On 4/11/2010 09:45, Moritz Kammerer wrote:
> Hi Bob,
>
> returning always false when bypass_validation is active? That would fix
> the security problem, but it's a little bit strange.
>
> I think a better approach is to disable the bypass_validation mechanism
> by default, and only enable it on demand. There must be a way to run the
> validators nonetheless.

We can add a property Form#setBypassValidationAllowed(), which if enabled will render the HiddenField and allow the validation to be bypassed. Since dynamic forms is a bit of an edge case it is probably worth disabling this feature by default.

Once this feature is enabled though, an attacker could toggle the HiddenField, so as a safety measure, Form#isValid could still return false if bypass is true.

> Here's the JIRA ticket: https://issues.apache.org/jira/browse/CLK-726

Thanks for that. I'll chew on this over the weekend as well.

Kind regards

Bob
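
A minimal model of the behaviour proposed in the message above, added here as an illustration; it is not Apache Click code and not from either poster. The `Form` class, its `quantity` validator and the request maps are hypothetical; only the names `setBypassValidationAllowed`, `isValid` and `bypass_validation` come from the thread.

```java
import java.util.Map;

public class BypassValidationSketch {
    // Parameter name taken from the thread; everything else is hypothetical.
    static final String BYPASS_PARAM = "bypass_validation";

    static class Form {
        private boolean bypassAllowed = false;   // proposal: disabled by default
        private boolean bypassRequested = false;
        private boolean fieldsValid = false;

        void setBypassValidationAllowed(boolean allowed) { bypassAllowed = allowed; }

        void onProcess(Map<String, String> params) {
            // The flag arrives from the client, so it is honoured only after opt-in.
            bypassRequested = bypassAllowed && "true".equals(params.get(BYPASS_PARAM));
            // Validators are skipped only for an honoured bypass.
            fieldsValid = !bypassRequested && validQuantity(params.get("quantity"));
        }

        // Safety measure: a bypassed submission is never reported as valid.
        boolean isValid() { return !bypassRequested && fieldsValid; }

        private static boolean validQuantity(String raw) {
            try {
                int q = Integer.parseInt(raw);
                return q >= 1 && q <= 10;
            } catch (NumberFormatException e) {
                return false;
            }
        }
    }

    static boolean submit(boolean allowBypass, Map<String, String> params) {
        Form form = new Form();
        form.setBypassValidationAllowed(allowBypass);
        form.onProcess(params);
        return form.isValid();
    }

    public static void main(String[] args) {
        // Constructed requests: an out-of-range value with the hidden field toggled.
        Map<String, String> forged = Map.of("quantity", "9999", BYPASS_PARAM, "true");
        Map<String, String> honest = Map.of("quantity", "3");
        System.out.println("default form, forged flag:  " + submit(false, forged));
        System.out.println("bypass enabled, forged flag: " + submit(true, forged));
        System.out.println("default form, honest input:  " + submit(false, honest));
    }
}
```

In this model a listener that saves data only when `isValid()` returns true never acts on a bypassed submission, whether or not the page opted in to the bypass.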
