Re: what is the worse thing that could happen - escape=false

2006-02-27 Thread Craig McClanahan
On 2/26/06, Dave <[EMAIL PROTECTED]> wrote: allows users to input a description including any HTML tags, then display back to client using escape="false". Users can type in JavaScript and anything else. What is the security hole? client side or server side? Can users break in server side

RE: what is the worse thing that could happen - escape=false

2006-02-26 Thread Jesse Alexander \(KBSA 21\)
That kind of security is a wasp's nest... JavaScript is not the only possible fountain of problems... SQL code injection is another one... My take is that JSF's validation might be already too far within the application's scope to deal with such attack opportunities. I would prefer to have