Friday, December 7, 2012

Handling the comment block in Facelets/JSF2



Even if a block of code is commented out with an HTML comment (<!--     -->), the JSF lifecycle still processes that code, and it is emitted in the HTML source even though the component is not rendered on the HTML page. It can be seen with the browser's view-source option. This reveals sensitive information to third parties who were never meant to see it.

Example:

In the code below, part of the code is commented out with an HTML comment (<!-- -->):




Even though the browser does not render the component on the page, the HTML source still contains this information, and JSF still processes the component.

HTML source viewed from the browser:












Possible solutions:

1. Configure web.xml to tell Facelets to skip comments.

<context-param>
    <param-name>facelets.SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
</context-param>

2. Use the Facelets ui:remove tag to comment out the code block.
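A way to check a project for both conditions described above, as an added example that is not code from the original post: it reports whether web.xml turns comment skipping on and which HTML comments in a Facelets template still contain EL expressions or component tags. The sample web.xml, the template and the bean names are constructed; the script also accepts javax.faces.FACELETS_SKIP_COMMENTS, the JSF 2 standard name for the same parameter.

```python
import re
import xml.etree.ElementTree as ET

# Parameter name used on this page, plus the JSF 2 standard name for it.
SKIP_PARAMS = {"facelets.SKIP_COMMENTS", "javax.faces.FACELETS_SKIP_COMMENTS"}
COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# EL expressions or namespaced component tags (h:, f:, ui:, ...) in a comment.
RISKY = re.compile(r"[#$]\{[^}]*\}|</?[A-Za-z][\w.-]*:[\w.-]+")

# Constructed sample input (hypothetical application and bean names).
SAMPLE_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/javaee" version="3.0">
  <context-param>
    <param-name>facelets.SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

SAMPLE_TEMPLATE = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets">
<h:body>
  <!-- layout note -->
  <!-- <h:outputText value="#{accountBean.internalNote}"/> -->
  <ui:remove>
    <h:outputText value="#{accountBean.debugInfo}"/>
  </ui:remove>
</h:body>
</html>"""

def skip_comments_enabled(web_xml):
    """True if a context-param switches Facelets comment skipping on."""
    for el in ET.fromstring(web_xml).iter():
        fields = {c.tag.rsplit("}", 1)[-1]: (c.text or "").strip() for c in el}
        if el.tag.endswith("context-param") and fields.get("param-name") in SKIP_PARAMS:
            return fields.get("param-value", "").lower() == "true"
    return False

def risky_comments(template):
    """Return (line, matches) for each HTML comment holding EL or JSF tags."""
    findings = []
    for m in COMMENT.finditer(template):
        hits = RISKY.findall(m.group(1))
        if hits:
            line = template.count("\n", 0, m.start()) + 1
            findings.append((line, hits))
    return findings

if __name__ == "__main__":
    print("skip comments enabled:", skip_comments_enabled(SAMPLE_WEB_XML))
    print("comments to convert to ui:remove:", risky_comments(SAMPLE_TEMPLATE))
```

Content wrapped in ui:remove is not flagged, because Facelets drops it when the view is built and it never reaches the response.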
