IntroductionHow often do you have validators on your hidden fields? I recently performed a security audit of an application that did not have validators associated with the hidden fields on the page. I suspect that the out of sight, out of mind mentality prevailed. Admittedly, I have often short circuited some development and put hidden fields in a JSF page without a validator. My expectation is that the data in the field would be used to provide information that may be needed by the application. However, if these fields have setters... and the results are stored in a database... I think you get the picture.
MethodologyI decided to create a more complex than really necessary example to show how to validate a
<h:inputHidden />field. In the example, you can enter names into an
Planets. You can confirm this by entering a bogus name, or poor Pluto that was kicked out of the planetary club.
CodeThe code for this example was developed using NetBeans 8.0 IDE on GlassFish 4+ and Apache Tomcat 8+ using JSF 2.2 (Mojarra).
The code for the project can be downloaded from Bitbucket: hidden-field-validation