myfaces-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Jeff Bischoff (JIRA)" <...@myfaces.apache.org>
Subject [jira] Commented: (MYFACES-1467) Validation doesn't run for required fields if submitted value is null
Date Fri, 12 Jan 2007 17:59:27 GMT

    [ https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464276
] 

Jeff Bischoff commented on MYFACES-1467:
----------------------------------------

I have also noticed the breakage in my code that Cristi noted. For some fields, I have disabled
bound to a bean property, but required hard-coded to "true". In these cases, the new patch
is causing me to get validation errors where I didn't used to see them.

Of course as a user, this problem can be avoided with something like:

<h:inputText disabled="#{bean.disabled}" required="#{not bean.disabled}" />

However, for those of us with large, existing applications that depend on the old behaviour,
this would need to be changed in a LOT of places. IMHO, the old behaviour was rather intuitive.
However, after reading this thread I think that perhaps the original way this was implemented
was perhaps oversimplified. Validation should be skipped when the component is disabled or
read-only, but not *whenever* the value is null. Is there a way we can keep the patch to fix
the security hole, but yet restore the old behaviour specifically for disabled and read-only
use cases?

Jeff Bischoff

> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-1467
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1467
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
>            Reporter: David Chandler
>         Assigned To: Matthias We├čendorf
>             Fix For: 1.1.5-SNAPSHOT
>
>         Attachments: patch.txt
>
>
> A component with a required value will not fail validation as expected if the submitted
value is null. This issue is not seen normally because browsers send the value for an empty
text field as an empty string. That is, the POST data for an empty field1 will contain the
field name but no value, like field1=&field2=something. However, if you use a man-in-the-middle
proxy such as Paros to remove "fieldname=" from the POST data, the submitted value will be
null. UIInput.validate() skips validation for null submitted values, but since requiredness
is also part of validation, the requiredness check gets skipped, too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

       

Mime
View raw message