Are JSF (Java Server Faces) pages isolated?

We allow our users to upload HTML to our servers. We need a template language so that users can insert variables into processed output, iterate over lists, etc. We are currently using JSF as our template language.

If we allow users to upload XHTML with JSF tags in it, is there anything bad they can do? Or are they sandboxed?

We deliberately avoided JSP because we do not want the user to embed malicious Java code on a page that could run on the server.

1 answer

JSF pages are not isolated in safe mode. There are restrictions on the volume, but in reality it is not the same thing (some overlap, but they have different goals). You probably shouldn't allow JSF code to load, but you probably still screen / sanitize the input as best as possible. Use a whitelist of safe operations, if possible. Blacklists are almost always trivial to evade, because listing possible evil values is impossible. Be careful and try a professional review of your site when you are done to make sure that you don’t miss anything obvious.

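One way to apply the whitelist advice from the answer above to uploaded Facelets XHTML, as an added example that is not part of the original post: parse the upload and reject any element, attribute or EL expression that is not explicitly allowed. The class name `TemplateAllowlist`, the allowed tags and attributes, and the EL names `user.name`, `items` and `item.title` are assumptions made for illustration.

```java
import java.io.ByteArrayInputStream;
import java.nio.charset.StandardCharsets;
import java.util.*;
import java.util.regex.Pattern;
import javax.xml.XMLConstants;
import javax.xml.parsers.DocumentBuilderFactory;
import org.w3c.dom.*;
public class TemplateAllowlist {
    static final String XHTML = "http://www.w3.org/1999/xhtml", UI = "http://xmlns.jcp.org/jsf/facelets";
    // Assumed policy (not from the page): the only tags, attributes and EL expressions allowed.
    static final Map<String, Set<String>> TAGS = Map.of(
        XHTML, Set.of("html", "body", "div", "p", "span", "ul", "li"), UI, Set.of("repeat"));
    static final Set<String> ATTRS = Set.of("class", "value", "var"),
        EL_OK = Set.of("user.name", "items", "item.title");
    static final Pattern EL = Pattern.compile("[#$]\\{([^}]*)\\}");
    static void check(String xhtml) throws Exception {
        DocumentBuilderFactory f = DocumentBuilderFactory.newInstance();
        f.setNamespaceAware(true);
        f.setFeature("http://apache.org/xml/features/disallow-doctype-decl", true); // no DTD/entities
        walk(f.newDocumentBuilder().parse(new ByteArrayInputStream(xhtml.getBytes(StandardCharsets.UTF_8))));
    }
    static void walk(Node n) {
        if (n.getNodeType() == Node.ELEMENT_NODE) {
            // Elements must be in an allowed namespace AND have an allowed local name.
            if (!TAGS.getOrDefault(String.valueOf(n.getNamespaceURI()), Set.of()).contains(n.getLocalName()))
                throw new SecurityException("element not allowed: " + n.getNodeName());
            NamedNodeMap attrs = n.getAttributes();
            for (int i = 0; i < attrs.getLength(); i++) {
                Node a = attrs.item(i);
                if (XMLConstants.XMLNS_ATTRIBUTE_NS_URI.equals(a.getNamespaceURI())) continue; // xmlns decls
                if (a.getNamespaceURI() != null || !ATTRS.contains(a.getLocalName()))
                    throw new SecurityException("attribute not allowed: " + a.getNodeName());
                checkEl(a.getNodeValue());
            }
        } else if (n.getNodeValue() != null) checkEl(n.getNodeValue()); // text, CDATA, comments, PIs
        for (Node c = n.getFirstChild(); c != null; c = c.getNextSibling()) walk(c);
    }
    static void checkEl(String s) {
        // Every #{...} / ${...} must be one of the allowed expressions; anything left over is rejected.
        String rest = EL.matcher(s).replaceAll(m -> {
            if (!EL_OK.contains(m.group(1).trim())) throw new SecurityException("EL not allowed: " + m.group());
            return ""; });
        if (rest.contains("#{") || rest.contains("${")) throw new SecurityException("unterminated EL");
    }
    public static void main(String[] args) throws Exception {
        String open = "<html xmlns='" + XHTML + "' xmlns:ui='" + UI + "'>";
        for (String body : new String[] { // constructed sample uploads
                "<ul><ui:repeat value='#{items}' var='item'><li>#{item.title}</li></ui:repeat></ul>",
                "<p>#{sessionScope}</p>", "<script>x</script>" })
            try { check(open + body + "</html>"); System.out.println("accepted: " + body); }
            catch (SecurityException e) { System.out.println("rejected: " + e.getMessage()); }
    }
}
```

A check like this narrows what an upload can contain but does not turn Facelets into a sandbox, so the allowed EL names should only resolve to objects that are safe to expose to the uploader.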
