[ 
https://issues.apache.org/jira/browse/SLING-2803?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=13618706#comment-13618706
 ] 

Alexander Klimetschek edited comment on SLING-2803 at 4/1/13 9:03 AM:
----------------------------------------------------------------------

@Radu: You can't put them into the request parameters - that way an attacker 
could modify them. That's why I mentioned request attributes above - to pass 
them from some custom servlet (that handles the form / reads the validation 
configuration from whatever the application has) to the sling post servlet, to 
which it includes/forwards via the request dispatcher.

@Eric: I don't rule out that certain cases might require a preprocessor, i.e. 
need to work based on the input vectors such as request parameters before they 
are applied. I just like the simplicity of validation running purely on the 
resource / JCR API, on a transient un-saved session. Validation would work in 
terms of the content structure or data model, not in terms of request 
attributes. This way the reuse is much larger, you could use the same 
validation for different servlets (with different request parameter options) or 
other application parts modifying the JCR. So I'd say let's try this for now 
and see how far you get with it.
                
      was (Author: alexander.klimetschek):
    @Radu: You can't put them into the request parameters - that way an 
attacker could modify them. That's why I mentioned request attributes above - 
to pass them from some custom servlet (that handles the form / reads the 
validation configuration from whatever the application has) to the sling post 
servlet, to which it includes/forwards via the request dispatcher.

@Eric: I don't rule out that certain cases might require a preprocessor, i.e. 
need to work based on the input vectors such as request processors before they 
are applied. I just like the simplicity of validation running purely on the 
resource / JCR API, on a transient un-saved session. Validation would work in 
terms of the content structure or data model, not in terms of request 
attributes. This way the reuse is much larger, you could use the same 
validation for different servlets (with different request parameter options) or 
other application parts modifying the JCR. So I'd say let's try this for now 
and see how far you get with it.
                  
> Create a Validation module capable of validating POST requests or Resources
> ---------------------------------------------------------------------------
>
>                 Key: SLING-2803
>                 URL: https://issues.apache.org/jira/browse/SLING-2803
>             Project: Sling
>          Issue Type: New Feature
>            Reporter: Radu Cotescu
>
> Several Sling users have asked in the past [1] about a Validation mechanism 
> in Sling that's able to validate data coming from the user. However, such a 
> module is still missing.
> This issue is meant to track the work progress on such a module.
> Ideally the module should be able to validate both request parameters and 
> Resources, by obtaining their properties via a ValueMap and provide feedback 
> in case of a validation error.
> [1] - http://sling.markmail.org/search/?q=validation

--
This message is automatically generated by JIRA.
If you think it was sent incorrectly, please contact your JIRA administrators
For more information on JIRA, see: http://www.atlassian.com/software/jira
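
The hand-off described in the comment above, as an added example that is not part of the original message or of Sling's own code: a front servlet chooses the validation rules server-side, passes them as a request attribute, and forwards to the servlet that performs the write. The class name, attribute name and both paths are hypothetical; only the standard `javax.servlet` API is used.

```java
import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

// Hypothetical front servlet: it owns the form, picks the validation rules
// from application configuration, and forwards the POST for processing.
public class ValidatedFormServlet extends HttpServlet {

    // Hypothetical attribute name; no Sling module defines it.
    static final String VALIDATION_MODEL_ATTR = "example.validation.model";

    @Override
    protected void doPost(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Request attributes exist only inside the servlet container. Nothing
        // in the HTTP request (query string, body, headers) can populate them,
        // so the client cannot choose or weaken the rules applied to its input.
        // The path below is a constructed sample value.
        req.setAttribute(VALIDATION_MODEL_ATTR, "/apps/example/validation/comment");

        // The forward target is fixed server-side (constructed sample path).
        // The original form parameters travel with the forwarded request, so
        // the receiving servlet still sees the submitted data.
        req.getRequestDispatcher("/content/example/comments").forward(req, resp);
    }

    // What the receiving side has to do: read the attribute and nothing else.
    // Falling back to req.getParameter(...) when the attribute is missing
    // would reintroduce the problem, because parameters are client-controlled.
    static String validationModel(HttpServletRequest req) {
        Object model = req.getAttribute(VALIDATION_MODEL_ATTR);
        return (model instanceof String) ? (String) model : null;
    }
}
```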
