loops; however, both looping and conditional evaluation can be achieved using section tags processing lists and anonymous functions (lambdas). It is named "Mustache" because of heavy use of braces, { }, that resemble a sideways moustache. Mustache is used mainly for mobile and web applications.

The following outline is provided as an overview of and topical guide to the Perl programming language:

The following outline is provided as an overview of and topical guide to web design and web development, two very related fields:

References

↑ "HTML/Elements/label". w3.org wiki. 19 May 2023.
↑ Satrom, Brandon (November 2011). "Better Web Forms with HTML5 Forms". MSDN Magazine. Microsoft. Retrieved 2014-02-20.
↑ "Forms – HTML5". w3.org. W3C. Retrieved 2014-02-20.
↑ "input type=color – color-well control". w3.org. W3C. Retrieved 2014-10-31.
↑ User-agent support for email based HTML form submission, using a 'mailto' URL as the form action, was proposed in RFC 1867 section 5.6, during the HTML 3.2 era. Various web browsers implemented it by invoking a separate email program, using their own rudimentary SMTP capabilities, or by becoming Internet suites by implementing entire Email clients. Although sometimes unreliable, it was briefly popular as a simple way to transmit form data without involving a web server or CGI scripts.
↑ "PHP: Hypertext Preprocessor".
↑ "Encyclopedia Web".
↑ Garofalo, Josh. "Intro to Online Forms and Form Builders". Blitzen Blog.
↑ "ViolaWWW". webdesignmuseum.org. Web Design Museum. Retrieved 17 February 2022.

External links

Forms in HTML documents, the W3C's spec page for forms in HTML 4.
HTML5 forms specification
Wikibooks: HyperText Markup Language/Forms
Try out HTML properties.

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "HTML/Elements/label". w3.org wiki. 19 May 2023.

[2] Satrom, Brandon (November 2011). "Better Web Forms with HTML5 Forms". MSDN Magazine. Microsoft. Retrieved 2014-02-20.

[3] "Forms – HTML5". w3.org. W3C. Retrieved 2014-02-20.

[4] "input type=color – color-well control". w3.org. W3C. Retrieved 2014-10-31.

[5] User-agent support for email based HTML form submission, using a 'mailto' URL as the form action, was proposed in RFC 1867 section 5.6, during the HTML 3.2 era. Various web browsers implemented it by invoking a separate email program, using their own rudimentary SMTP capabilities, or by becoming Internet suites by implementing entire Email clients. Although sometimes unreliable, it was briefly popular as a simple way to transmit form data without involving a web server or CGI scripts.

[6] "PHP: Hypertext Preprocessor".

[7] "Encyclopedia Web".

[8] Garofalo, Josh. "Intro to Online Forms and Form Builders". Blitzen Blog.

[9] "ViolaWWW". webdesignmuseum.org. Web Design Museum. Retrieved 17 February 2022.

[1]

[2]

[3]

[4]

[5]

[6]

[7]

[8]

[9]