sampert

Reputation: 51

JSF f:event safe to pass parameters?

I'm new to JSF, so my knowledge of some tags is not so good. I'd like to know how safe it is to pass a parameter in this case:

<f:event listener="#{backBean.myMethod(**param**)}" type="preRenderView"/> 

Because, as I'm going to pass this "param", the users can't access this information (changing this value means a security flaw, and this cannot happen). So I'm asking this to know whether, using this event, it is possible to break this code (passing another param)?

Thanks!

Upvotes: 2

Views: 1715

Answers (1)

BalusC

Reputation: 1109625

If the param value cannot be controlled by the end user, then you're safe. Simple as that. Anything which you directly or indirectly (through JSF or from the DB!) extract from the HttpServletRequest falls under full control of the end user.

So if you for example hardcode it,

<f:event listener="#{backBean.myMethod('foo')}" type="preRenderView"/> 

then you're safe.

But if you pass a user-controlled request parameter,

<f:event listener="#{backBean.myMethod(param.foo)}" type="preRenderView"/> 

then you're only safe if you validate its value on the server side.

Upvotes: 5
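
The server-side validation the answer refers to, as an added example that is not part of the original answer: the listener target treats `param.foo` as untrusted, checks its format, then authorizes it against state the server holds. It is plain Java so it runs without a JSF container; the assumption that `foo` is a numeric record id, the `ALLOWED` map and the `sessionUser` field are all hypothetical.

```java
import java.util.Map;
import java.util.Set;
import java.util.regex.Pattern;

public class BackBean {
    // Constructed sample data: record ids each authenticated user may view.
    // In a real application this comes from the database, not from the request.
    private static final Map<String, Set<Long>> ALLOWED = Map.of(
            "alice", Set.of(10L, 11L),
            "bob", Set.of(20L));

    // Allow-list format check: 1 to 9 digits, nothing else.
    private static final Pattern ID = Pattern.compile("[0-9]{1,9}");

    // Identity comes from the authenticated session, never from a request parameter.
    private final String sessionUser;

    public BackBean(String sessionUser) {
        this.sessionUser = sessionUser;
    }

    // Target of listener="#{backBean.myMethod(param.foo)}"; foo is user-controlled.
    public long myMethod(String foo) {
        if (foo == null || !ID.matcher(foo).matches()) {
            throw new IllegalArgumentException("foo must be a numeric id");
        }
        long id = Long.parseLong(foo);
        // A well-formed value is still untrusted: check it against server-side state.
        if (!ALLOWED.getOrDefault(sessionUser, Set.of()).contains(id)) {
            throw new SecurityException("user may not access record " + id);
        }
        return id; // only now is it safe to load the record
    }

    public static void main(String[] args) {
        BackBean bean = new BackBean("alice");
        // Constructed inputs: own record, another user's record, malformed, missing.
        for (String foo : new String[] {"10", "20", "10abc", null}) {
            try {
                System.out.println(foo + " -> accepted " + bean.myMethod(foo));
            } catch (RuntimeException e) {
                System.out.println(foo + " -> rejected: " + e.getMessage());
            }
        }
    }
}
```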
