使用 includeViewParams 进行 JSF2 重定向允许用户输入解析为文本字段的 EL 表达式
我有一个定义视图参数的 JSF2 XHTML 页面,这允许拥有可添加书签的 URL。 XHTML 页面包含参数:
<f:metadata>
<f:viewParam name="searchName" value="#{nbsearchpage.searchName}" />
<!-- More view parameters omitted here for brevity -->
<f:event listener="#{nbsearchpage.searchPreRender}" type="javax.faces.event.PreRenderViewEvent" />
</f:metadata>
在同一页面上,我有一个文本字段和一个按钮,允许用户更改 searchName:
<h:form id="some-id">
<h:inputText value="#{nbsearchpage.searchName}" />
<h:commandButton value="search" action="#{nbsearchpage.search}" />
</h:form>
最后, nbsearchpage bean 中的操作方法 search() 返回到同一页面,但包括参数:
?faces-redirect=true&includeViewParams=true
为用户提供一个漂亮的 URL。当用户在搜索字段中输入“IBM”时,URL 会重定向到
?searchName=IBM
它,效果非常好。但现在用户可以在 searchName 文本字段中输入 EL 表达式,并计算 EL 表达式。例如,当用户在文本字段中输入“#{2+2}”时,URL 会被重定向到
?searchName=4
,这是我认为我们不应该做的事情,出于安全原因允许用户输入 EL 表达式。我正在使用 Glassfish 3.1.1。
有什么想法可以防止这种自动 EL 解析吗?我认为 JSF2 中的视图参数概念和重定向存在根本缺陷?我遇到了同样的问题,视图作用域无法在重定向中生存,为此我必须创建一个自己的作用域。 (我本来可以使用闪光瞄准镜)。
I have a JSF2 XHTML page that defines view parameters, this allows one to have bookmarkable URLs. The XHTML page includes the parameters:
<f:metadata>
<f:viewParam name="searchName" value="#{nbsearchpage.searchName}" />
<!-- More view parameters omitted here for brevity -->
<f:event listener="#{nbsearchpage.searchPreRender}" type="javax.faces.event.PreRenderViewEvent" />
</f:metadata>
On the same page, I have a text field and a button that allows the user to change the searchName:
<h:form id="some-id">
<h:inputText value="#{nbsearchpage.searchName}" />
<h:commandButton value="search" action="#{nbsearchpage.search}" />
</h:form>
and finally, the action method search() in the nbsearchpage bean returns to the same page, but including the parameters:
?faces-redirect=true&includeViewParams=true
which provides the user with a nice URL. When the user enters "IBM" in the search field, the URL is redirected to
?searchName=IBM
It works perfectly good. But now the user can enter an EL expression in the searchName textfield, and the EL expression is evaluated. E.g. when the user enters "#{2+2}" in the textfield, the URL is redirected to
?searchName=4
and this is what I think we should not be doing, allowing the user to enter EL expression due to security reasons. I am using Glassfish 3.1.1.
Any ideas how to prevent this automatic EL resolving? I think there is a fundamental flaw with the view parameter concept in JSF2 and with redirecting? I had the same problem with the view scope that does not survive redirects, and for this I had to create an own scope. (I could have used the flash scope).
如果你对这篇内容有疑问,欢迎到本站社区发帖提问 参与讨论,获取更多帮助,或者扫码二维码加入 Web 技术交流群。
绑定邮箱获取回复消息
由于您还没有绑定你的真实邮箱,如果其他用户或者作者回复了您的评论,将不能在第一时间通知您!
发布评论
评论(2)
我可以在 Mojarra 2.1.4 上重现这一点。这绝对是不可取的。我已将其作为 问题 2247 报告给 Mojarra 人员(如果可以的话请投票)。顺便说一下,MyFaces 2.1.3 也暴露了同样的问题。
对于这个特定问题,我没有想到任何简单的解决方法,因为根本原因在于 JSF 实现特定的实用程序类。您可以轻松地在
/WEB-INF/classes中修改副本,但要独立于实现,您必须完全重新实现ViewHandlerImpl或ExternalContextImpl< /code> 并将其作为自定义的提供,但这需要大量工作。但是,由于您已经在使用
并在预渲染视图事件侦听器中执行操作方法。这也是在 JSF 中使用 GET 表单的更正确方法,因为
与具体问题无关:
生存重定向从来都不是视图的意图范围。只要您与同一视图交互(尤其是通过 Ajax 和有条件地重新渲染内容),视图范围就会一直存在。您基本上是在寻找对话范围。您可能已经查看了 CDI 的
@ConversationScoped或 MyFaces CODI。I can reproduce this on Mojarra 2.1.4. This is definitely undesireable. I have reported it to the Mojarra guys as issue 2247 (vote for it if you can). MyFaces 2.1.3 by the way also exposes the same problem.
No simple workaround for this particular issue comes to mind so far as the root cause is in an JSF implementation specific utility class. You could easily have a modified copy in your
/WEB-INF/classes, but to be implementation independent you'd have to completely reimplementViewHandlerImplor maybeExternalContextImpland supply it as a custom one, but that's a lot of work.However, as you're already using
<f:viewParam>, you can also just use<form>instead of<h:form>and<input type="submit">instead of<h:commandButton>:and do the action method in pre render view event listener instead. That's also a more proper way of using GET forms in JSF as
<h:form>is intended for POST only.Unrelated to the concrete problem:
Surviving redirects has never been the intent of the view scope. The view scope is intented to live as long as you're interacting with the same view (especially by Ajax and conditionally re-rendering of content). You're basically looking for the conversation scope instead. You'd have looked at CDI's
@ConversationScopedor MyFaces CODI.此问题已在 MyFaces Core 版本 2.0.11 的 MYFACES-3405 中得到解决, 2.1.5 和 JAVASERVERFACES-2247 适用于 Mojarra 版本 2.0.7、2.1.5、2.1.6。
只需使用更新版本即可。
This issue has been solved in MYFACES-3405 for MyFaces Core versions 2.0.11, 2.1.5 and in JAVASERVERFACES-2247 for Mojarra versions 2.0.7, 2.1.5, 2.1.6.
Just use an updated version.