Posted to commits@click.apache.org by sa...@apache.org on 2010/11/20 07:22:53 UTC

svn commit: r1037120 - in /click/trunk/click/documentation/docs: roadmap-changes.html upgrade-path.html

Author: sabob
Date: Sat Nov 20 06:22:53 2010
New Revision: 1037120

URL: http://svn.apache.org/viewvc?rev=1037120&view=rev
Log:
roadmap and upgrade path changes. CLK-726

Modified:
    click/trunk/click/documentation/docs/roadmap-changes.html
    click/trunk/click/documentation/docs/upgrade-path.html

Modified: click/trunk/click/documentation/docs/roadmap-changes.html
URL: http://svn.apache.org/viewvc/click/trunk/click/documentation/docs/roadmap-changes.html?rev=1037120&r1=1037119&r2=1037120&view=diff
==============================================================================
--- click/trunk/click/documentation/docs/roadmap-changes.html (original)
+++ click/trunk/click/documentation/docs/roadmap-changes.html Sat Nov 20 06:22:53 2010
@@ -76,7 +76,7 @@ Action support and light-weight stateful
 
 <dl>
   <dt><a name="2.3.0"></a>
-      <div class="release-header">Latest Development Release - Version 2.3.0 Milestone 1 - ?? October 2010</div>
+      <div class="release-header">Latest Development Release - Version 2.3.0 Milestone 1 - 28 November 2010</div>
   </dt>
   <dd>
       <div style="margin-left:-2em;margin-bottom:1em;">
@@ -137,6 +137,21 @@ Action support and light-weight stateful
         </li>
       </ul>
       <div style="margin-left: -2em; margin-top: 1.5em; margin-bottom: 1em;">
+        <b>Removed:</b>
+      </div>
+      <ul style="padding: 0em; margin-left:0em;margin-bottom: 2em">
+        <li class="change">
+          Removed the ability to automatically <tt>bypass validation</tt> for
+          Forms through JavaScript. This ability was added in 2.2.0 but raised
+          concerns over security and was dropped for 2.3.0. If you used this
+          feature in existing applications, please see the
+          <a href="upgrade-path.html#removed-bypass-validation">Upgrade path</a>
+          for a safe alternative to <tt>bypass validation</tt>. We apologize for
+          the inconvenience.
+          <p/>
+        </li>
+      </ul>
+      <div style="margin-left: -2em; margin-top: 1.5em; margin-bottom: 1em;">
         <b>Deprecated:</b>
       </div>
       <ul style="padding: 0em; margin-left:0em;margin-bottom: 2em">
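
Review bot: In the new "Removed" entry, the phrase "raised concerns over security" does not say what the concern was, so a reader still on 2.2.0 cannot tell from the changelog alone that the feature let the client switch off server-side validation. Suggest stating the risk in one clause here, as the linked upgrade-path section does, and settling on one name for the feature: this entry writes <tt>bypass validation</tt> while the upgrade-path text mostly writes <tt>bypassValidation</tt>. The trailing <p/> just before </li> also looks unnecessary.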

Modified: click/trunk/click/documentation/docs/upgrade-path.html
URL: http://svn.apache.org/viewvc/click/trunk/click/documentation/docs/upgrade-path.html?rev=1037120&r1=1037119&r2=1037120&view=diff
==============================================================================
--- click/trunk/click/documentation/docs/upgrade-path.html (original)
+++ click/trunk/click/documentation/docs/upgrade-path.html Sat Nov 20 06:22:53 2010
@@ -111,6 +111,53 @@ versions please email the Click user gro
           However the majority of use cases are catered for by the new stateful
           controls: Table, Form, TabbedPanel, Field and AbstractLink.
       </li>
+      <li class="change"><a name="removed-bypass-validation"></a>
+          The <tt>bypass validation</tt> feature introduced in 2.2.0 raised security
+           concerns and was removed in this release.
+        <p/>
+        The main problem was with <tt>bypassValidation</tt> is that
+        an attacker can set the <tt>bypassValidation</tt> hidden field to true, thus bypassing
+        validation on the server. In addition , Form.isValid returned <tt>true</tt>
+        even when validation was bypassed.
+        <p/>
+        If you are currently using <tt>bypassValidation</tt> for dynamic forms,
+        you can bypass form validation by setting <tt>Form.setValidate(false)</tt>,
+        for example:
+        <pre class="prettyprint">
+public void onInit() {
+        super.onInit();
+
+        form.add(nameField);
+        form.add(checkbox);
+
+        // NB: when using form.submit() the submit button cannot be
+        // called 'submit'. If it is, the browser is likely to throw a JS exception.
+        checkbox.setAttribute("onclick", "form.submit()");
+
+        ...
+
+        // NB: Bind the submit button. If it wasn't clicked it means the Form was submitted
+        // using JavaScript and we don't want to validate yet
+        ClickUtils.bind(submit);
+
+        // If submit was not clicked, don't validate
+        if(form.isFormSubmission() && !submit.isClicked()) {
+            form.setValidate(false);
+        }
+
+        submit.setActionListener(new ActionListener() {
+
+            public boolean onAction(Control source) {
+                // We can safely call isValid from within the submit action handler
+                // since validation is always active if the submit button was clicked
+                if (form.isValid()) {
+                addModel("msg", "Form is valid after validation");
+            }
+                return true;
+            }
+        });
+    } </pre>
+      </li>
       <li class="change">
         The DateField control now accepts month and day names spelled in the 
         locale of the browser or application (see
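
Review bot: The replacement example still lets the request decide whether validation runs: with "if(form.isFormSubmission() && !submit.isClicked())" followed by "form.setValidate(false);", any post that does not carry the submit button is processed unvalidated. The example is safe only because the form data is used solely inside the submit action listener, and that is stated just in a code comment; suggest saying in the prose that field values must not be trusted or persisted on the setValidate(false) path, and stating what Form.isValid returns on that path, since the text names isValid returning true as part of the original problem. Smaller points: "The main problem was with bypassValidation is that" and "In addition ," need fixing, and the addModel line and its closing brace inside "if (form.isValid()) {" are mis-indented.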