You are absolutely correct Przemyslaw. Realizing that form validation is cursory at best and easily bypassed at worst is a good approach.

One of the hard-learned lessons that (it seems) few developers get is that _ALL_ data received from the user is suspect, not only in content but in type. For example, code that suffers from SQL injection vulnerabilities is written by people who don't understand this concept. I still use the validator as a first line of defense, because it is quick and (relatively) easy to implement and the response time is quicker for the user; however, all data gets the final validation check by the model/business logic layer (with the appropriate exception thrown if invalid).

Cheers,
Bryan Hanks

-- Original Message --
From: "Przemyslaw Lupinski" <[EMAIL PROTECTED]>
Subject: Cancel button and security
Date: Fri, 15 Jul 2005 08:01:15 +0200

Hello,

Many developers use the tag <html:cancel/> to perform an action without validation (and for other reasons). It's useful, but it can be dangerous from a security point of view. If we don't handle the cancel button in every Action or BaseAction, then it's possible to perform some actions without validation. How? It's very simple. Just put the parameter org.apache.struts.taglib.html.CANCEL=1 in the URL or add the form element <input type="hidden" name="org.apache.struts.taglib.html.CANCEL" value="1">. I've tried this trick on many sites written in Struts. I advise keeping this problem in mind if we don't have validation in the business layer.

-- Przemyslaw Lupinski
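As an added example (not code from this thread or from Struts itself), here is a Struts 1 Action that handles the cancel case in the Action as Przemyslaw suggests and still lets the business layer do the final validation as Bryan describes. The class names, form field, service and forward names are assumptions; isCancelled() and the CANCEL request parameter key are Struts 1 API.

```java
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import org.apache.struts.action.Action;
import org.apache.struts.action.ActionForm;
import org.apache.struts.action.ActionForward;
import org.apache.struts.action.ActionMapping;

/** Hypothetical form bean; the field name is an assumption. */
class ProfileForm extends ActionForm {
    private String email;
    public String getEmail() { return email; }
    public void setEmail(String email) { this.email = email; }
}

/** Hypothetical business-layer service: validates on its own, never trusts the web tier. */
class ProfileService {
    public void updateEmail(String email) {
        if (email == null || !email.matches("^[^@\\s]+@[^@\\s]+\\.[^@\\s]+$")) {
            throw new IllegalArgumentException("invalid e-mail address");
        }
        // persisting the change is omitted in this example
    }
}

public class UpdateProfileAction extends Action {
    private final ProfileService service = new ProfileService();

    public ActionForward execute(ActionMapping mapping, ActionForm form,
                                 HttpServletRequest request,
                                 HttpServletResponse response) throws Exception {
        // Struts 1 skips ActionForm.validate() whenever the request carries the
        // org.apache.struts.taglib.html.CANCEL parameter, whether it came from the
        // real cancel button or was added by hand. Decide on cancel first, so that
        // nothing below runs on unvalidated input in that case.
        if (isCancelled(request)) {
            return mapping.findForward("cancel");   // assumed forward name
        }
        ProfileForm pf = (ProfileForm) form;
        // Second line of defence: the business layer re-validates every value,
        // so a skipped web-tier validation never reaches the persistence layer.
        try {
            service.updateEmail(pf.getEmail());
        } catch (IllegalArgumentException e) {
            return mapping.findForward("failure");  // assumed forward name
        }
        return mapping.findForward("success");      // assumed forward name
    }
}
```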