1

In a JSF page a select is populated based on logged in user privileges. The aziende4ReportList contains only data related to the logged in user

 <h:selectOneMenu  id="comboAziende"  value="#{provaController.azienda}"  required="true" >
                    <f:selectItems value="#{provaController.aziende4ReportList}" />
                </h:selectOneMenu>

I thought the data sent to the server with the post could be tampered so I did a check sending a value outside the list and I got a validation error. Can I be sure JSF checks the incoming data accepting only values that can be inserted in the form it produced previously ?

Filippo
  • 1,123
  • 1
  • 11
  • 28

1 Answers1

2

Can I be sure JSF checks the incoming data accepting only values that can be inserted in the form it produced previously ?

That's correct. Tampering the request with an unlisted dropdown list value would only result in "Validation Error: Value is not valid". It's not only that, JSF also re-checks all disabled and rendered attributes during postback. So even if one used JavaScript to manipulate the disabled attribute, or used browser's builtin HTML DOM editor to manipulate the HTML elements, it would still not pass as it's not valid according the JSF view state.

Your question title is by the way confusing, so I'll ignore that part for now. To the point, server side checks are absolutely necessary, no excuses, this is regardless of the server side language/framework used. However, JSF does already a lot of them, including XSS and CSRF.

Community
  • 1
  • 1
BalusC
  • 1,082,665
  • 372
  • 3,610
  • 3,555
  • I got the answer I wanted and I agree the title was confusing, but I didn't find a better way to express it. – Filippo Jun 14 '13 at 06:40