inputTextarea: lack of user input validation (maxlength) #4420
Comments
Oops, this problem seems to be more general: improper input validation of

…maxlength` in Mojarra (related to primefaces/primefaces#4420)
…maxlength` in MyFaces (related to primefaces/primefaces#4420)

Opened an issue at MyFaces as well: https://issues.apache.org/jira/browse/MYFACES-4279

Opened an issue at Mojarra as well: eclipse-ee4j/mojarra#4530

…puttextarea fix #4420 - inputTextarea: lack of user input validation (maxlength)

Just for documentation purposes: According to the user guide, This often makes no sense and is probably due to auto-generation of documentation based on components' However, Thoughts?

Hmmm I never tried it but can you actually use maxLength on p:password?

In case of However, in case of

Just tested in showcase with Gets rendered as: Meaning that

I thought that is what RenderPassthroughAttributes did. So yeah because those derive from HTML Input it respects all their props. Is there any way we can generically enforce your maxlength check on these types? I haven't studied it closely enough.

Unfortunately, I can still reproduce the insecure behavior using See the following example based on the PoC by @cnsgithub and https://github.com/primefaces/primefaces-test. Sample XHTML ( Sample bean (

feel free to create a new issue + PR
1) Environment

2) Expected behavior
p:inputTextarea `maxlength` must be validated at server side as well.

3) Actual behavior
`maxlength` is validated on client side only. Client side validation can be bypassed.

4) Steps to reproduce
In the modified showcase shown below, execute `$("textarea[maxlength=10]").val("A".repeat(100))` in the console and press the Submit button. Set breakpoint in `BasicView.setText` and notice 100 characters being written to the model.

5) Sample XHTML
Add to `inputTextarea.xhtml` of showcase:

6) Sample bean
`BasicView` available in showcase is used.
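Added example (not PrimeFaces', Mojarra's or MyFaces' own code): a reusable JSF validator that re-checks the component's maxlength during the Process Validations phase, so a submitted value longer than the declared limit is rejected before any model setter such as BasicView.setText runs. It assumes the javax.faces API (JSF 2.2 or later, for getPassThroughAttributes) and uses a hypothetical validator id.

```java
import java.util.Map;
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

// Hypothetical id for this example; attach with <f:validator validatorId="serverMaxlengthValidator"/>
@FacesValidator("serverMaxlengthValidator")
public class ServerMaxlengthValidator implements Validator {
    @Override
    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        if (value == null) {
            return;
        }
        int maxlength = resolveMaxlength(component);
        if (maxlength <= 0) {
            return; // no limit declared on this component, nothing to enforce
        }
        // Count UTF-16 code units, the same measure as JavaScript String.length
        // used by the PoC; both sides must agree on the unit being limited.
        int length = String.valueOf(value).length();
        if (length > maxlength) {
            // Failing here keeps the oversized value out of the Update Model phase.
            FacesMessage msg = new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Input too long",
                    "At most " + maxlength + " characters allowed, " + length + " submitted.");
            throw new ValidatorException(msg);
        }
    }

    // Reads maxlength whether it is a component property (Integer on p:inputTextarea)
    // or a passthrough attribute (String from pt:maxlength); -1 means "not set".
    static int resolveMaxlength(UIComponent component) {
        Object attr = component.getAttributes().get("maxlength");
        if (attr == null) {
            Map<String, Object> pt = component.getPassThroughAttributes(false);
            attr = (pt == null) ? null : pt.get("maxlength");
        }
        if (attr instanceof Number) {
            return ((Number) attr).intValue();
        }
        try {
            return attr == null ? -1 : Integer.parseInt(String.valueOf(attr).trim());
        } catch (NumberFormatException malformed) {
            return -1; // unparsable attribute: treat as no limit rather than fail
        }
    }
}
```

Because the check reads the limit from the component itself, the same validator can be attached to any input whose maxlength is rendered only as an HTML attribute, which is the situation the comments above describe for passthrough attributes.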