Perhaps I have time to check on the weekend.
There is already a bug like this in Jira. Patches are welcome too.
On Thu, Jun 19, 2008 at 6:44 AM, Stephen Friedrich <[EMAIL PROTECTED]> wrote:
> While testing I noticed that my application crashed with an error from the
> persistence layer.
> I found out that the reason is invalid form data submitted using enter in a
> tr:inputText that is contained in a tr:form with a defaultCommand.
>
> Usually that submit should never make it to the action handler because I have
> a tr:validateLength that prevents it.
>
> That validator works fine if the submit button is clicked.
> However, if the user simply hits enter in an input field, that VALIDATION IS
> SKIPPED.
> It works fine if I use f:validateLength instead of tr:validateLength, however
> there's no client side validation in that case (and the error message is
> uglier).
>
> I am using Trinidad 1.2.8 with Mojarra 1.2._08-b06 and Facelets 1.1.14.
>
> Here's the relevant snippet from my code. I added the f:validateLength just for
> testing:
>
> <!-- Fax -->
> <tr:inputText id="fax" label="#{Output.FAX}"
>               value="#{_currentBranch.fax}" required="true" maximumLength="128">
>     <tr:validateLength minimum="8" maximum="128"/>
> </tr:inputText>
>
> <!-- E-Mail -->
> <tr:inputText id="email" label="#{Output.EMAIL}"
>               value="#{_currentBranch.email}" required="true" maximumLength="128">
>     <tr:validateLength minimum="7" maximum="128"/>
>     <f:validateLength minimum="7" maximum="128"/>
> </tr:inputText>
>
> <!-- Save Button -->
> <tr:commandButton id="saveButton"
>                   action="#{branchControllert.save}"
>                   text="Save"/>
>
> See attachments for the different behaviour depending on how the form is
> submitted.
> You can see that the "Fax" input field is not validated at all when the form
> is submitted using the default command.
>
> IMHO this should be considered a serious bug, because effectively it removes
> one layer of security. I am pretty sure that there are lots of apps out there
> where checks on the business and persistence layer are missing.
>
--
Matthias Wessendorf
further stuff:
blog: http://matthiaswessendorf.wordpress.com/
sessions: http://www.slideshare.net/mwessendorf
mail: matzew-at-apache-dot-org