Can JSF standard validation prevent code injection?

Thang Pham · Aug 25, 2010 · Viewed 9.1k times

In my project, I do duplicate validation at the presentation layer as well as the persistence layer in the hope of increasing security. So my question is: can standard JSF validation prevent code injections?

<h:inputText id="name" value="#{bean.customer.name}" required="true" requiredMessage="Validation Error: Value is required." title="Name" >
      <f:validateLength maximum="40"/>
</h:inputText>

Here I validate whether the field is empty, and validate the field length. I know validating field length will make it harder to do code injection, but sometimes you need a long field length, such as a textArea. And if this is vulnerable, how will I fix it? Thank you so much in advance.

Answer

BalusC · Aug 25, 2010

JSF by default already prevents XSS attacks by escaping user-controlled input in UIInput and UIOutput components. This is controllable in h:outputText by setting the escape="false" attribute. You don't need to worry about this.

Prevention against SQL injection attacks, on the other hand, is not the responsibility of JSF. You need to handle this in the persistence layer. For example JPA and/or Hibernate, when well used (i.e. do not concatenate user-controlled input in SQL/named query strings), also by default already prevents it. In plain vanilla JDBC, you need to ensure that you're using PreparedStatement instead of Statement to include user-controlled input in a SQL string. When well used, you also don't need to worry about this in JSF side.
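The JDBC contrast BalusC describes, as an added example that is not from the question or the answer: a hypothetical CustomerDao with the concatenating Statement version next to the PreparedStatement version. The customer table and its name column are assumptions.

```java
import java.sql.Connection;
import java.sql.PreparedStatement;
import java.sql.ResultSet;
import java.sql.SQLException;
import java.sql.Statement;
import java.util.ArrayList;
import java.util.List;

// Hypothetical DAO: the same lookup written in the two JDBC styles the answer contrasts.
public class CustomerDao {

    private final Connection connection;

    public CustomerDao(Connection connection) {
        this.connection = connection;
    }

    // UNSAFE (the "do not do this" form): the user-controlled name becomes part of the
    // SQL text, so the database cannot tell data apart from query structure. Neither
    // f:validateLength nor JSF's output escaping changes anything about this query.
    public List<String> findByNameUnsafe(String name) throws SQLException {
        String sql = "SELECT name FROM customer WHERE name = '" + name + "'";
        try (Statement stmt = connection.createStatement();
             ResultSet rs = stmt.executeQuery(sql)) {
            return collect(rs);
        }
    }

    // SAFE: the SQL text is fixed and the value is bound as a parameter, so whatever
    // the user typed (quotes, comment markers, semicolons) is handled purely as data.
    public List<String> findByName(String name) throws SQLException {
        String sql = "SELECT name FROM customer WHERE name = ?";
        try (PreparedStatement stmt = connection.prepareStatement(sql)) {
            stmt.setString(1, name);
            try (ResultSet rs = stmt.executeQuery()) {
                return collect(rs);
            }
        }
    }

    // Reads the name column of every row into a list.
    private static List<String> collect(ResultSet rs) throws SQLException {
        List<String> names = new ArrayList<>();
        while (rs.next()) {
            names.add(rs.getString("name"));
        }
        return names;
    }
}
```

The same rule carries over to JPA and Hibernate: pass the value as a named or positional query parameter rather than building the JPQL/HQL string from it.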
