automate strict binding (what you see is what you can set)
----------------------------------------------------------

                 Key: STS-729
                 URL: http://www.stripesframework.org/jira/browse/STS-729
             Project: Stripes
          Issue Type: New Feature
          Components: Tag Library
            Reporter: budi


first of all, I love stripes framework, and enjoy your stripes book very much 
...

just want to request a new feature


to prevent someone from injecting values, instead of annotating the 
properties (on action bean), why not do it this way:
stripes html tags store verification information (probably in session) about 
what values are being displayed on the page, and the stripes binding & 
validation interceptor uses the information to verify if the parameters 
submitted are what's being displayed (not injected values)


for example:
a page allows the user to set the first & last name
when the stripes tag generates the form input (for first & last name), it will 
also store (probably in session) that first & last name are displayed on the 
page, therefore changeable
the user can set first & last name, but not middle initial

the html will look like this
<form action=...>
<input type=hidden name=bindingToken value=2308ugsa>
<input name=firstName>
<input name=lastName>
</form>

in http session, the stripes tags create a collection of values that are being 
displayed on the html (firstName, lastName) with key '2308ugsa'
session.setAttribute("2308ugsa", new String[] {"firstName", "lastName"});

the binding & validation interceptor will use the bindingToken value to 
validate the parameters submitted by the user


let me know what you think!

thanks for creating stripes framework

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: 
http://www.stripesframework.org/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira

        

_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
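
The check proposed in this issue, as an added example (not Stripes code and not written by the reporter): a plain Map stands in for the HTTP session, and the class name, method names and the `stripes.binding.` key prefix are assumptions made for illustration. The prefix keeps a submitted token from addressing unrelated session attributes.

```java
import java.security.SecureRandom;
import java.util.*;

public class BindingTokenDemo {
    static final String TOKEN_PARAM = "bindingToken";     // hidden field name used in the issue
    static final String KEY_PREFIX = "stripes.binding.";  // assumed namespace for session keys
    private static final SecureRandom RNG = new SecureRandom();

    // Tag-library side: remember which input names were rendered, keyed by a fresh random token.
    static String register(Map<String, Object> session, Collection<String> renderedFields) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(KEY_PREFIX + token, Collections.unmodifiableSet(new HashSet<>(renderedFields)));
        return token;
    }

    // Interceptor side: return the submitted parameter names that must not be bound.
    // A missing or unknown token means no allowlist exists, so every parameter is refused.
    static Set<String> refused(Map<String, Object> session, Map<String, String[]> params) {
        String[] tok = params.get(TOKEN_PARAM);
        Object stored = (tok == null || tok.length != 1) ? null : session.get(KEY_PREFIX + tok[0]);
        Set<?> allowed = (stored instanceof Set) ? (Set<?>) stored : Collections.emptySet();
        Set<String> out = new TreeSet<>();
        for (String name : params.keySet()) {
            if (!name.equals(TOKEN_PARAM) && !allowed.contains(name)) out.add(name);
        }
        return out;
    }

    public static void main(String[] args) {
        Map<String, Object> session = new HashMap<>(); // stand-in for HttpSession attributes
        String token = register(session, Arrays.asList("firstName", "lastName"));

        // Constructed request: the two rendered fields plus an injected middleInitial.
        Map<String, String[]> request = new HashMap<>();
        request.put(TOKEN_PARAM, new String[] {token});
        request.put("firstName", new String[] {"Ada"});
        request.put("lastName", new String[] {"Lovelace"});
        request.put("middleInitial", new String[] {"X"});
        System.out.println("refused with token: " + refused(session, request));

        request.remove(TOKEN_PARAM); // same request with the hidden field stripped
        System.out.println("refused without token: " + refused(session, request));
    }
}
```

The allowlist stays server-side, so editing the hidden field can only select another stored set or none at all; it cannot add a field name to the set.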