[EMAIL PROTECTED] wrote:

Hi!

While testing our JSF frontends we found out that the server-side validation of the JSF components does not work correctly in some cases.

I appended an example form which we tested and where we found this bug.

At first we changed the HTTP request and set the value of all fields to "". All server-side validators worked correctly and threw a required error.

After this we began to remove the whole fields from the HTTP POST. When removing the first fields, a null pointer exception was thrown – a reasonable behaviour.

When we removed the inputText id="contentInput" (see attachment) and left the other fields in a correct state, no null pointer exception and no validator exception was thrown. The workflow continued and finally an empty string from the contentInput was written to our database.

I think this is a security problem because our developers trust in the server-side validation of the input fields – and an input field with the required="true" attribute mustn't be empty.

On other forms the behaviour changed and the problems appeared at other points (for example a modified datePicker value caused a number format exception instead of an invalid value validator exception).

If you need further assistance to reproduce this bug, feel free to contact me. This bug is currently interrupting our production, so I will definitely assist you in finding the bug wherever possible.

Does this happen if you use an h:inputText rather than a tr:inputText?
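Added example, not part of the original thread and not code from either poster or the project: a guard an action method or service layer could call before writing to the database, so that a field removed from the POST is rejected even when the component-level required check does not fire. The class and method names, the second field `titleInput`, and the use of the bare id `contentInput` as the request parameter name are assumptions; real JSF client IDs are usually prefixed with the form id.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Map;

public class RequiredParamGuard {

    /** Raised when a required field is absent from, or blank in, the submitted request. */
    static class MissingFieldException extends RuntimeException {
        MissingFieldException(String message) { super(message); }
    }

    /**
     * Checks the raw request parameter map (the shape returned by
     * ServletRequest.getParameterMap()) and treats "parameter removed"
     * the same as "parameter empty": both are rejected.
     */
    static void requirePresent(Map<String, String[]> params, String... required) {
        List<String> problems = new ArrayList<>();
        for (String name : required) {
            String[] values = params.get(name);
            if (values == null || values.length == 0) {
                problems.add(name + " (absent from request)");
            } else if (values[0] == null || values[0].trim().isEmpty()) {
                problems.add(name + " (empty)");
            }
        }
        if (!problems.isEmpty()) {
            throw new MissingFieldException("Required fields rejected: " + problems);
        }
    }

    public static void main(String[] args) {
        // Constructed sample requests mirroring the three cases in the report.
        Map<String, String[]> valid = Map.of(
                "titleInput", new String[] {"Hello"}, "contentInput", new String[] {"Body text"});
        Map<String, String[]> emptyValue = Map.of(
                "titleInput", new String[] {"Hello"}, "contentInput", new String[] {""});
        Map<String, String[]> fieldRemoved = Map.of(
                "titleInput", new String[] {"Hello"}); // contentInput stripped from the POST

        for (Map<String, String[]> request : List.of(valid, emptyValue, fieldRemoved)) {
            try {
                requirePresent(request, "titleInput", "contentInput");
                System.out.println("accepted: " + request.keySet());
            } catch (MissingFieldException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```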
