Posted to commits@click.apache.org by sa...@apache.org on 2010/11/20 07:22:53 UTC
svn commit: r1037120 - in /click/trunk/click/documentation/docs:
roadmap-changes.html upgrade-path.html
Author: sabob
Date: Sat Nov 20 06:22:53 2010
New Revision: 1037120
URL: http://svn.apache.org/viewvc?rev=1037120&view=rev
Log:
roadmap and upgrade path changes. CLK-726
Modified:
click/trunk/click/documentation/docs/roadmap-changes.html
click/trunk/click/documentation/docs/upgrade-path.html
Modified: click/trunk/click/documentation/docs/roadmap-changes.html
URL: http://svn.apache.org/viewvc/click/trunk/click/documentation/docs/roadmap-changes.html?rev=1037120&r1=1037119&r2=1037120&view=diff
==============================================================================
--- click/trunk/click/documentation/docs/roadmap-changes.html (original)
+++ click/trunk/click/documentation/docs/roadmap-changes.html Sat Nov 20 06:22:53 2010
@@ -76,7 +76,7 @@ Action support and light-weight stateful
<dl>
<dt><a name="2.3.0"></a>
- <div class="release-header">Latest Development Release - Version 2.3.0 Milestone 1 - ?? October 2010</div>
+ <div class="release-header">Latest Development Release - Version 2.3.0 Milestone 1 - 28 November 2010</div>
</dt>
<dd>
<div style="margin-left:-2em;margin-bottom:1em;">
@@ -137,6 +137,21 @@ Action support and light-weight stateful
</li>
</ul>
<div style="margin-left: -2em; margin-top: 1.5em; margin-bottom: 1em;">
+ <b>Removed:</b>
+ </div>
+ <ul style="padding: 0em; margin-left:0em;margin-bottom: 2em">
+ <li class="change">
+ Removed the ability to automatically <tt>bypass validation</tt> for
+ Forms through JavaScript. This ability was added in 2.2.0 but raised
+ concerns over security and was dropped for 2.3.0. If you used this
+ feature in existing applications, please see the
+ <a href="upgrade-path.html#removed-bypass-validation">Upgrade path</a>
+ for a safe alternative to <tt>bypass validation</tt>. We apologize for
+ the inconvenience.
+ <p/>
+ </li>
+ </ul>
+ <div style="margin-left: -2em; margin-top: 1.5em; margin-bottom: 1em;">
<b>Deprecated:</b>
</div>
<ul style="padding: 0em; margin-left:0em;margin-bottom: 2em">
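Review bot: the new "Removed" entry says only that the feature "raised concerns over security", so a reader scanning the changelog cannot tell whether an application that used bypass validation in 2.2.0 was exposed. Suggest adding one clause saying that server-side validation could be switched off from the client, as the linked upgrade-path entry explains, so the urgency is visible without following the link. Minor: the bare `<p/>` directly before `</li>` adds nothing and can be dropped.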
Modified: click/trunk/click/documentation/docs/upgrade-path.html
URL: http://svn.apache.org/viewvc/click/trunk/click/documentation/docs/upgrade-path.html?rev=1037120&r1=1037119&r2=1037120&view=diff
==============================================================================
--- click/trunk/click/documentation/docs/upgrade-path.html (original)
+++ click/trunk/click/documentation/docs/upgrade-path.html Sat Nov 20 06:22:53 2010
@@ -111,6 +111,53 @@ versions please email the Click user gro
However the majority of use cases are catered for by the new stateful
controls: Table, Form, TabbedPanel, Field and AbstractLink.
</li>
+ <li class="change"><a name="removed-bypass-validation"></a>
+ The <tt>bypass validation</tt> feature introduced in 2.2.0 raised security
+ concerns and was removed in this release.
+ <p/>
+ The main problem was with <tt>bypassValidation</tt> is that
+ an attacker can set the <tt>bypassValidation</tt> hidden field to true, thus bypassing
+ validation on the server. In addition , Form.isValid returned <tt>true</tt>
+ even when validation was bypassed.
+ <p/>
+ If you are currently using <tt>bypassValidation</tt> for dynamic forms,
+ you can bypass form validation by setting <tt>Form.setValidate(false)</tt>,
+ for example:
+ <pre class="prettyprint">
+public void onInit() {
+ super.onInit();
+
+ form.add(nameField);
+ form.add(checkbox);
+
+ // NB: when using form.submit() the submit button cannot be
+ // called 'submit'. If it is, the browser is likely to throw a JS exception.
+ checkbox.setAttribute("onclick", "form.submit()");
+
+ ...
+
+ // NB: Bind the submit button. If it wasn't clicked it means the Form was submitted
+ // using JavaScript and we don't want to validate yet
+ ClickUtils.bind(submit);
+
+ // If submit was not clicked, don't validate
+ if(form.isFormSubmission() && !submit.isClicked()) {
+ form.setValidate(false);
+ }
+
+ submit.setActionListener(new ActionListener() {
+
+ public boolean onAction(Control source) {
+ // We can safely call isValid from within the submit action handler
+ // since validation is always active if the submit button was clicked
+ if (form.isValid()) {
+ addModel("msg", "Form is valid after validation");
+ }
+ return true;
+ }
+ });
+ } </pre>
+ </li>
<li class="change">
The DateField control now accepts month and day names spelled in the
locale of the browser or application (see
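Review bot: in the replacement example, the condition `if(form.isFormSubmission() && !submit.isClicked())` still lets the request decide whether validation runs, because a form submission sent without the submit button reaches `form.setValidate(false)`. The example is safe only because the field values are used solely inside the submit action listener, where the code comment notes that validation is always active. The prose should state this explicitly: on the non-validated path no field value may be used for anything beyond re-rendering the form, and `form.isValid()` should not be relied on outside the listener. Wording in the same entry also needs a fix: "The main problem was with bypassValidation is that" should read "The main problem with bypassValidation is that", and "In addition , Form.isValid" has a stray space before the comma.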