[ https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464276 ]
Jeff Bischoff commented on MYFACES-1467: ---------------------------------------- I have also noticed the breakage in my code that Cristi noted. For some fields, I have disabled bound to a bean property, but required hard-coded to "true". In these cases, the new patch is causing me to get validation errors where I didn't used to see them. Of course as a user, this problem can be avoided with something like: <h:inputText disabled="#{bean.disabled}" required="#{not bean.disabled}" /> However, for those of us with large, existing applications that depend on the old behaviour, this would need to be changed in a LOT of places. IMHO, the old behaviour was rather intuitive. However, after reading this thread I think that perhaps the original way this was implemented was perhaps oversimplified. Validation should be skipped when the component is disabled or read-only, but not *whenever* the value is null. Is there a way we can keep the patch to fix the security hole, but yet restore the old behaviour specifically for disabled and read-only use cases? Jeff Bischoff > Validation doesn't run for required fields if submitted value is null > --------------------------------------------------------------------- > > Key: MYFACES-1467 > URL: https://issues.apache.org/jira/browse/MYFACES-1467 > Project: MyFaces Core > Issue Type: Bug > Components: General > Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT > Reporter: David Chandler > Assigned To: Matthias Weßendorf > Fix For: 1.1.5-SNAPSHOT > > Attachments: patch.txt > > > A component with a required value will not fail validation as expected if the > submitted value is null. This issue is not seen normally because browsers > send the value for an empty text field as an empty string. That is, the POST > data for an empty field1 will contain the field name but no value, like > field1=&field2=something. However, if you use a man-in-the-middle proxy such > as Paros to remove "fieldname=" from the POST data, the submitted value will > be null. UIInput.validate() skips validation for null submitted values, but > since requiredness is also part of validation, the requiredness check gets > skipped, too. -- This message is automatically generated by JIRA. - If you think it was sent incorrectly contact one of the administrators: https://issues.apache.org/jira/secure/Administrators.jspa - For more information on JIRA, see: http://www.atlassian.com/software/jira