[ http://www.stripesframework.org/jira/browse/STS-729?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel ]
Ben Gunter closed STS-729.
--------------------------
> automate strict binding (what you see is what you can set)
> ----------------------------------------------------------
>
> Key: STS-729
> URL: http://www.stripesframework.org/jira/browse/STS-729
> Project: Stripes
> Issue Type: New Feature
> Components: Tag Library
> Reporter: budi
>
> first of all, I love stripes framework, and enjoy your stripes book very much
> ...
> just want to request a new feature
> to prevent someone from injecting values, instead of annotating the
> properties (on action bean), why not do it this way:
> stripes html tags store verification information (probably in session) what
> values are being displayed on the page, and the stripes binding & validation
> interceptor uses the information to verify if the parameters submitted are
> what's being displayed (not injected values)
> for example:
> a page allows the user to set the first & last name
> when the stripes tag generates the form input (for first & last name), it
> will also store (probably in session) that first & last name are displayed on
> the page, therefore changeable
> the user can set first & last name, but not middle initial
> the html will look like this
> <form action=...>
> <input type=hidden name=bindingToken value=2308ugsa>
> <input name=firstName>
> <input name=lastName>
> </form>
> in http session, the stripes tags create a collection of values that's being
> displayed on the html (firstName, lastName) with key '2308ugsa'
> session.setAttribute("2308ugsa", {"firstName", "lastName"});
> the binding & validation interceptor will use the bindingToken value to
> validate the parameters submitted by the user
> let me know what you think!
> thanks for creating stripes framework
--
This message is automatically generated by JIRA.
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
_______________________________________________
Stripes-development mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/stripes-development
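
The mechanism proposed in the quoted issue, as an added sketch that is not part of the original message or of Stripes itself: the tag side records which field names a form rendered under a random token, and the binding side rejects any submitted parameter outside that set. The plain Map standing in for the HTTP session, the class and method names, and the single-use token are assumptions of this sketch.

```java
import java.security.SecureRandom;
import java.util.*;

public class BindingTokenDemo {
    // Assumption: stands in for one user's HttpSession attributes.
    static final Map<String, Set<String>> session = new HashMap<>();
    static final SecureRandom RNG = new SecureRandom();

    // Tag side (hypothetical): called while the form is rendered.
    // Stores the displayed field names server-side and returns the token
    // that goes into the hidden "bindingToken" input.
    static String renderForm(String... fieldNames) {
        byte[] raw = new byte[16];
        RNG.nextBytes(raw); // unguessable, unlike a short fixed key
        String token = Base64.getUrlEncoder().withoutPadding().encodeToString(raw);
        session.put(token, Set.of(fieldNames));
        return token;
    }

    // Binding side (hypothetical): returns the parameters that may be bound,
    // or throws if the token is unknown or a parameter was never rendered.
    static Map<String, String> bindable(Map<String, String> params) {
        String token = params.get("bindingToken");
        // remove(): single use, a choice made in this sketch to bound session growth
        Set<String> allowed = (token == null) ? null : session.remove(token);
        if (allowed == null) throw new SecurityException("missing or unknown bindingToken");
        Map<String, String> out = new LinkedHashMap<>();
        for (var e : params.entrySet()) {
            if (e.getKey().equals("bindingToken")) continue;
            if (!allowed.contains(e.getKey()))
                throw new SecurityException("parameter not rendered on form: " + e.getKey());
            out.put(e.getKey(), e.getValue());
        }
        return out;
    }

    public static void main(String[] args) {
        // Constructed sample requests, not taken from the issue.
        String t1 = renderForm("firstName", "lastName");
        System.out.println("accepted: " + bindable(Map.of(
                "bindingToken", t1, "firstName", "Ann", "lastName", "Lee")));
        String t2 = renderForm("firstName", "lastName");
        try {
            bindable(Map.of("bindingToken", t2, "firstName", "Ann", "middleInitial", "X"));
        } catch (SecurityException ex) {
            System.out.println("rejected: " + ex.getMessage());
        }
    }
}
```

Because the allowed-field set lives only on the server, a client that edits the hidden input can at most present a token it does not hold, which fails the lookup.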