click-dev mailing list archives

From Lorenzo Simionato <lore...@simionato.org>
Subject Request Parameter Autobinding
Date Sat, 20 Nov 2010 11:43:22 GMT
Hi, I've a couple of questions about the page "Request Parameter Auto Binding" (section 2.3 of
the documentation).

1-Is it possible to disable the feature that: "binds automatically any request parameter values
to public Page fields with the same name"?
I see that it is possible for page autobinding but not for request parameters. I find this
feature very subtle: it makes the code less clear and is
possibly dangerous (class fields can be set by an attacker in a way that is not evident, and
it is easy to make mistakes).

2-According to the documentation: "When binding these values Click will also attempt to convert
them to the correct type". However, if the
conversion is not successful, is the intended behavior to throw an exception?
Say I have a page:

import org.apache.click.Page;
import org.apache.click.util.Bindable;

public class MyPage extends Page {
    // Click auto-binds the "customerId" request parameter to this field
    // and tries to convert the String value to an Integer.
    @Bindable
    protected Integer customerId;
}

and the following request is made: mypage.htm?customerId=xxx

In this case an exception is thrown.

3-Why is the @Bindable annotation used both for request parameters and for page autobinding
(if autobinding for pages is enabled, of course)?
This makes it very confusing. It is not clear whether @Bindable is used to get a parameter or to put
something on the page.
In addition, it could lead to security problems.
For example, consider the page:
MyPage.java:

import org.apache.click.Page;
import org.apache.click.util.Bindable;

public class MyPage extends Page {
    // Intended as a value to expose to the template, but @Bindable also
    // allows a request parameter named "welcomeMessage" to overwrite it.
    @Bindable
    protected String welcomeMessage = "Welcome to my web site";
}

MyPage.htm:
$welcomeMessage

and an attacker makes the following request: mypage.htm?welcomeMessage=Fake message
So in this case we have a possible XSS attack.

Thanks,
Lorenzo Simionato
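The following is an added example, not code from the original message or from the Click project, showing how a page can avoid both problems raised above: it declares no public or @Bindable fields, so nothing on the page object can be set from the query string; it reads the one parameter it accepts explicitly and returns null instead of throwing on a value like "xxx"; and it escapes any request value before it is put into the template model. The class name CustomerPage, the package, the template variable names and the helper methods are assumptions made for illustration; getContext().getRequestParameter(), addModel() and onInit() are used as Click's Page and Context API as I understand it.

```java
package example; // hypothetical package name

import org.apache.click.Page;

/**
 * Hypothetical page that opts out of request-parameter autobinding.
 * Only public or @Bindable fields are auto-bound by Click, so keeping
 * every field private means the request cannot set any of them.
 */
public class CustomerPage extends Page {

    // Private, so never auto-bound; set only by onInit() below.
    private Integer customerId;
    private String customerIdError;

    // Not bindable: ?welcomeMessage=... in the URL cannot replace it.
    private static final String WELCOME_MESSAGE = "Welcome to my web site";

    @Override
    public void onInit() {
        super.onInit();

        // Explicit, validating read of the single parameter this page accepts
        // (assumed Click Context API).
        String raw = getContext().getRequestParameter("customerId");
        customerId = parseCustomerId(raw);
        if (raw != null && customerId == null) {
            // Echoing raw input into the template is where XSS would occur,
            // so it is escaped before it becomes a model value.
            customerIdError = "Invalid customer id: " + escapeHtml(raw);
        }

        // Model values are chosen by the page, never by the request.
        addModel("welcomeMessage", WELCOME_MESSAGE);
        addModel("customerId", customerId);
        addModel("customerIdError", customerIdError);
    }

    /** Returns null instead of throwing on input like "xxx", "1e9" or an overflow. */
    static Integer parseCustomerId(String raw) {
        if (raw == null || raw.isEmpty() || raw.length() > 10) {
            return null;
        }
        try {
            int id = Integer.parseInt(raw.trim());
            return id > 0 ? Integer.valueOf(id) : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    /** Minimal HTML escaping for a value rendered with $var in a Velocity template. */
    static String escapeHtml(String s) {
        StringBuilder sb = new StringBuilder(s.length());
        for (char c : s.toCharArray()) {
            switch (c) {
                case '<':  sb.append("&lt;");   break;
                case '>':  sb.append("&gt;");   break;
                case '&':  sb.append("&amp;");  break;
                case '"':  sb.append("&quot;"); break;
                case '\'': sb.append("&#39;");  break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }
}
```

The matching template would render $welcomeMessage as before and wrap the error in #if($customerIdError) ... #end; with this layout a request for customerpage.htm?customerId=xxx&welcomeMessage=Fake produces the page's own welcome text plus an escaped error line, and no exception, because neither value reaches a field through autobinding.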