Return-Path: Delivered-To: apmail-click-dev-archive@www.apache.org Received: (qmail 55003 invoked from network); 21 Nov 2010 00:55:40 -0000 Received: from unknown (HELO mail.apache.org) (140.211.11.3) by 140.211.11.9 with SMTP; 21 Nov 2010 00:55:40 -0000 Received: (qmail 55084 invoked by uid 500); 21 Nov 2010 00:56:12 -0000 Delivered-To: apmail-click-dev-archive@click.apache.org Received: (qmail 55053 invoked by uid 500); 21 Nov 2010 00:56:12 -0000 Mailing-List: contact dev-help@click.apache.org; run by ezmlm Precedence: bulk List-Help: List-Unsubscribe: List-Post: List-Id: Reply-To: dev@click.apache.org Delivered-To: mailing list dev@click.apache.org Received: (qmail 55046 invoked by uid 99); 21 Nov 2010 00:56:11 -0000 Received: from nike.apache.org (HELO nike.apache.org) (192.87.106.230) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 21 Nov 2010 00:56:11 +0000 X-ASF-Spam-Status: No, hits=2.2 required=10.0 tests=FREEMAIL_ENVFROM_END_DIGIT,FREEMAIL_FROM,RCVD_IN_DNSWL_NONE,SPF_PASS,T_TO_NO_BRKTS_FREEMAIL X-Spam-Check-By: apache.org Received-SPF: pass (nike.apache.org: domain of sabob1@gmail.com designates 74.125.83.42 as permitted sender) Received: from [74.125.83.42] (HELO mail-gw0-f42.google.com) (74.125.83.42) by apache.org (qpsmtpd/0.29) with ESMTP; Sun, 21 Nov 2010 00:56:04 +0000 Received: by gwb10 with SMTP id 10so3834880gwb.29 for ; Sat, 20 Nov 2010 16:55:43 -0800 (PST) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=domainkey-signature:received:received:message-id:date:from :user-agent:mime-version:to:subject:references:in-reply-to :x-enigmail-version:content-type:content-transfer-encoding; bh=j9B/QSApJqTyuM+KvPGsBzRUyDRLdI6C3fNDaSqaLI0=; b=Twyp5wCpbniCWb3jYPZh/aHNlo6gJ6AgR6WIE5IR44mg1jcPddbzzvFCd22QTXjRoU lrMSgR1J6sVnJ05hLlqcLovNZT+1+/O3zeX0M9Asa1Z+9PNRjiGawcHwCuwTWJDcvGzI +xdTI+ChAHj5aH6B6meUuD0ib7aKRZlQOcC/c= DomainKey-Signature: a=rsa-sha1; c=nofws; d=gmail.com; s=gamma; h=message-id:date:from:user-agent:mime-version:to:subject:references :in-reply-to:x-enigmail-version:content-type :content-transfer-encoding; b=x9HhXGxdVoQb0erU9dqRRoMRH+9OwtkooDw1RjDcvbEwL322pgkJPNK3f8CkqY/wGN pdt73C3qONP7in90OlVVxiNl8CxCma+pvRweeJUjrMyemUmouzQClGC8lerIROsvwKHH pfwpYrbqTL+KOZLr7W9m7ZSylxmk/FdCOI248= Received: by 10.90.3.39 with SMTP id 39mr3481085agc.131.1290300941818; Sat, 20 Nov 2010 16:55:41 -0800 (PST) Received: from [10.1.1.3] (124-171-30-160.dyn.iinet.net.au [124.171.30.160]) by mx.google.com with ESMTPS id t23sm3774134ano.7.2010.11.20.16.55.39 (version=TLSv1/SSLv3 cipher=RC4-MD5); Sat, 20 Nov 2010 16:55:41 -0800 (PST) Message-ID: <4CE86E0A.5060608@gmail.com> Date: Sun, 21 Nov 2010 11:55:38 +1100 From: Bob Schellink User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.12) Gecko/20101027 Lightning/1.0b2 Thunderbird/3.1.6 MIME-Version: 1.0 To: dev@click.apache.org Subject: Re: Request Parameter Autobinding References: <22679463.212761290230773510.JavaMail.jira@thor> <4CE7CE8F.9010706@gmail.com> In-Reply-To: X-Enigmail-Version: 1.1.1 Content-Type: text/plain; charset=ISO-8859-1 Content-Transfer-Encoding: 7bit X-Virus-Checked: Checked by ClamAV on apache.org Just a bit of history on binding. In Click 1.4 binding was introduced because people wanted a shortcut for binding and converting input params. This was in the Java 1.4 days, pre annotation. So public fields was used as binding. With Java 1.5 Bindable was introduced but backward compatibility was kept in place. (If you want to use public fields in your pages that should not be bound, you can set autobinding="annotation" and public fields won't be touched.) So the intention wasn't to support both public fields and @Bindable. It was for preserving backwards compatibility. I understand the argument of splitting @Bindable into two behaviors -> @InputParameter (which sets and coerce the value vs @AddToModel which adds the value to the model. The Bindable design also raised these issues: https://cwiki.apache.org/confluence/display/CLICK/Java+5+Support but this work was never completed. Kind regards Bob On 21/11/2010 01:49, Lorenzo Simionato wrote: > On Nov 20, 2010, at 14:35 , Bob Schellink wrote: > > Here what i meant is that if you declare a field as @Bindable you are clearly aware that it can be set in some way by the user. > If you have a public field (ok, it's rare) this is not that obvious. > > Here the XSS was just an example. The fact that one can set a value that i intended only for output is disturbing. > As a couple of other examples: > -suppose the welcomeMessage is the title of the page. It's not nice that one can put an arbitrary title on the page, even if it is escaped properly. > > -suppose one modifies the RequestTypeConverter as explained in the documentation to dynamically load customers from the db. > In a page one would like to do something with a customer object and then print the details, so we could have something like: > MyPage.class > public class MyPage extends Page { > @Bindable protected Customer customer = loadCustomer(3); > > pubic void action() { > customer.set.....(); > } > > MyPage.html > $customer.name > > a different customer can be loaded with a request like mypage.htm?customer=56 > (this example is a little weird but is just to get the idea) > > > These are just examples and maybe if all is handled very carefully by the programmer there would not be any problems. > However, they demonstrate that it is easy to make something that does not work as intended. > As a last example consider SQL Injections: if you escape the input properly you do not have the problem. On the other hand, > to prevent the problem even if you are not that careful PHP has introduced magic quotes and in Java we have preparedStatements (yes i'm simplifying a lot the things here!). The concept is that this double role of public field and ones annotated with @Bindable (as parameters and variables added to the page) it does not seem a good idea to me. > > -- > Lorenzo