While testing I noticed that my application crashed with an error from the
persistence layer.
I found out that the reason is invalid form data submitted using enter in a
tr:inputText that is contained in a tr:form with a defaultCommand.

Usually that submit should never make it to the action handler because I have
a tr:validateLength that prevents it.

That validator works fine if the submit button is clicked.
However, if the user simply hits enter in an input field, that VALIDATION IS
SKIPPED.
It works fine if I use f:validateLength instead of tr:validateLength, however
there's no client side validation in that case (and the error message is 
uglier).

I am using Trinidad 1.2.8 with Mojarra 1.2._08-b06 and Facelets 1.1.14.

Here's the relevant snippet from my code. I added the f:validateLength just for
testing:

    <!-- Fax -->
    <tr:inputText id="fax" label="#{Output.FAX}" value="#{_currentBranch.fax}"
                  required="true" maximumLength="128">
        <tr:validateLength minimum="8" maximum="128"/>
    </tr:inputText>

    <!-- E-Mail -->
    <tr:inputText id="email" label="#{Output.EMAIL}" value="#{_currentBranch.email}"
                  required="true" maximumLength="128">
        <tr:validateLength minimum="7" maximum="128"/>
        <f:validateLength minimum="7" maximum="128"/>
    </tr:inputText>

    <!-- Save Button -->
    <tr:commandButton id="saveButton"
                      action="#{branchControllert.save}"
                      text="Save"/>

See attachments for the different behaviour depending on how the form is 
submitted.
You can see that the "Fax" input field is not validated at all when the form is
submitted using the default command.

IMHO this should be considered a serious bug, because effectively it removes
one layer of security. I am pretty sure that there are lots of apps out there
where checks on the business and persistence layer are missing.

<<inline: submit-by-click.png>>

<<inline: submit-by-enter.png>>
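
Added example, not part of the original post and not Trinidad or application code: a service-layer check that enforces the same required/length limits as the validators in the snippet (fax 8..128, email 7..128), so a submit that bypasses view-layer validation still cannot reach persistence. The class names `Branch`, `BranchService` and `LengthRule` are hypothetical, and the sample values in `main` are constructed.

```java
import java.util.ArrayList;
import java.util.List;

public class BranchService {

    /** Hypothetical stand-in for the entity behind #{_currentBranch}. */
    static class Branch {
        final String fax;
        final String email;
        Branch(String fax, String email) { this.fax = fax; this.email = email; }
    }

    /** One required, length-bounded field; limits mirror the page's validators. */
    static final class LengthRule {
        final String field; final int min; final int max;
        LengthRule(String field, int min, int max) { this.field = field; this.min = min; this.max = max; }

        void check(String value, List<String> violations) {
            if (value == null || value.isEmpty()) {
                violations.add(field + ": value is required");
                return;
            }
            int len = value.codePointCount(0, value.length());
            if (len < min || len > max) {
                violations.add(field + ": length " + len + " outside " + min + ".." + max);
            }
        }
    }

    static final LengthRule FAX = new LengthRule("fax", 8, 128);
    static final LengthRule EMAIL = new LengthRule("email", 7, 128);

    /** Collects every violation; independent of how the form was submitted. */
    static List<String> validate(Branch b) {
        List<String> violations = new ArrayList<String>();
        FAX.check(b.fax, violations);
        EMAIL.check(b.email, violations);
        return violations;
    }

    /** Called by the action handler; throws before anything is persisted. */
    static void save(Branch b) {
        List<String> violations = validate(b);
        if (!violations.isEmpty()) {
            throw new IllegalArgumentException("Branch rejected: " + violations);
        }
        // Only a validated entity is handed to the persistence layer from here.
    }

    public static void main(String[] args) {
        // Constructed input: the fax value is shorter than the 8..128 rule allows.
        System.out.println(validate(new Branch("123", "a@example.org")));
        save(new Branch("+49 30 1234567", "a@example.org"));
    }
}
```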
