Hidden Mines

Introduction

How often do you have validators on your hidden fields? I recently performed a security audit of an application that did not have validators associated with the hidden fields on the page. I suspect that the out of sight, out of mind mentality prevailed. Admittedly, I have often short-circuited some development and put hidden fields in a JSF page without a validator. My expectation is that the data in the field would be used to provide information that may be needed by the application. However, if these fields have setters... and the results are stored in a database... I think you get the picture.

Methodology

I decided to create a more complex than necessary example to show how to validate a <h:inputHidden /> field. In the example, you can enter names into an <h:inputText /> which will use JavaScript to update the hidden field. The validation will be activated on form submission. Additionally, a value change listener will update the planet name, and update the planet to the new planet. The validation will prevent putting in planets that don't exist in the enum for current Planets. You can confirm this by entering a bogus name, or poor Pluto that was kicked out of the planetary club.

Code

The code for this example was developed using NetBeans 8.0 IDE on GlassFish 4+ and Apache Tomcat 8+ using JSF 2.2 (Mojarra). The code for the project can be downloaded from Bitbucket.

Planets.java

PlanetValidator.java

IndexBean.java

index.xhtml
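The hidden-field validation described above, as an added example that is not the project's own PlanetValidator.java: a JSF 2.2 validator that rejects any submitted value outside an enum allow-list. The `Planet` enum, the `hiddenPlanetValidator` id and the `indexBean.planet` binding are assumptions made for illustration.

```java
// Added example, not the project's PlanetValidator.java. The Planet enum,
// validator id and bean binding below are assumptions for illustration.
import javax.faces.application.FacesMessage;
import javax.faces.component.UIComponent;
import javax.faces.context.FacesContext;
import javax.faces.validator.FacesValidator;
import javax.faces.validator.Validator;
import javax.faces.validator.ValidatorException;

@FacesValidator("hiddenPlanetValidator")
public class HiddenPlanetValidator implements Validator {

    // Assumed allow-list; the page's own enum is not shown.
    enum Planet { MERCURY, VENUS, EARTH, MARS, JUPITER, SATURN, URANUS, NEPTUNE }

    // Pure check, usable outside JSF: true only when the submitted text is the
    // name of an enum constant (case-insensitive, no trimming or other repair).
    static boolean isKnownPlanet(String submitted) {
        if (submitted == null) {
            return false;
        }
        for (Planet p : Planet.values()) {
            if (p.name().equalsIgnoreCase(submitted)) {
                return true;
            }
        }
        return false;
    }

    @Override
    public void validate(FacesContext context, UIComponent component, Object value)
            throws ValidatorException {
        // A hidden field is still client-controlled input: reject anything outside
        // the enum before the bean setter (and any database write) runs.
        if (!(value instanceof String) || !isKnownPlanet((String) value)) {
            // The message does not echo the submitted value back to the page.
            throw new ValidatorException(new FacesMessage(FacesMessage.SEVERITY_ERROR,
                    "Invalid planet", "The submitted planet is not in the allowed set."));
        }
    }
}
// Usage in a Facelets page (hypothetical bean and property names):
//   <h:inputHidden id="planet" value="#{indexBean.planet}" required="true">
//       <f:validator validatorId="hiddenPlanetValidator"/>
//   </h:inputHidden>
```

The `required="true"` attribute matters here: depending on the `javax.faces.VALIDATE_EMPTY_FIELDS` setting, JSF may skip validators when the submitted value is empty, so an emptied hidden field would otherwise bypass the check.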