[ https://issues.apache.org/jira/browse/TAP5-321?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=12644601#action_12644601 ]

Yunhua Sang commented on TAP5-321:
----------------------------------

In my opinion, in this case there should be an error raised to avoid a 
potential security issue. 

> Persisted field somehow shares its value across sessions.
> ---------------------------------------------------------
>
>                 Key: TAP5-321
>                 URL: https://issues.apache.org/jira/browse/TAP5-321
>             Project: Tapestry 5
>          Issue Type: Bug
>          Components: tapestry-core
>    Affects Versions: 5.0.16
>         Environment: Windows Vista Home Premium Service Pack1
> java version "1.6.0_07"
> Jetty 6.1.11
>            Reporter: Yunhua Sang
>            Assignee: Howard M. Lewis Ship
>            Priority: Critical
>
> In a page, when a field with the @Persist annotation has type List and a 
> default inline value, its behavior looks like that of a static field, i.e. its 
> value can be shared by different requests from different sessions.
> Example:
> Java code:
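> import java.util.ArrayList;
> import java.util.List;
> import org.apache.tapestry5.annotations.Persist;
> import org.apache.tapestry5.annotations.Property;
>
> public class PersistentDemo {
>     // Inline initializer on a @Persist field: the case this report is about.
>     @Property
>     @Persist
>     private List<String> messages = new ArrayList<String>();
>
>     // Event handler for the "updateMessages" action link in the page template.
>     void onActionFromUpdateMessages()
>     {
>         this.messages.add("foo1");
>         this.messages.add("foo2");
>     }
> }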
> Page:
> <html xmlns:t="http://tapestry.apache.org/schema/tapestry_5_0_0.xsd">
>     <p>
>         Messages:
>         <span id="messages">${messages}</span>
>     </p>
>     <ul>
>         <li>
>             <t:actionlink t:id="updateMessages">Update the messages</t:actionlink>
>         </li>
>     </ul>
> </html>
> Steps to reproduce:
> 1. Open the PersistentDemo in Firefox.
> 2. Click the link to update messages.
> 3. Close Firefox window.
> 4. Open an IE window for this page; you will see the updated messages.
>  
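
A plain-Java model of the behaviour reported above, added here as an illustration; it is not code from Tapestry or from the reporter. It assumes the framework hands out the one list object created by the inline initializer whenever a session has no stored value of its own; `PooledPage`, its methods and the session ids are hypothetical names.

```java
import java.util.ArrayList;
import java.util.HashMap;
import java.util.List;
import java.util.Map;

public class PersistDefaultDemo {
    // Hypothetical stand-in for a page instance that serves many sessions.
    static class PooledPage {
        // Created once, like the inline initializer in the report (assumption).
        private final List<String> inlineDefault = new ArrayList<String>();
        private final Map<String, List<String>> perSession =
                new HashMap<String, List<String>>();

        // Reported pattern: with no stored value, the shared default is returned,
        // so an in-place add() mutates an object every session can reach.
        List<String> messagesShared(String sessionId) {
            List<String> stored = perSession.get(sessionId);
            return stored != null ? stored : inlineDefault;
        }

        // Isolated pattern: allocate a fresh list per session on first access.
        List<String> messagesIsolated(String sessionId) {
            List<String> stored = perSession.get(sessionId);
            if (stored == null) {
                stored = new ArrayList<String>();
                perSession.put(sessionId, stored);
            }
            return stored;
        }
    }

    public static void main(String[] args) {
        // Constructed session ids mirroring the Firefox / IE steps in the report.
        PooledPage shared = new PooledPage();
        shared.messagesShared("firefox-session").add("foo1");
        shared.messagesShared("firefox-session").add("foo2");
        System.out.println("shared default, IE session sees:   "
                + shared.messagesShared("ie-session"));

        PooledPage isolated = new PooledPage();
        isolated.messagesIsolated("firefox-session").add("foo1");
        isolated.messagesIsolated("firefox-session").add("foo2");
        System.out.println("per-session list, IE session sees: "
                + isolated.messagesIsolated("ie-session"));
    }
}
```
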
