Hi,

These days I keep thinking about the security of t:formdata. Just now I ran a test to hack the t:formdata and found that it can cause some serious damage.
1. First I changed the source code of the Form component, stored a component action in Form, and built my own tapestry-core.jar.

    static final ComponentAction<Form> TEST_ACTION = new ComponentAction<Form>()
    {
        private static final long serialVersionUID = 0L;

        public void execute(Form component)
        {
            // Marker output so that execution shows up in the server log
            for (int i = 0; i < 1000; i++)
            {
                System.out.println("-----run " + i);
            }
        }

        @Override
        public String toString()
        {
            return "TEST_ACTION";
        }
    };

2. Jetty:run the application with my own jar and access one page (/login) that contains a form, then get the t:formdata from the HTML source code.

3. Revert to the official jar, and create a new AbstractIntegrationTestSuite test case:

    open("login");
    type("t:formdata", <the form data copied from step 2>);
    clickAndWait(submit);

Test result: I can see "-----run 0" to "-----run 1000" logged.

So in my understanding, doesn't it mean that a website based on tapestry5 is not very secure and can be attacked by any experienced t5 programmer?

Thanks,
DH
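
Added example, not part of the original post and not Tapestry's own code: one way a server can refuse a pasted-in t:formdata value is to attach a keyed MAC when the form is rendered and check it before any deserialization happens. The class name SignedFormData, the "mac:payload" field layout and the demo key are assumptions made for illustration.

```java
import javax.crypto.Mac;
import javax.crypto.spec.SecretKeySpec;
import java.io.*;
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.MessageDigest;
import java.util.*;

// Hypothetical helper: signs the serialized form state and verifies it on submit.
public class SignedFormData {
    private static final String ALG = "HmacSHA256";
    private final SecretKeySpec key;

    public SignedFormData(byte[] secret) { key = new SecretKeySpec(secret, ALG); }

    private byte[] mac(byte[] data) throws GeneralSecurityException {
        Mac m = Mac.getInstance(ALG);
        m.init(key);
        return m.doFinal(data);
    }

    private static String b64(byte[] b) { return Base64.getEncoder().encodeToString(b); }

    // Render side: serialize the actions, emit "<base64 MAC>:<base64 payload>".
    public String encode(Serializable actions) throws IOException, GeneralSecurityException {
        ByteArrayOutputStream bos = new ByteArrayOutputStream();
        try (ObjectOutputStream oos = new ObjectOutputStream(bos)) { oos.writeObject(actions); }
        byte[] payload = bos.toByteArray();
        return b64(mac(payload)) + ":" + b64(payload);
    }

    // Submit side: the MAC is checked in constant time BEFORE an ObjectInputStream exists,
    // so bytes that this server did not produce are never deserialized or executed.
    public Object decode(String field) throws IOException, GeneralSecurityException, ClassNotFoundException {
        int sep = field.indexOf(':');
        if (sep < 0) throw new SecurityException("t:formdata carries no MAC");
        byte[] sent = Base64.getDecoder().decode(field.substring(0, sep));
        byte[] payload = Base64.getDecoder().decode(field.substring(sep + 1));
        if (!MessageDigest.isEqual(mac(payload), sent)) throw new SecurityException("t:formdata MAC mismatch");
        try (ObjectInputStream in = new ObjectInputStream(new ByteArrayInputStream(payload))) {
            return in.readObject();
        }
    }

    public static void main(String[] args) throws Exception {
        SignedFormData f = new SignedFormData("constructed-demo-key".getBytes(StandardCharsets.UTF_8));
        ArrayList<String> actions = new ArrayList<>(Arrays.asList("action-1", "action-2")); // constructed sample state
        String field = f.encode(actions);
        System.out.println("genuine -> " + f.decode(field));
        // Constructed stand-in for a payload that was built outside this server.
        String pasted = field.substring(0, field.indexOf(':') + 1) + b64("built elsewhere".getBytes(StandardCharsets.UTF_8));
        try { f.decode(pasted); } catch (SecurityException e) { System.out.println("pasted  -> rejected: " + e.getMessage()); }
    }
}
```

The key has to stay on the server and be shared by every node that renders or processes the form; a value signed under a different key fails the same check.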