h:commandLink and unsafe-inline

Question

If you look at this Mkyong example of how h:commandLink is resolved, it looks like this.

//JSF
<h:commandLink action="#{user.goLoginPage}" value="Login page + Param ">
    <f:param name="username" value="mkyong" />
</h:commandLink>

//HTML output
<script type="text/javascript"
 src="/JavaServerFaces/faces/javax.faces.resource/jsf.js?ln=javax.faces&stage=Development">
</script>

<a href="#"
    onclick="mojarra.jsfcljs(document.getElementById('j_idt6'),
    {'j_idt6:j_idt20':'j_idt6:j_idt20','username':'mkyong'},'');
    return false">
    Login page + Param
</a>

The problem with this is that if you are enforcing unsafe-inline your browser will refuse to execute this.

I've been whitelisting inline scripts with the nonce method.

Is there a way to allow the h:commandLinks to work?

Answer 1

There is in HTML no way to perform a POST request using an <a> element. JSF in this context being just a HTML code generator can't do much about that.

You have 3 options:

1. Replace by <h:commandButton>.
2. Or, replace by <h:link>.
3. Or, replace by a custom component which initializes the script externally.

See also:

• How to navigate in JSF? How to make URL reflect current page (and not previous one)
• Semantics of "?faces-redirect=true" in <commandlink action=...> and why not use it everywhere