How automatic form fill works
The scan looks at the Name attribute of each form field to see if it matches the names listed on the Automatic Form Fill page. It ignores fields that are not available or whose input types include submit, reset, button, or image. It then sends the values you supply for the form fields to the URL found in the Action attribute.
There are certain conditions of operation:
- Your site must be configured so that its form fields (INPUT tags) are assigned names; otherwise Automatic Form Fill will having nothing to perform a match on.
- The Action attribute must contain a URL. Automatic Form Fill cannot run mailto and JavaScript™ actions; forms whose Action attribute contain either mailto or JavaScript™ references are ignored.
- The states of existing hidden fields and check boxes remain unchanged.
- With radio buttons, the value of the selected button is used. If a button is not selected, the scan checks the Auto Form Fill page for a matching radio button value. If there is no match, then the first button is used.
- With select fields, the selected option is used as long as it is not the first option to avoid selecting a value only provided as a "hint". If nothing is selected, the scan checks the Auto Form Fill page for a matching select field value. If there is no match, the last option is used.
Resolving conflicts in field matching
When there is a conflict in multiple form field matches, the scan job uses the following criteria to determine the match priority:
| Priority | Parameter | URL |
|---|---|---|
| 0 (exact match,) | Yes Example: country or region | Yes Example: www.example.com |
| 1 | No Example: regexp:coun |
Yes Example: www.example.com |
| 2 | Yes Example: country or region | No Example: no URL |
| 3 | No Example: regexp:cou | No Example: no URL |
If a form parameter matches more than one Automatic Form Fill item with the same priority level, the first match in the list will be used, so in the examples above, regexp:coun would be used before regexp:cou.
Determining what is submitted for forms
Forms are submitted as in the following table when 1 and either 2 or 3 of the following statements are true:
- Automatic Form Fill is made available.
- All text, textarea and password fields match an entry or they are pre-populated.
- The Fill unknown parameters with
default value option
is selected on the Automatic Form Fill page.
Control Type Field Name Pre-populated Form Submission Button No match No Not Posted No match Yes Not Posted Match No Not Posted Match Yes Not Posted check box No match No Not Posted No match Yes on Match No Not Posted Match Yes on Hidden No match No Empty No match Yes Prepopulated Match No Empty Match Yes Prepopulated Image No match NA Post the following: ImageName.y and ImageName.x Match NA Post the following: ImageName.y and ImageName.x Radio No match No First radio value No match Yes Prepopulated Match No Auto Form Fill value if it is one of the possible values, otherwise use the first radio value Match Yes Prepopulated Select NA NA If there are no options: Not Posted. NA NA If there is one option, then Post the one option. NA NA More than one option: If the selected option is not the first option, then Post the selected option value. NA NA More than one option: If there is a match and the Auto Form Fill value is one of the specified values, Post it. NA NA More than one option: If there is a match and the Auto Form Fill value is not one of the specified values, Post the last value. NA NA More than one option: If there is no match, Post the last value. Submit NA No Post: "Submit Query" NA Yes Post prepopulated value NA No Post: "Submit Query" Match Yes Post prepopulated value Text, Textarea, and Password No match No Default No match Yes Prepopulated Match No Post Auto Form Fill value Match Yes Post Auto Form Fill value