Hi, I've a couple of questions about the page "Request Parameter Auto Binding"
(section 2.3 of the documentation).
1. Is it possible to disable the feature that "binds automatically any request
parameter values to public Page fields with the same name"?
I see that it is possible for page autobinding but not for request parameters.
I find this feature very subtle: it makes the code less clear and is
possibly dangerous (class fields can be set by an attacker in a way that is not
evident, and it is easy to make mistakes).
2. According to the documentation: "When binding these values Click will also
attempt to convert them to the correct type". However, if the
conversion is not successful, is the intended behavior to throw an exception?
Say I have a page:
    import org.apache.click.Page;
    import org.apache.click.util.Bindable;

    public class MyPage extends Page {
        // Auto-bound from the "customerId" request parameter, converted to Integer
        @Bindable
        protected Integer customerId;
    }
and the following request is made: mypage.htm?customerId=xxx
In this case an exception is thrown.
3. Why is the @Bindable annotation used both for request parameters and for page
autobinding (if autobinding for pages is enabled, of course)?
This makes it very confusing. It is not clear whether @Bindable is used to get a
parameter or to put something on the page.
In addition, it could lead to security problems.
For example, consider the page:
MyPage.java:
    import org.apache.click.Page;
    import org.apache.click.util.Bindable;

    public class MyPage extends Page {
        // Intended as template output, but @Bindable also lets a request
        // parameter named "welcomeMessage" overwrite it
        @Bindable
        protected String welcomeMessage = "Welcome to my web site";
    }
MyPage.htm:
$welcomeMessage
and an attacker makes the following request: mypage.htm?welcomeMessage=Fake message
So in this case we have a possible XSS attack.
Thanks,
Lorenzo Simionato
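One way to avoid both problems raised above (a display-only field that auto-binding can overwrite, and an uncaught conversion failure): keep output values out of bindable fields and parse the request parameter explicitly. This is an added example, not code from the original post or from the Click project; it assumes Click's Page.onInit(), Page.getContext(), Context.getRequestParameter() and Page.addModel(), and the package name is made up.

```java
package example; // constructed package name

import org.apache.click.Page;

public class SafeCustomerPage extends Page {

    // Display-only value: neither public nor @Bindable, so a request parameter
    // named "welcomeMessage" cannot overwrite it.
    private static final String WELCOME_MESSAGE = "Welcome to my web site";

    // Request input, parsed explicitly instead of auto-bound.
    private Integer customerId;

    @Override
    public void onInit() {
        super.onInit();

        // Output reaches the template through the model, not through a bound field.
        addModel("welcomeMessage", WELCOME_MESSAGE);

        // Explicit conversion: a non-numeric "customerId" (e.g. ?customerId=xxx)
        // becomes "absent" rather than an uncaught exception.
        customerId = parseCustomerId(getContext().getRequestParameter("customerId"));
        addModel("customerId", customerId == null ? "" : customerId);
    }

    // Returns null for missing, malformed or non-positive ids.
    static Integer parseCustomerId(String raw) {
        if (raw == null || raw.trim().isEmpty()) {
            return null;
        }
        try {
            int id = Integer.parseInt(raw.trim());
            return id > 0 ? Integer.valueOf(id) : null;
        } catch (NumberFormatException e) {
            return null;
        }
    }

    public Integer getCustomerId() {
        return customerId;
    }
}
```

Because only an Integer derived from the request is placed in the model, the template never renders raw attacker-controlled text; any free-form request text you do add to the model still has to be HTML-escaped before rendering.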