struts-dev mailing list archives
From "Taylor Cowan" <tay...@bondisoftware.com>
Subject Re: Request to reserve two hidden field names
Date Tue, 03 Oct 2000 15:47:56 GMT
> Just a question: why use hidden fields instead of having a class MenuForm
> derived class ActionForm, with two instance variables 'cmd' and 'token'?

Just glancing at the example application bundled with struts I found this:

<struts:hidden property="action"/>

In other cases the "action" is sent as a request parameter in the URL.
So even the example of how to use struts, which is basically all newbies
have to go on, uses a hidden field to pass info back to the servlet.  Just
simply having two instance variables 'cmd' and 'token' doesn't solve the
problem of informing server side objects about which button or link the user
selected.

Taylor

----- Original Message -----
From: "Pierre Métras" <genepi@sympatico.ca>
To: <struts-dev@jakarta.apache.org>
Sent: Tuesday, October 03, 2000 10:31 AM
Subject: Re: Request to reserve two hidden field names


> Robert wrote:
>
> > Over the last week in beginning to work with struts I have found
> > myself creating hidden fields to pass information on which button
> > the user has clicked. Then taking alternative "forwarding" actions
> > in the associated Action class.
> >
> > ...
> >
> > I would like to propose a convention of reserving two hidden field names:
> > "cmd" and "token" as a --first-- step to providing a
> > supplemental/alternative method
> > of dispatching commands. That way if and when I can cleanly fit
> > this method into struts it would be available to all.
> >
> > "cmd" would be the hidden field name to store commands.
> > "token" would be hidden field to store tokens for commands
> >             that need to assure transaction integrity which should
> >             only be performed once. A token can be used only once,
> >             and is destroyed after its use.
> >
>
> Just a question: why use hidden fields instead of having a class MenuForm
> derived class ActionForm, with two instance variables 'cmd' and 'token'?
>
> With hidden fields, a malicious user could see their content and change the
> value of a field and resubmit a transaction. The only advantage I can see is
> if you need to change their value with JavaScript code on the browser side,
> without a round-up to the server.
> If you use your own class, you don't need any more to reserve field names.
> And you can add your menu behaviour without changing your JSP code: just
> change your inheritance link in the form bean associated with the page, et
> voilà!
>
> Pierre Métras


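The one-time "token" Robert describes and Pierre's point that a hidden field is user-controlled both come down to the same rule: the browser's copy is untrusted, the session's copy is the only one that counts. The following is an added example written for this thread, not Struts code; it uses a plain Map in place of HttpSession, and the attribute name `transaction.token` and the command set are assumptions.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.Base64;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
// Added example, not Struts code: a server-side guard for the proposed "cmd"
// and "token" fields. A plain Map stands in for HttpSession so it runs
// without a servlet container; the attribute name and command set are assumed.
public class TransactionTokenGuard {
    private static final String TOKEN_KEY = "transaction.token";
    private static final Set<String> KNOWN_COMMANDS = Set.of("save", "delete", "cancel");
    private static final SecureRandom RNG = new SecureRandom();

    // On form render: mint an unguessable token, keep the only trusted copy
    // in the session, and hand the value back for the hidden field.
    public static String issueToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(TOKEN_KEY, token);
        return token;
    }

    // On submit: accept only a value equal to the session copy, then destroy
    // that copy so the same form cannot be replayed or double-submitted.
    public static boolean consumeToken(Map<String, Object> session, String submitted) {
        Object expected = session.get(TOKEN_KEY);
        if (expected == null || submitted == null) return false;
        byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return false;   // tampered or stale value
        session.remove(TOKEN_KEY);                        // single use
        return true;
    }

    // The hidden "cmd" field is user-controlled too: dispatch only on a
    // fixed set of names rather than trusting whatever the browser sent.
    public static String dispatch(String cmd) {
        return KNOWN_COMMANDS.contains(cmd) ? cmd : "unknown";
    }
    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = issueToken(session);   // rendered into <struts:hidden property="token"/>
        System.out.println("first submit: " + consumeToken(session, token));
        System.out.println("replayed submit: " + consumeToken(session, token));
        System.out.println("cmd=delete -> " + dispatch("delete") + ", cmd=../admin -> " + dispatch("../admin"));
    }
}
```

Because the session copy is removed only on a successful match, a second submission of the same form, or one carrying an edited token, is rejected without touching whatever token the legitimate form still holds.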