From jira-events at lists.jboss.org Wed Oct 22 09:56:24 2008
From: Gerrit Brehmer (JIRA)
To: richfaces-issues at lists.jboss.org
Subject: [richfaces-issues] [JBoss JIRA] Created: (RF-4712) hidden field javax.faces.ViewState is not sanitized
Date: Wed, 22 Oct 2008 09:56:23 -0400

hidden field javax.faces.ViewState is not sanitized
---------------------------------------------------

                 Key: RF-4712
                 URL: https://jira.jboss.org/jira/browse/RF-4712
             Project: RichFaces
          Issue Type: Bug
    Affects Versions: 3.1.2
         Environment: jsf-ri 1.2_06-b02-FCS, facelets 1.1.13, RichFaces 3.1.2SP1, WindowsXP(x86_64)
            Reporter: Gerrit Brehmer
            Assignee: Viktor Volkov
             Fix For: 3.2.0


Here is the sample facelets page in my application that produces the symptom.

The first time rendered output like following,

world

When the javax.faces.ViewState hidden param injection made a Post Request like below

AJAXREQUEST=_viewRoot&j_id2=j_id2&j_id2%3Aj_id4=hello&javax.faces.ViewState=_id2"&j_id2%3Aj_id5=j_id2%3Aj_id5&

rendered response is

world" />

I'm not sure it's jsf-ri issue or richfaces, but if javax.faces.STATE_SAVING_METHOD set to client, I couldn't reproduce the same issue.
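
Added example, not part of the original message and not code from RichFaces or the JSF RI: the hidden field written with the submitted value as-is, next to the same field with the value attribute-encoded, so the double quote in the reported request cannot close the value attribute. The class and method names and the exact markup of the hidden field are assumptions.

```java
public class ViewStateFieldExample {
    // Assumed shape of the hidden field; the report does not show the exact markup.
    static final String PREFIX = "<input type=\"hidden\" name=\"javax.faces.ViewState\" value=\"";
    static final String SUFFIX = "\" />";

    // Escape characters that are significant inside a double-quoted HTML attribute.
    static String escapeAttr(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    // Behaviour the report describes: the submitted value is echoed as-is.
    static String renderUnescaped(String viewState) { return PREFIX + viewState + SUFFIX; }

    // Hardened form: the value is attribute-encoded before it is written.
    static String renderEscaped(String viewState) { return PREFIX + escapeAttr(viewState) + SUFFIX; }

    // The field is intact when the only double quotes are the template's own six.
    static boolean attributeIntact(String html) {
        return html.chars().filter(ch -> ch == '"').count() == 6;
    }

    public static void main(String[] args) {
        // "_id2\"" is the value in the report's request; the other two are constructed.
        String[] samples = { "_id2", "_id2\"", "_id2\" & <constructed>" };
        for (String s : samples) {
            String raw = renderUnescaped(s), safe = renderEscaped(s);
            System.out.println("submitted: " + s);
            System.out.println("  as-is  : " + raw + "  intact=" + attributeIntact(raw));
            System.out.println("  encoded: " + safe + "  intact=" + attributeIntact(safe));
            if (!attributeIntact(safe)) throw new AssertionError("escaping failed for " + s);
        }
    }
}
```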