[ https://issues.apache.org/jira/browse/MYFACES-1467?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel#action_12464276 ]

Jeff Bischoff commented on MYFACES-1467:
----------------------------------------

I have also noticed the breakage in my code that Cristi noted. For some fields, 
I have disabled bound to a bean property, but required hard-coded to "true". In 
these cases, the new patch is causing me to get validation errors where I 
didn't use to see them.

Of course as a user, this problem can be avoided with something like:

<h:inputText disabled="#{bean.disabled}" required="#{not bean.disabled}" />

However, for those of us with large, existing applications that depend on the 
old behaviour, this would need to be changed in a LOT of places. IMHO, the old 
behaviour was rather intuitive. However, after reading this thread I think that 
perhaps the original way this was implemented was perhaps oversimplified. 
Validation should be skipped when the component is disabled or read-only, but 
not *whenever* the value is null. Is there a way we can keep the patch to fix 
the security hole, but yet restore the old behaviour specifically for disabled 
and read-only use cases?

Jeff Bischoff

> Validation doesn't run for required fields if submitted value is null
> ---------------------------------------------------------------------
>
>                 Key: MYFACES-1467
>                 URL: https://issues.apache.org/jira/browse/MYFACES-1467
>             Project: MyFaces Core
>          Issue Type: Bug
>          Components: General
>    Affects Versions: 1.1.5-SNAPSHOT, 1.2.0-SNAPSHOT
>            Reporter: David Chandler
>         Assigned To: Matthias Weßendorf
>             Fix For: 1.1.5-SNAPSHOT
>
>         Attachments: patch.txt
>
>
> A component with a required value will not fail validation as expected if the 
> submitted value is null. This issue is not seen normally because browsers 
> send the value for an empty text field as an empty string. That is, the POST 
> data for an empty field1 will contain the field name but no value, like 
> field1=&field2=something. However, if you use a man-in-the-middle proxy such 
> as Paros to remove "fieldname=" from the POST data, the submitted value will 
> be null. UIInput.validate() skips validation for null submitted values, but 
> since requiredness is also part of validation, the requiredness check gets 
> skipped, too.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
https://issues.apache.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
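
The three behaviours discussed in this thread, side by side, as an added example that is not MyFaces code and not the attached patch.txt: a simplified model of the required check only. The class, record and method names are hypothetical, and a Java 16+ compiler is assumed for the record syntax.

```java
public class RequiredCheckModel {
    // Simplified stand-in for a JSF input component (hypothetical, not UIInput).
    // disabled/readOnly represent server-side component state, never request data.
    record Field(String name, boolean required, boolean disabled, boolean readOnly) {}

    // Behaviour reported in the issue: a null submitted value (parameter
    // absent from the POST data) skips validation, including the required check.
    static boolean oldValidate(Field f, String submitted) {
        if (submitted == null) {
            return true; // required check never runs
        }
        return !(f.required() && submitted.isEmpty());
    }

    // Strict behaviour: an absent parameter is treated like an empty one, so a
    // required field fails. Disabled fields with required="true" now fail too,
    // which is the breakage described in the comment.
    static boolean strictValidate(Field f, String submitted) {
        boolean empty = submitted == null || submitted.isEmpty();
        return !(f.required() && empty);
    }

    // Behaviour asked for in the comment: skip validation only when the
    // component itself is disabled or read-only, not whenever the value is null.
    static boolean proposedValidate(Field f, String submitted) {
        if (f.disabled() || f.readOnly()) {
            return true;
        }
        return strictValidate(f, submitted);
    }

    public static void main(String[] args) {
        Field[] fields = {
            new Field("field1", true, false, false), // enabled, required
            new Field("field1", true, true, false)   // disabled, required
        };
        // Constructed sample inputs: null models "field1=" removed from the POST data.
        String[] submitted = { null, "", "something" };
        for (Field f : fields) {
            for (String s : submitted) {
                System.out.printf("disabled=%-5b submitted=%-11s old=%-5b strict=%-5b proposed=%b%n",
                        f.disabled(), s == null ? "null" : "\"" + s + "\"",
                        oldValidate(f, s), strictValidate(f, s), proposedValidate(f, s));
            }
        }
    }
}
```

The row to look at is the enabled, required field with a null submitted value: only the old behaviour accepts it, while the disabled field passes under both the old and the proposed behaviour.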

