Posted to dev@tapestry.apache.org by "Francois Armand (JIRA)" <de...@tapestry.apache.org> on 2008/08/01 11:22:32 UTC

[jira] Created: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Field validation is bypassed if form action url is used as a GET url
--------------------------------------------------------------------

                 Key: TAPESTRY-2547
                 URL: https://issues.apache.org/jira/browse/TAPESTRY-2547
             Project: Tapestry
          Issue Type: Bug
          Components: tapestry-core
    Affects Versions: 5.0.13
            Reporter: Francois Armand
            Priority: Blocker


We have a form, the simplest one is ok, say this one on "TestPage" page:
<t:form>
	<t:textfield t:id="field" t:validate="required" t:value="value" />
	<t:submit/>
</t:form>

This form is supposed to require a non-empty value for value.
All goes fine if we click on ok, but if a twisted tester tries to enter the action url directly in the browser (t5app/testpage.form), the field-level validations are bypassed (but all form events are thrown, and so the ones done in "onValidateFormFrom" are correctly performed).

The result is that the form may be successful with inconsistent data, in our case a null value. 

-- 
This message is automatically generated by JIRA.
-
You can reply to this email to add a comment to the issue online.


---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tapestry.apache.org
For additional commands, e-mail: dev-help@tapestry.apache.org


[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Howard M. Lewis Ship (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620279#action_12620279 ] 

Howard M. Lewis Ship commented on TAPESTRY-2547:
------------------------------------------------

Also, there's no validation, because no field updates will occur, because there's no t:formdata.



Re: [jira] Updated: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by Fernando Padilla <fe...@alum.mit.edu>.
Please allow method=GET forms :)  At times those are handy for other reasons.

But yes, if there is no t:formdata, then you can assume a "corrupted" form submit, and can just mark it "invalidated" at the get-go :)  Or totally ignore that form action.

Howard M. Lewis Ship (JIRA) wrote:
>      [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
> 
> Howard M. Lewis Ship updated TAPESTRY-2547:
> -------------------------------------------
> 
>     Priority: Major  (was: Blocker)
> 
> Typing a form's URL in as a GET will perform no work, because the t:formdata query parameter will be empty.
> 
> I'm thinking of making Tapestry reject requests that use a GET to invoke a form, or have no t:formdata entries.
> 


[jira] Updated: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Howard M. Lewis Ship (JIRA)" <de...@tapestry.apache.org>.
     [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship updated TAPESTRY-2547:
-------------------------------------------

    Priority: Major  (was: Blocker)

Typing a form's URL in as a GET will perform no work, because the t:formdata query parameter will be empty.

I'm thinking of making Tapestry reject requests that use a GET to invoke a form, or have no t:formdata entries.



[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "David Couderc (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12629278#action_12629278 ] 

David Couderc commented on TAPESTRY-2547:
-----------------------------------------

You can still bypass validation by forging the parameter; there should be a way to ensure that the parameter has not been tampered with.
Also, the t:formdata may reveal data that you do not expect: for instance the loop component, used without a PrimaryKeyEncoder, exposes the whole object (with private fields or children classes you may not even be aware of).
Maybe the parameter should be encrypted too.

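The two checks discussed above, rejecting a form request that arrives as a GET or without t:formdata and detecting a forged t:formdata value, as an added example that is not part of the original thread and is not Tapestry's code. It uses only the JDK; the class name, the `allowGet` switch and the `<formdata>.<tag>` layout are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;

// Added illustration: plain JDK, not Tapestry code. All names are hypothetical.
public class FormSubmissionGuard {

    enum Decision { ACCEPT, REJECT_METHOD, REJECT_NO_FORMDATA, REJECT_TAMPERED }

    private final SecretKeySpec key;
    private final boolean allowGet; // true models "please allow method=GET forms"

    FormSubmissionGuard(byte[] secret, boolean allowGet) {
        this.key = new SecretKeySpec(secret, "HmacSHA256");
        this.allowGet = allowGet;
    }

    // Render side: emit "<formdata>.<tag>" into the hidden field (assumed layout).
    String seal(String formData) throws GeneralSecurityException {
        return formData + "." + tag(formData);
    }

    // Submit side: decide before any field update or validation event runs.
    Decision check(String method, Map<String, String> params) throws GeneralSecurityException {
        boolean post = "POST".equalsIgnoreCase(method);
        boolean get = "GET".equalsIgnoreCase(method);
        if (!post && !(get && allowGet)) return Decision.REJECT_METHOD;

        String sealed = params.get("t:formdata");
        if (sealed == null || sealed.isEmpty()) return Decision.REJECT_NO_FORMDATA;

        // The tag alphabet (URL-safe Base64) has no '.', so the last '.' is the separator.
        int dot = sealed.lastIndexOf('.');
        if (dot < 0) return Decision.REJECT_TAMPERED;
        byte[] expected = tag(sealed.substring(0, dot)).getBytes(StandardCharsets.US_ASCII);
        byte[] supplied = sealed.substring(dot + 1).getBytes(StandardCharsets.US_ASCII);
        // MessageDigest.isEqual compares in constant time, so timing does not leak the tag.
        return MessageDigest.isEqual(expected, supplied) ? Decision.ACCEPT : Decision.REJECT_TAMPERED;
    }

    private String tag(String data) throws GeneralSecurityException {
        Mac mac = Mac.getInstance("HmacSHA256");
        mac.init(key);
        byte[] raw = mac.doFinal(data.getBytes(StandardCharsets.UTF_8));
        return Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
    }

    public static void main(String[] args) throws GeneralSecurityException {
        // Constructed key and form state, for demonstration only.
        byte[] secret = "constructed-demo-key".getBytes(StandardCharsets.UTF_8);
        FormSubmissionGuard guard = new FormSubmissionGuard(secret, false);
        String sealed = guard.seal("constructed-field-state");

        System.out.println(guard.check("GET", Map.of()));
        System.out.println(guard.check("POST", Map.of()));
        System.out.println(guard.check("POST", Map.of("t:formdata", "X" + sealed)));
        System.out.println(guard.check("POST", Map.of("t:formdata", sealed)));
    }
}
```

The HMAC tag gives integrity only: it does not hide what t:formdata contains, so the exposure concern raised in the comment above would need encryption or a smaller serialized state in addition.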


[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Massimo Lusetti (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620475#action_12620475 ] 

Massimo Lusetti commented on TAPESTRY-2547:
-------------------------------------------

Well, I have external devices (handheld / palm PCs) which are used to collect data and perform operations; then, when they are put back into the cradle, there's a custom application which downloads data from the devices and sends it to a custom Tapestry page/component which processes the data and simply returns a status code.

I have to hardcode (sort of) the t:formdata parameter into the application to let Tapestry correctly handle the HTTP POST, and this turned out to work as expected, but this turns the upgrade of the server side (T5 web application) and client side (T5 IoC Swing application) into a nightmare, because the t:formdata parameter changes, so I cannot upgrade the server side without releasing and distributing an upgrade to all clients.

So this could be a use case where having T5 process the form without t:formdata parameter is a very big plus.

Is it just me using the power of T5 this way?

This is all production code already in use since April.



[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Francois Armand (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620287#action_12620287 ] 

Francois Armand commented on TAPESTRY-2547:
-------------------------------------------

I believe that rejecting the form is a good option, for now I can't see any cases where it would be a good idea to try to handle such a malformed form. 




[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Francois Armand (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12618968#action_12618968 ] 

Francois Armand commented on TAPESTRY-2547:
-------------------------------------------

A trivial workaround exists: we just have to perform all validation in onValidateFromForm, but it's really painful. Moreover, data consistency is always a critical area, and T5 is close to a final version, so I chose blocker priority.




[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Josh Canfield (JIRA)" <de...@tapestry.apache.org>.
    [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12620485#action_12620485 ] 

Josh Canfield commented on TAPESTRY-2547:
-----------------------------------------

I was recently working on a page that needed to accept query parameters but where the request was not generated from a form submit. Consider "http://localhost/app/search?field=title&value=hello&sort=asc" as a REST api, where sort is optional. Putting this into an activation context is not so appealing.

I was thinking that it would be great to have an annotation @QueryParameter, or modify @Parameter to accept query=true. You could attach validators that triggered an error event on failure... 

I ended up coding it up by calling _request.getParameter() directly... 



[jira] Closed: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url

Posted by "Howard M. Lewis Ship (JIRA)" <de...@tapestry.apache.org>.
     [ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]

Howard M. Lewis Ship closed TAPESTRY-2547.
------------------------------------------

    Resolution: Duplicate
      Assignee: Howard M. Lewis Ship

An outright reject of the form submission should get the job done.
