[MYFACES-4279] inputText: lack of user input validation (maxlength) - ASF JIRA

XML

Word

Printable

JSON

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 2.3.2, 2.3-next-M1
Fix Version/s: 2.3-next-M1, 2.3.4
Component/s: General
Labels:
- bypass
- inputText
- length
- security
- validation

Description

Expected Behaviour

Server side validation should be performed as well.

Actual Behaviour

h:inputText maxlength is validated on client side only. However, client side validation may be bypassed easily.

Steps to reproduce

I created a small github project to reproduce this behaviour: https://github.com/cnsgithub/mojarra-ajax/tree/myfaces (branch myfaces)
To reproduce:

git clone https://github.com/cnsgithub/mojarra-ajax
git checkout myfaces
run mvn clean package jetty:run
after the server has started, open http://localhost:8080/maxlength.xhtml
Enter some characters and press the Submit button. Everything is fine.
Press the Hack button. 100 characters are written to the model.

This issue was first found in PrimeFaces, see https://github.com/primefaces/primefaces/issues/4420. Other components may be affected as well.

Attachments

Issue Links

links to

GitHub Pull Request #52

Activity

People

Assignee:: Unassigned

Reporter:: cnsgithub

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Dates

Created:: 14/Jan/19 09:32

Updated:: 25/Sep/19 13:43

Resolved:: 06/May/19 08:37

Time Tracking

Estimated:

Not Specified

Remaining:

0h

Logged:

20m