Force JSF to process, validate and update readonly/disabled input components anyway

Question

I am creating a calculator where a user can do the various operations by clicking on virtual numpad. Now I want to restrict the user to only select the various characters by clicking on the buttons and s/he should not be able to enter the values using keyboard. I tried using readonly="true" but it is neither validating the input nor setting the values in the bean when we click on any button.

Do we have any such restrictions available in jsf?

score 20 · Accepted Answer · edited Jun 20 '20 at 09:12

20

That's the effect of JSF's safeguard against tampered/attacked requests wherein the hacker attempts to circumvent the readonly (and disabled) attribute by manipulating the HTML DOM and/or the HTTP request.

Instead of

<x:inputXxx ... readonly="true">

use

<x:inputXxx ... readonly="#{facesContext.currentPhaseId.ordinal eq 6}">

or

<x:inputXxx ... readonly="#{not facesContext.postback or facesContext.renderResponse}">

This makes sure that readonly is only effective during render response phase and not during all other JSF phases. So, when JSF is about to decode the input component during the apply request values phase, it will consider readonly="false" this way.

1

That is a ... surprising use of the FacesContext. This feels like a hack, but appears to work with both Mojarra and MyFaces. It also works for the `disabled` attribute. – sleske Jan 19 '17 at 13:41
Just out of curiosity: Is there anything in the spec that guarantees that this works, or is it just a convenient property of the current implementations? – sleske Jan 19 '17 at 13:42
1

@sleske: it's part of spec. See a.o. section 5.6.1.1 of JSF 2.2 specification. You can find here an overview of all implicit EL objects in JSF http://balusc.omnifaces.org/2011/09/communication-in-jsf-20.html#ImplicitELObjects – BalusC Jan 19 '17 at 13:46
Funny enough, currentPhaseId doesn't work for me (JSF 2.1) and the latter approach gets srewed by AJAX. Any good addition to make it work? – Thomas Apr 11 '18 at 12:51

Rachel Gallen · Answer 2 · 2015-09-04T06:16:05.757

2

The key codes for the top row of numbers are 48-57 so you could write a function to disable keypress on those characters.

Something like this

function disableEnter(event) {
    var charCode = (event.which) ? event.which : event.keyCode;
    if (charCode > 31  && (charCode > 47 || charCode < 58)) {
        return false;}
    } else return true;
}

<h:inputText onkeypress="return disableEnter(event);" />

edited Sep 04 '15 at 06:16

answered Sep 04 '15 at 04:59

Rachel Gallen

27,943
21
72
81

js may be inexact. numpad keys are 96-105. might wanna include those too. – Rachel Gallen Sep 04 '15 at 06:26
The user can still paste values using his mouse, but you can disable it using CSS - `pointer-events: none;`. Note that the user will not be able to focus the input using his mouse if you do so. Also, with this javascript the user can TAB to the disabled input, but can't TAB out of it, so you migh also want to consider allowing TAB keypress. – Kamil Bęben Apr 13 '21 at 08:42

score 1 · Answer 3 · answered Sep 04 '15 at 06:44

1

I found another workaround:

function stopEvent(event){
    event.stopPropagation();
    event.preventDefault();
}

onkeyup="stopEvent(event)" onkeydown="stopEvent(event)" onkeypress="stopEvent(event)"

answered Sep 04 '15 at 06:44

whywake

880
10
29

Force JSF to process, validate and update readonly/disabled input components anyway

3 Answers3

See also:

Linked

Related