Posted to dev@tapestry.apache.org by "David Couderc (JIRA)" <de...@tapestry.apache.org> on 2008/09/08 22:27:44 UTC
[jira] Commented: (TAPESTRY-2547) Field validation is bypassed if form action url is used as a GET url
[ https://issues.apache.org/jira/browse/TAPESTRY-2547?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12629278#action_12629278 ]
David Couderc commented on TAPESTRY-2547:
-----------------------------------------
You can still bypass validation by forging the parameter; there should be a way to ensure that the parameter has not been tampered with.
Also, the t:formdata may reveal data that you do not expect: for instance the loop component, used without a
PrimaryKeyEncoder, exposes the whole object (with private fields or child classes you may not even be aware of).
Maybe the parameter should be encrypted too.
> Field validation is bypassed if form action url is used as a GET url
> --------------------------------------------------------------------
>
> Key: TAPESTRY-2547
> URL: https://issues.apache.org/jira/browse/TAPESTRY-2547
> Project: Tapestry
> Issue Type: Bug
> Components: tapestry-core
> Affects Versions: 5.0.13
> Reporter: Francois Armand
> Assignee: Howard M. Lewis Ship
>
> We have a form, the simplest one is ok, say this one on "TestPage" page:
> <t:form>
> <t:textfield t:id="field" t:validate="required" t:value="value" />
> <t:submit/>
> </t:form>
> This form is supposed to require a non-empty value for value.
> All goes fine if we click on ok, but if a twisted tester tries to enter directly the action url in the browser (t5app/testpage.form), the field level validations are bypassed (but all form events are thrown, and so the one done in "onValidateFormFrom" is correctly performed).
> The result is that the form may be successful with inconsistent data, in our case a null value.
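The two concerns raised in this thread, a forgeable t:formdata parameter and one that leaks serialized object state, are both addressed by sealing the serialized form data with an authenticated cipher before it is written into the page, and by refusing to run the submit at all when the sealed parameter is absent (the bare-GET case from the issue). The following is an added example written for this discussion, not Tapestry's own code or a patch for TAPESTRY-2547; the class name SealedFormData, the seal/open methods, and the constructed payload string are assumptions made for illustration. It uses AES-GCM from the standard JDK so that tampering with the payload is detected and the contents are not readable by the client.

```java
import javax.crypto.AEADBadTagException;
import javax.crypto.Cipher;
import javax.crypto.spec.GCMParameterSpec;
import javax.crypto.spec.SecretKeySpec;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.SecureRandom;
import java.util.Arrays;
import java.util.Base64;

/**
 * Hypothetical wrapper (added example, not Tapestry code) that seals the serialized
 * form data with AES-GCM so the client can neither read nor alter it.
 */
public final class SealedFormData {
    private static final int IV_LEN = 12;    // 96-bit nonce, the GCM recommendation
    private static final int TAG_BITS = 128; // authentication tag length
    private final SecretKeySpec key;
    private final SecureRandom rng = new SecureRandom();

    /** secret: a 32-byte server-side key (assumed to be provisioned by the application). */
    public SealedFormData(byte[] secret) {
        this.key = new SecretKeySpec(secret, "AES");
    }

    /** Returns base64url(iv || ciphertext || tag), suitable for a hidden field. */
    public String seal(byte[] payload) throws GeneralSecurityException {
        byte[] iv = new byte[IV_LEN];
        rng.nextBytes(iv); // fresh nonce per form render; never reuse with the same key
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.ENCRYPT_MODE, key, new GCMParameterSpec(TAG_BITS, iv));
        byte[] ct = c.doFinal(payload);
        byte[] out = new byte[IV_LEN + ct.length];
        System.arraycopy(iv, 0, out, 0, IV_LEN);
        System.arraycopy(ct, 0, out, IV_LEN, ct.length);
        return Base64.getUrlEncoder().withoutPadding().encodeToString(out);
    }

    /** Returns the original payload, or null when the token is missing, malformed or tampered. */
    public byte[] open(String token) throws GeneralSecurityException {
        if (token == null) return null; // bare GET of the action URL: no form data at all
        byte[] raw;
        try {
            raw = Base64.getUrlDecoder().decode(token);
        } catch (IllegalArgumentException e) {
            return null;
        }
        if (raw.length < IV_LEN + TAG_BITS / 8) return null;
        Cipher c = Cipher.getInstance("AES/GCM/NoPadding");
        c.init(Cipher.DECRYPT_MODE, key,
               new GCMParameterSpec(TAG_BITS, Arrays.copyOf(raw, IV_LEN)));
        try {
            return c.doFinal(raw, IV_LEN, raw.length - IV_LEN);
        } catch (AEADBadTagException e) {
            return null; // ciphertext or tag altered: treat as a forged parameter
        }
    }

    public static void main(String[] args) throws GeneralSecurityException {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        SealedFormData sealed = new SealedFormData(secret);

        // Constructed stand-in for the serialized field/validator list of the form.
        byte[] formdata = "field:required".getBytes(StandardCharsets.UTF_8);
        String token = sealed.seal(formdata);
        System.out.println("t:formdata=" + token);
        System.out.println("intact token accepted:  " + (sealed.open(token) != null));

        // Flip one ciphertext byte, as a client editing the hidden field would.
        byte[] raw = Base64.getUrlDecoder().decode(token);
        raw[IV_LEN] ^= 0x01;
        String forged = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        System.out.println("forged token accepted:  " + (sealed.open(forged) != null));

        // The bug in the issue: no t:formdata at all must not mean "nothing to validate".
        System.out.println("missing token accepted: " + (sealed.open(null) != null));
    }
}
```

When open returns null the form handler should abort the submission (for instance by recording a form-level error) instead of proceeding with an empty field list, since that empty list is exactly what let the required validator be skipped in the original report. AES-GCM supplies both the integrity check the first comment asks for and the confidentiality that keeps serialized object state, such as the loop-without-PrimaryKeyEncoder case, out of the page source; key rotation and storage are left to the application.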