Server-side validation should be performed as well.
h:inputText maxlength is validated on the client side only. However, client-side validation may be bypassed easily.
I created a small GitHub project to reproduce this behaviour: https://github.com/cnsgithub/mojarra-ajax/tree/myfaces (branch myfaces)
- git clone https://github.com/cnsgithub/mojarra-ajax
- git checkout myfaces
- Run mvn clean package jetty:run
- After the server has started, open http://localhost:8080/maxlength.xhtml
- Enter some characters and press the Submit button. Everything is fine.
- Press the Hack button. 100 characters are written to the model.
This issue was first found in PrimeFaces, see https://github.com/primefaces/primefaces/issues/4420. Other components may be affected as well.
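
An application-level mitigation for the behaviour reported above, as an added example that is not part of the original report or of the MyFaces or PrimeFaces code: a JSF validator that enforces the component's own maxlength on the server during the validation phase. The package name, validator id and message text are hypothetical, and the javax.faces (JSF 2.x) namespace is an assumption.

```java
package example; // hypothetical package name

import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.component.html.HtmlInputText;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

/**
 * Rejects submitted values longer than the maxlength declared on the
 * h:inputText the validator is attached to, so the limit holds even when
 * the request does not come from the rendered form field.
 *
 * Attach in the view (validator id is hypothetical):
 *   <h:inputText value="#{bean.text}" maxlength="10">
 *     <f:validator validatorId="example.maxlengthValidator"/>
 *   </h:inputText>
 *
 * The standard <f:validateLength maximum="10"/> tag gives the same
 * server-side check when repeating the limit in the view is acceptable.
 */
@FacesValidator("example.maxlengthValidator")
public class MaxlengthValidator implements Validator {

    @Override
    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        if (!(component instanceof HtmlInputText) || value == null) {
            return; // nothing to enforce on other components or empty input
        }
        int max = ((HtmlInputText) component).getMaxlength();
        if (max <= 0) {
            return; // maxlength not set (the property defaults to Integer.MIN_VALUE)
        }
        // String.length() counts UTF-16 code units, the same unit the
        // browser uses when it applies the HTML maxlength attribute.
        int length = value.toString().length();
        if (length > max) {
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Value too long",
                    "Length " + length + " exceeds the maximum of " + max + ".");
            // Throwing marks the component invalid, so the update-model
            // phase is skipped and the value never reaches the bean.
            throw new ValidatorException(msg);
        }
    }
}
```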