struts-dev mailing list archives

From Pierre Métras <gen...@sympatico.ca>
Subject Re: Request to reserve two hidden field names
Date Tue, 03 Oct 2000 15:31:20 GMT
Robert wrote:

> Over the last week in beginning to work with struts I have found
> myself creating hidden fields to pass information on which button
> the user has clicked. Then taking alternative "forwarding" actions
> in the associated Action class.
>
> ...
>
> I would like to propose a convention of reserving two hidden field names:
> "cmd" and "token" as a --first-- step to providing a supplemental/alternative
> method of dispatching commands. That way if and when I can cleanly fit
> this method into struts it would be available to all.
>
> "cmd" would be the hidden field name to store commands.
> "token" would be hidden field to store tokens for commands
>             that need to assure transaction integrity which should
>             only be performed once. A token can be used only once,
>             and is destroyed after its use.
>

Just a question: why use hidden fields instead of having a class MenuForm
derived from ActionForm, with two instance variables 'cmd' and 'token'?

With hidden fields, a malicious user could see their content, change the
value of a field and resubmit a transaction. The only advantage I can see is
if you need to change their value with JavaScript code on the browser side,
without a round trip to the server.
If you use your own class, you no longer need to reserve field names.
And you can add your menu behaviour without changing your JSP code: just
change your inheritance link in the form bean associated with the page, et
voilà!

Pierre Métras
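An added illustration, not code from this thread or from Struts, of the one-time "token" convention Robert describes, implemented so that the point Pierre raises (the hidden field is visible and editable in the browser) does not matter: the server generates the token, keeps the only authoritative copy in the session, and removes it on first use, so a copied or resubmitted value is rejected. The session is modelled as a plain Map and the attribute name and the allowed "cmd" values are assumptions for the example.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.security.SecureRandom;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

public class TransactionToken {
    // Hypothetical session attribute name holding the server-side copy of the token.
    static final String TOKEN_KEY = "org.example.TRANSACTION_TOKEN";
    // Hypothetical allowlist: the visible "cmd" field is never trusted on its own.
    static final Set<String> ALLOWED_CMDS = Set.of("save", "cancel");
    private static final SecureRandom RANDOM = new SecureRandom();

    // Called while rendering the form: mint an unguessable token and remember it.
    // The returned value is what goes into <input type="hidden" name="token">.
    public static String saveToken(Map<String, Object> session) {
        byte[] raw = new byte[16];
        RANDOM.nextBytes(raw);
        StringBuilder hex = new StringBuilder();
        for (byte b : raw) hex.append(String.format("%02x", b));
        String token = hex.toString();
        session.put(TOKEN_KEY, token);
        return token;
    }

    // Called by the Action on submit: accept the token once, then destroy it.
    public static boolean isTokenValid(Map<String, Object> session, String submitted) {
        Object expected = session.get(TOKEN_KEY);
        if (expected == null || submitted == null) return false;
        byte[] a = expected.toString().getBytes(StandardCharsets.UTF_8);
        byte[] b = submitted.getBytes(StandardCharsets.UTF_8);
        if (!MessageDigest.isEqual(a, b)) return false;   // constant-time compare
        session.remove(TOKEN_KEY);   // single use: replaying the same value now fails
        return true;
    }

    // The "cmd" field is equally editable by the user, so it is checked server-side too.
    public static boolean isCommandAllowed(String cmd) {
        return cmd != null && ALLOWED_CMDS.contains(cmd);
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>();
        String token = saveToken(session);   // rendered into the page as a hidden field
        System.out.println("first submit accepted: " + isTokenValid(session, token));
        System.out.println("replayed submit accepted: " + isTokenValid(session, token));
        System.out.println("cmd=delete allowed: " + isCommandAllowed("delete"));
    }
}
```

Whether the values live in hidden fields or in a MenuForm subclass of ActionForm, this is the part that enforces the once-only rule; the form bean only carries the values to the Action.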

