In my project, I do duplicate validation at the presentation layer as well as the persistence layer with the hope to increase security. So my question is: can standard JSF validation prevent code injections.
<h:inputText id="name" value="#{bean.customer.name}" required="true" requiredMessage="Validation Error: Value is required." title="Name" >
<f:validateLength maximum="40"/>
</h:inputText>
Here I validate if the field is empty, and validate field length. I know validate field length will make it harder to do code injection, but sometimes you need a long field length, such as textArea
. And if this is vulnerable, how will I fix it? Thank you so much in advance.
JSF by default already prevents XSS attacks by escaping user-controlled input in UIInput
and UIOutput
components. This is controllable in h:outputText
by setting escape="false"
attribute. You don't need to worry about this.
Prevention against SQL injection attacks, on the other hand, is not the responsibility of JSF. You need to handle this in the persistence layer. For example JPA and/or Hibernate, when well used (i.e. do not concatenate user-controlled input in SQL/named query strings), also by default already prevents it. In plain vanilla JDBC, you need to ensure that you're using PreparedStatement
instead of Statement
to include user-controlled input in a SQL string. When well used, you also don't need to worry about this in JSF side.
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With