[ https://issues.apache.org/jira/browse/DELTASPIKE-752?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=14185009#comment-14185009 ]

Gerhard Petracek commented on DELTASPIKE-752:
---------------------------------------------

I'll add a config for it so that it's easier to customize ClientWindow without 
customizing the renderer.
However, you can create shorter unique ids easily by storing the created ids in 
the session, since the ids just need to be unique within the session.
You can get down to 2 characters since v1.0.4 introduces a (configurable) 
maximum window-count anyway (or e.g. 1 character if you limit the window-count 
to 9 concurrent windows per session or ...).
We did that in CODI and it only breaks 1-2 quite exotic use-cases.

> ensure a secure maximum length of the window-id
> -----------------------------------------------
>
>                 Key: DELTASPIKE-752
>                 URL: https://issues.apache.org/jira/browse/DELTASPIKE-752
>             Project: DeltaSpike
>          Issue Type: Bug
>          Components: JSF-Module, JSF22-Module
>    Affects Versions: 1.0.3
>            Reporter: Heiko Kopp
>            Priority: Critical
>             Fix For: 1.0.4
>
>
> if the window-id is too long, we would need to escape it to avoid XSS.



--
This message was sent by Atlassian JIRA
(v6.3.4#6332)
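
The approach described in the comment above (short ids that only need to be unique within one session, combined with a maximum window count) can be sketched as follows. This is an added example, not DeltaSpike or CODI code: the class `ShortWindowIds`, its constants, the in-memory set standing in for a session attribute, and the evict-oldest policy are all assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.LinkedHashSet;
import java.util.Set;

public class ShortWindowIds {
    // Assumed limits; the page only says the maximum window count is configurable.
    static final int MAX_WINDOWS = 64;
    static final int ID_LENGTH = 2;
    static final String ALPHABET = "abcdefghijklmnopqrstuvwxyz0123456789";
    static final SecureRandom RANDOM = new SecureRandom();

    // Stand-in for a per-session attribute holding the ids issued so far.
    private final Set<String> issued = new LinkedHashSet<>();

    /** Creates an id that is unique within this session only. */
    synchronized String newWindowId() {
        if (issued.size() >= MAX_WINDOWS) {
            // Assumed policy: drop the oldest window so the id space never fills up.
            issued.remove(issued.iterator().next());
        }
        String id;
        do {
            StringBuilder sb = new StringBuilder(ID_LENGTH);
            for (int i = 0; i < ID_LENGTH; i++) {
                sb.append(ALPHABET.charAt(RANDOM.nextInt(ALPHABET.length())));
            }
            id = sb.toString();
        } while (!issued.add(id)); // retry on a collision within this session
        return id;
    }

    /** Accepts a client-supplied id only if length, alphabet and session membership all match. */
    synchronized boolean isValid(String candidate) {
        if (candidate == null || candidate.length() != ID_LENGTH) return false;
        for (int i = 0; i < candidate.length(); i++) {
            if (ALPHABET.indexOf(candidate.charAt(i)) < 0) return false;
        }
        return issued.contains(candidate);
    }

    public static void main(String[] args) {
        ShortWindowIds session = new ShortWindowIds();
        String id = session.newWindowId();
        System.out.println(id + " valid: " + session.isValid(id));
        // Constructed over-long input carrying markup: rejected before it could be rendered.
        System.out.println("hostile valid: " + session.isValid("\"><script>alert(1)</script>"));
    }
}
```

Because every accepted id has a fixed length and a fixed alphanumeric alphabet, a value that passes `isValid` contains nothing that needs escaping when it is written back into the page.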
