When is JSF's <f:verbatim> body evaluated/executed? - jsf

We have an Oracle ADF Faces 11.1.1.5 application which integrates Oracle SiteStudio regions through Oracle's OpenWCM tags (e.g. <wcm:placeholder>). Since these tags are JSP tags (not JSF components), they must be put inside an <f:verbatim> tag in JSF pages:
...
<f:verbatim>
<wcm:placeholder name="content"/>
</f:verbatim>
...
Unfortunately, we realized that <f:verbatim>'s body is evaluated/executed at each request (even at postback requests and at PPR requests that have nothing to do with this section of the page) and this causes regeneration of the corresponding SiteStudio region unnecessarily, which is a huge overhead.
Could anybody explain when <f:verbatim>'s body is evaluated/executed? How could we work around this problem?

Related

Should I use ui:fragment with the render attribute to conditionally render HTML tags in Facelets with JSF 2.2?

I am in the process of upgrading an old project from JSF 1.1 to JSF 2.2. Specifically, I am upgrading the JSF implementation from MyFaces 1.1 to MyFaces 2.2.12, replacing JSPs with Facelets and upgrading/replacing outdated tag libraries. I am mainly using Migrating from JSF 1.2 to JSF 2.0 as a guide.
The project used some tag library called htmLib with the namespace http://jsftutorials.net/htmLib in its JSP pages. I can't find any documentation about this tag library anymore, neither on the jsftutorials webpage nor elsewhere, but apparently it was used to include plain HTML tags like <div> or <table> in JSP pages.
Since plain HTML tags can now be used in XML Facelets with JSF 2, I am right now removing all occurrences of tags from the htmLib taglib like <htm:div>...</htm:div> and replacing them with plain HTML tags like <div>...</div>.
However, some of the tags used from htmLib contain the render attribute for conditional rendering, like this:
<htmLib:h4 render="someCondition">
...
</htmLib:h4>
Because plain HTML tags don't have a render attribute for this purpose, I was searching for an alternative way to conditionally render plain HTML tags and stumbled upon this answer on SO: How to conditionally render plain HTML elements like <div>s?
So, my idea is to replace a construct like the one above with something like
<ui:fragment rendered="#{someCondition}">
<h4>
...
</h4>
</ui:fragment>
My questions:
Is wrapping HTML tags inside a <ui:fragment> tag with the render attribute the recommended way to conditionally render HTML tags, or is this method only valid and recommended for the case in the linked question?
Are there other ways to conditionally render plain HTML tags in Facelets that should be preferred?
Does the <ui:fragment> wrapping method work, no matter what kind of plain HTML is contained within it?
Can conditionally rendered <ui:fragment> blocks be nested?
There's no limitation in that. Not even for wrapping ui:fragment.
Basically:
In order just to control the inner content, with no extra HTML generation, use ui:fragment.
To generate an extra HTML span element, use h:panelGroup.
To generate an extra HTML div element, use h:panelGroup layout="block".
The HTML you have inside isn't a problem. JSF, being a server-side framework, performs all the HTML building/rendering job on the server, so the JSF/Facelets tags get translated to HTML before the response is sent. All the plain HTML you use inside will remain HTML.
However, beware of using tag handlers inside UI components when migrating from 1.x. Tag handlers (ui:include, c:if, c:forEach) evaluate before the UI components (which typically contain rendered clauses). This has been a source of conflict in JSF 2.
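As an added example (not code from the original question or answer), the three wrappers the answer lists, a nested fragment, and the tag-handler pitfall it warns about, side by side in one Facelets file. The bean name bean and its properties showHeading, showDetails and items are hypothetical; the namespaces are the JSF 2.2 ones the question targets.

```xml
<!-- Added example, not from the original post. Assumes a request-scoped bean
     named "bean" with boolean properties showHeading and showDetails and a
     list property items (each item has name and visible); all hypothetical. -->
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:h="http://xmlns.jcp.org/jsf/html"
                xmlns:ui="http://xmlns.jcp.org/jsf/facelets"
                xmlns:c="http://xmlns.jcp.org/jsp/jstl/core">

    <!-- 1. ui:fragment: no extra markup, only the inner HTML is written. -->
    <ui:fragment rendered="#{bean.showHeading}">
        <h4>Heading</h4>

        <!-- Nested conditional: the inner fragment is only consulted when the
             outer one renders, so the two conditions combine as AND. -->
        <ui:fragment rendered="#{bean.showDetails}">
            <p>Details</p>
        </ui:fragment>
    </ui:fragment>

    <!-- 2. h:panelGroup: with an id (or styleClass, onclick, ...) it writes
         <span id="detailsSpan"> around the content. -->
    <h:panelGroup id="detailsSpan" rendered="#{bean.showDetails}">
        <p>Details</p>
    </h:panelGroup>

    <!-- 3. h:panelGroup layout="block": writes <div id="detailsDiv"> instead. -->
    <h:panelGroup layout="block" id="detailsDiv" rendered="#{bean.showDetails}">
        <p>Details</p>
    </h:panelGroup>

    <!-- Migration pitfall: c:if is a tag handler and runs once while the view
         is being built, before ui:repeat iterates. The variable "item" does
         not exist at that moment, so the test is null/false and no <li> is
         ever added to the tree, whatever the items contain. -->
    <ui:repeat value="#{bean.items}" var="item">
        <c:if test="#{item.visible}">
            <li>#{item.name}</li>
        </c:if>
    </ui:repeat>

    <!-- Correct: a component's "rendered" attribute is evaluated at render
         time, once per iteration, when "item" is bound. -->
    <ui:repeat value="#{bean.items}" var="item">
        <ui:fragment rendered="#{item.visible}">
            <li>#{item.name}</li>
        </ui:fragment>
    </ui:repeat>
</ui:composition>
```

The first three blocks differ only in what surrounds the content in the response; the last two differ in when the condition is evaluated, which is the distinction that bites when a JSF 1.x page carrying c:if or c:forEach is moved under a component such as ui:repeat.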

Is <f:verbatim> tag safe to XSS when use tainted input from user in JSF?

I am looking for information about XSS in web applications that use JavaServer Faces.
I found the paper Proofing Java EE, JSP, and JSF Applications
On page 48 (slide 36) called "Escaping in JSF" there is code snippet:
<f:verbatim value="#{foo}"/>
Also on page 50 (slide 38) there is description "Tags that don't escape enough" for <f:verbatim> and <h:outputlink>.
I can't reproduce XSS inside the <f:verbatim> tag when using EL in a web app with Facelets, probably because of auto escaping in JSF components:
CSRF, XSS and SQL Injection attack prevention in JSF
"JSF is designed to have builtin XSS prevention. You can safely redisplay all user-controlled input (request headers (including cookies!), request parameters (also the ones which are saved in DB!) and request bodies (uploaded text files, etc)) using any JSF component."
It seems that information in paper is for JSF before 2.0.
Also I found this:
f:verbatim tag stops working when inside a dataTable
"The <f:verbatim> tag is intented to hold plain text/HTML, not JSF components nor EL expressions."
So I don't understand how this tag could be used for XSS if it doesn't work with dynamic data from request or beans.
So I have 2 questions:
Is the <f:verbatim> tag safe against XSS when using tainted input from the user in a web application built on JSF 2.0+ and Facelets?
In which situations does the <f:verbatim> tag "not escape enough" in web applications built on JSF?
Example for JSF 2.0 and Facelets:
<h:form>
testform1#{testBean.getXSS(9)}testform1
testform2<h:outputText value="#{testBean.getXSS(10)}" escape="false" />testform2
<f:verbatim escape="false">
aaa#{testBean.getXSS(11)}bbb
ccc
<span>
#{testBean.getXSS(12)}test
<a>link#{testBean.getXSS(13)}</a>
#{testBean.getXSS(14)}
</span>
ddd
<script>alert(15)</script>
eee
<h:outputText value="#{testBean.getXSS(16)}" escape="false" />
ddd
</f:verbatim>
</h:form>
Test method in bean:
public String getXSS(Integer index) {
return ("<script>alert(" + Integer.toString(index) + ")</script>");
}
Output:
testform1<script>alert(9)</script>testform1
testform2<script>alert(10)</script>testform2
aaa<script>alert(11)</script>bbb
ccc
<span>
<script>alert(12)</script>test
<a>link<script>alert(13)</script></a>
<script>alert(14)</script>
</span>
ddd
<script>alert(15)</script>
eee
ddd
<input type="hidden" name="javax.faces.ViewState" id="j_id1:javax.faces.ViewState:1" value="-7832412971090198368:1934231343887166207" autocomplete="off" />
</form>
The referenced article/slide is from 8 June 2009. That's the era of JSF 1.2 and JSP.
JSF 2.0 was introduced in December 2009. JSP has since been deprecated and replaced by Facelets. <f:verbatim> was deprecated because it's entirely useless in Facelets. JSF 2.0 on Facelets is designed to have implicit XSS prevention all over the place (except for one Mojarra-specific bug, which is already fixed in 2.2.6; see the 1st "See also" link below for details).
In other words, ignore that article/slide. It doesn't apply to JSF 2.x at all. In future resources, double-check the publish date and whether the versions being treated match yours.
See also:
CSRF, XSS and SQL Injection attack prevention in JSF
Iterate <f:verbatim> within <ui:repeat>
Why Facelets is preferred over JSP as the view definition language from JSF2.0 onwards?

JSF dynamic ui:include

In my app I have tutor and student as user roles. And I decided that the main page for both will be the same. But the menu will be different for tutors and users. I made two .xhtml pages, tutorMenu.xhtml and student.xhtml. And I want to include the menu depending on the role. For the whole page I use a layout and in every page just change the "content part" in ui:composition.
In menu.xhtml
<h:body>
<ui:composition>
<div class="menu_header">
<h2>
<h:outputText value="#{msg['menu.title']}" />
</h2>
</div>
<div class="menu_content">
<c:if test="#{authenticationBean.user.role.roleId eq '2'}">
<ui:include src="/pages/content/body/student/studentMenu.xhtml"/>
</c:if>
<c:if test="#{authenticationBean.user.role.roleId eq '1'}">
<ui:include src="/pages/content/body/tutor/tutorMenu.xhtml" />
</c:if>
</div>
</ui:composition>
I know that using JSTL may not be the best solution, but I can't find another. What is the best solution to my problem?
Using JSTL tags in this case is perfectly fine, since Facelets has corresponding tag handlers (processed at the time of view tree creation) for the JSTL tags and handles them perfectly. In this case c:if can prevent processing of the ui:include (and adding the components located in the included xhtml file), which leads to a reduced component tree and better performance of the form.
One downside of this approach is that you cannot update these form parts using ajax, i.e. change the user role and refresh the form using ajax, because the ui:include for the other role is not part of the view anymore. In such a case you have to perform a full page refresh.
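As an added example (not code from the original question or answer), the poster's build-time c:if selection beside a render-time alternative that the answer's ajax caveat does not rule out. It reuses the poster's authenticationBean expression and menu paths; the container ids menuBuildTime and menuRenderTime, the roleSwitcher form and the changeRole action are hypothetical, as is the JSF 2.0 namespace set.

```xml
<!-- Added example, not from the original post. Assumes the poster's
     authenticationBean and menu files; the ids menuBuildTime and
     menuRenderTime, the roleSwitcher form and changeRole are hypothetical. -->
<ui:composition xmlns="http://www.w3.org/1999/xhtml"
                xmlns:h="http://java.sun.com/jsf/html"
                xmlns:f="http://java.sun.com/jsf/core"
                xmlns:ui="http://java.sun.com/jsf/facelets"
                xmlns:c="http://java.sun.com/jsp/jstl/core">

    <!-- Variant A (the poster's approach): build-time selection. c:if runs
         while the view is built, so only the chosen include's components
         exist in the tree. Cheaper tree, but an ajax render of this
         container after a role change cannot show the other menu: its
         components were never built, and only a full request rebuilds it. -->
    <h:panelGroup id="menuBuildTime">
        <c:if test="#{authenticationBean.user.role.roleId eq '2'}">
            <ui:include src="/pages/content/body/student/studentMenu.xhtml"/>
        </c:if>
        <c:if test="#{authenticationBean.user.role.roleId eq '1'}">
            <ui:include src="/pages/content/body/tutor/tutorMenu.xhtml"/>
        </c:if>
    </h:panelGroup>

    <!-- Variant B: render-time selection. ui:include is still a tag handler,
         so BOTH menus are built into the tree; "rendered" decides on every
         request which one is written. Because both subtrees exist, an ajax
         render of menuRenderTime after a role change shows the other menu.
         A bare h:panelGroup without id/styleClass writes no markup of its own. -->
    <h:panelGroup id="menuRenderTime">
        <h:panelGroup rendered="#{authenticationBean.user.role.roleId eq '2'}">
            <ui:include src="/pages/content/body/student/studentMenu.xhtml"/>
        </h:panelGroup>
        <h:panelGroup rendered="#{authenticationBean.user.role.roleId eq '1'}">
            <ui:include src="/pages/content/body/tutor/tutorMenu.xhtml"/>
        </h:panelGroup>
    </h:panelGroup>

    <h:form id="roleSwitcher">
        <!-- Hypothetical action that changes the user's role and then
             re-renders only the render-time container via ajax. Pointing
             render at ":menuBuildTime" instead would leave the old menu in
             place for the reason given under variant A. -->
        <h:commandButton value="Switch role"
                         action="#{authenticationBean.changeRole}">
            <f:ajax execute="@form" render=":menuRenderTime"/>
        </h:commandButton>
    </h:form>
</ui:composition>
```

Either variant only decides what the user sees. Which menu is rendered is not an access control: the tutor pages themselves still need a server-side authorization check, since a student can request /pages/content/body/tutor/... directly regardless of which include was rendered.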

Wrapping JSF components with DIV

I have a DIV element with a header style enclosing an h:outputText, but when the page renders I see the HTML is formed in such a way that my div does not contain the label generated by the h:outputText; instead I see the label above my DIV. Am I doing it wrong? I tried f:verbatim but it didn't help either.
Based on your question history you're using the ancient JSF 1.1. The <f:verbatim> way should work. Perhaps you've enclosed JSF components inside <f:verbatim>. You should not do that. It should only contain raw HTML.
<f:verbatim><div></f:verbatim>
<h:outputText value="Some text." />
<f:verbatim></div></f:verbatim>
Since JSF 1.2 the <f:verbatim> is not necessary anymore. JSF 1.2 should work on all environments where JSF 1.1 has been used. I strongly recommend upgrading.
See also:
Mix HTML and JSF in a JSF subview
What are the main disadvantages of Java Server Faces 2.0? (a bit of history)

Show or Hide HTML DIV in JSF 1.2

When the Apache MyFaces JSF 1.2 implementation renders an HTML page behind the scenes, is it even possible to set/code something which will display a pure HTML table/DIV (NOT the JSF component) conditionally? When I searched, I saw that using h:panelGroup is a solution, but I haven't tried it yet; posting here for any better methods or approaches.
It's almost like wanting to say - writing JavaScript code in Java and injecting it when the HTML is rendered - is it possible?
Thanks,
Several ways.
Use <h:panelGroup layout="block">. It renders a HTML <div> element.
<h:panelGroup layout="block" rendered="#{bean.condition}">
content
</h:panelGroup>
Wrap the HTML <div> element inside a <h:panelGroup>. Without any client-side attributes like id, styleClass, onclick, etc, the <h:panelGroup> won't render anything. With them it would however render a <span> element (or <div> if layout is set to block).
<h:panelGroup rendered="#{bean.condition}">
<div>content</div>
</h:panelGroup>
Wrap the HTML <div> element inside a <f:verbatim>.
<f:verbatim rendered="#{bean.condition}">
<div>content</div>
</f:verbatim>
It's by the way not so special that MyFaces generates HTML. The Mojarra JSF implementation also does that. The competitors Struts2, Spring MVC, Wicket, Tapestry, etc., etc. also do. Microsoft ASP.NET MVC also. PHP also. All server-side languages, in fact. Simply because the web browser doesn't understand them. It only understands HTML/CSS/JS ;)
As to mixing JavaScript with Java/JSP/JSF, you may find this article useful.