[ http://www.stripesframework.org/jira/browse/STS-729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Gunter resolved STS-729.
----------------------------
Resolution: Won't Fix
This is a reasonable suggestion, but it would interfere with certain fairly
common uses. For example, if you are editing a list of items and you
dynamically add inputs to the form using JavaScript to support adding a new
item, then those new inputs would not be allowed to bind on submit since they
were not rendered by the server. Stripes also supports plain HTML forms created
without the Stripes tag library, and this would break that support.
> automate strict binding (what you see is what you can set)
> ----------------------------------------------------------
>
> Key: STS-729
> URL: http://www.stripesframework.org/jira/browse/STS-729
> Project: Stripes
> Issue Type: New Feature
> Components: Tag Library
> Reporter: budi
>
> First of all, I love the Stripes framework, and enjoy your Stripes book very much
> ...
> I just want to request a new feature.
> To prevent someone from injecting values, instead of annotating the
> properties (on the action bean), why not do it this way:
> Stripes HTML tags store verification information (probably in the session) about what
> values are being displayed on the page, and the Stripes binding & validation
> interceptor uses the information to verify if the parameters submitted are
> what's being displayed (not injected values).
> For example:
> A page allows the user to set the first & last name.
> When the Stripes tag generates the form input (for first & last name), it
> will also store (probably in the session) that first & last name are displayed on
> the page, and therefore changeable.
> The user can set first & last name, but not middle initial.
> The HTML will look like this:
> <form action=...>
> <input type=hidden name=bindingToken value=2308ugsa>
> <input name=firstName>
> <input name=lastName>
> </form>
> In the HTTP session, the Stripes tags create a collection of the values being
> displayed in the HTML (firstName, lastName) with key '2308ugsa':
> session.setAttribute("2308ugsa", Arrays.asList("firstName", "lastName"));
> The binding & validation interceptor will use the bindingToken value to
> validate the parameters submitted by the user.
> Let me know what you think!
> Thanks for creating the Stripes framework.
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
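
The token scheme proposed in the issue, together with the two cases the resolution says it would break, as an added sketch in plain Java (not Stripes code and not part of the original message). The class and method names, the in-memory map standing in for the HTTP session, the randomly generated token, and the sample parameter names and values are assumptions made for illustration.

```java
import java.security.SecureRandom;
import java.util.*;

public class StrictBindingSketch {
    // Stand-in for the HTTP session: bindingToken -> field names rendered on the page.
    static final Map<String, Set<String>> session = new HashMap<>();
    static final SecureRandom rng = new SecureRandom();

    // Render time: record which inputs the form shows and return the hidden token value.
    static String registerForm(String... renderedFields) {
        byte[] raw = new byte[16];
        rng.nextBytes(raw);
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(token, new HashSet<>(Arrays.asList(renderedFields)));
        return token;
    }

    // Submit time: return the parameter names that would be refused binding.
    // A missing or unknown token refuses every parameter (the plain HTML form case).
    static Set<String> rejected(Map<String, String> params) {
        Set<String> names = new TreeSet<>(params.keySet());
        names.remove("bindingToken");
        Set<String> allowed = session.get(params.get("bindingToken"));
        if (allowed != null) names.removeAll(allowed);
        return names;
    }

    public static void main(String[] args) {
        String token = registerForm("firstName", "lastName");

        Map<String, String> honest = new HashMap<>();
        honest.put("bindingToken", token);
        honest.put("firstName", "Ada");            // constructed sample values
        honest.put("lastName", "Lovelace");
        System.out.println("honest submit rejects:   " + rejected(honest));

        Map<String, String> injected = new HashMap<>(honest);
        injected.put("middleInitial", "X");        // never rendered, so refused
        System.out.println("injected field rejects:  " + rejected(injected));

        Map<String, String> dynamic = new HashMap<>(honest);
        dynamic.put("items[2].name", "new row");   // input added client-side by JavaScript
        System.out.println("JS-added input rejects:  " + rejected(dynamic));

        Map<String, String> plain = new HashMap<>();
        plain.put("firstName", "Ada");             // hand-written form, no token
        System.out.println("plain HTML form rejects: " + rejected(plain));
    }
}
```

The last two cases are legitimate submissions that the allow-list cannot tell apart from injected parameters, because the server never rendered those inputs.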