[ 
http://issues.apache.org/jira/browse/MYFACES-1467?page=comments#action_12443261 
] 
            
David Chandler commented on MYFACES-1467:
-----------------------------------------

I suspect there are still other issues here, but to get the immediate security 
problem resolved, I will proceed with Adam's suggestion to patch the decode() 
method of the TextInput Renderer. It turns out that 
HtmlRendererUtils.decodeUIInput() is logging a warning when it detects the 
missing client_id in the request, but is taking no further action. It seems 
this would be a fine place to set the submitted value to the empty string so as 
to trigger requiredness validation. Thoughts?

        // HtmlRendererUtils.decodeUIInput(): the missing-parameter branch only logs
        if (paramMap.containsKey(clientId))
        {
            ((EditableValueHolder) component).setSubmittedValue(paramMap.get(clientId));
        }
        else
        {
            log.warn("There should always be a submitted value for an input if it"
                     + " is rendered, its form is submitted, and it is not disabled"
                     + " or read-only. Component : "
                     + RendererUtils.getPathToComponent(component));
        }

Thanks,
/dmc

> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-1467
>                 URL: http://issues.apache.org/jira/browse/MYFACES-1467
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
>            Reporter: David Chandler
>         Assigned To: Matthias Weßendorf
>         Attachments: patch.txt
>
>
> A component with a required value will not fail validation as expected if the 
> submitted value is null. This issue is not seen normally because browsers 
> send the value for an empty text field as an empty string. That is, the POST 
> data for an empty field1 will contain the field name but no value, like 
> field1=&field2=something. However, if you use a man-in-the-middle proxy such 
> as Paros to remove "fieldname=" from the POST data, the submitted value will 
> be null. UIInput.validate() skips validation for null submitted values, but 
> since requiredness is also part of validation, the requiredness check gets 
> skipped, too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
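The bypass described in the issue and the decode-side fix proposed in the comment, as an added illustration that is not MyFaces code and not part of this thread. The JSF types are replaced by a minimal stand-in so the file compiles with no dependencies; the names RequiredBypassDemo, MiniInput, decodeVulnerable, decodeFixed and process are hypothetical, and the request maps are constructed to mirror a normal browser submit and one where a proxy removed "field1=".

```java
import java.util.HashMap;
import java.util.Map;

/*
 * Editor's illustration for MYFACES-1467, not project code.
 * MiniInput stands in for UIInput/EditableValueHolder and keeps only the
 * pieces the bug depends on: a submitted value that stays null when decode()
 * never sets it, and a validate() that returns early on null.
 */
public class RequiredBypassDemo {

    /** Hypothetical stand-in for a required text input. */
    static final class MiniInput {
        final String clientId;
        final boolean required;
        Object submittedValue;   // null until decode() sets it
        boolean valid = true;

        MiniInput(String clientId, boolean required) {
            this.clientId = clientId;
            this.required = required;
        }

        /** Mirrors the pattern the issue describes: a null submitted value
         *  skips validation entirely, and the requiredness check with it. */
        void validate() {
            if (submittedValue == null) {
                return;
            }
            String s = submittedValue.toString();
            if (required && s.length() == 0) {
                valid = false;   // the "value is required" failure
            }
        }
    }

    /** Decode as in the snippet quoted in the comment: the missing-parameter
     *  branch only logs, so the submitted value stays null. */
    static void decodeVulnerable(MiniInput c, Map<String, String> paramMap) {
        if (paramMap.containsKey(c.clientId)) {
            c.submittedValue = paramMap.get(c.clientId);
        } else {
            System.err.println("warn: no submitted value for " + c.clientId);
        }
    }

    /** Decode with the proposed change: a rendered, enabled input whose
     *  parameter is absent gets the empty string, so validate() runs. */
    static void decodeFixed(MiniInput c, Map<String, String> paramMap) {
        if (paramMap.containsKey(c.clientId)) {
            c.submittedValue = paramMap.get(c.clientId);
        } else {
            System.err.println("warn: no submitted value for " + c.clientId);
            c.submittedValue = "";
        }
    }

    /** Runs decode then validate for one request; returns whether the
     *  required field was accepted. */
    static boolean process(Map<String, String> paramMap, boolean fixed) {
        MiniInput field1 = new MiniInput("form:field1", true);
        if (fixed) {
            decodeFixed(field1, paramMap);
        } else {
            decodeVulnerable(field1, paramMap);
        }
        field1.validate();
        return field1.valid;
    }

    public static void main(String[] args) {
        // Constructed: a browser submits an empty text field as "field1=".
        Map<String, String> normal = new HashMap<>();
        normal.put("form:field1", "");
        normal.put("form:field2", "something");

        // Constructed: a tampering proxy removed "field1=" from the POST body.
        Map<String, String> tampered = new HashMap<>();
        tampered.put("form:field2", "something");

        System.out.println("empty field, vulnerable decode:   accepted=" + process(normal, false));
        System.out.println("field removed, vulnerable decode: accepted=" + process(tampered, false));
        System.out.println("field removed, fixed decode:      accepted=" + process(tampered, true));
    }
}
```

Compile and run with javac and java. For the tampered request the vulnerable decode leaves the submitted value null, validate() returns before the requiredness check and the empty required field is accepted; the fixed decode stores the empty string and validation rejects it, matching what the browser-submitted "field1=" already produces. Setting the empty string only makes sense under the condition the existing warning already states: the input was rendered, its form was submitted, and it is neither disabled nor read-only. An input that was not rendered or is disabled legitimately has no request parameter, so the decode fix must not be applied to it.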