Even if a block of code is commented out using an HTML
comment (<!-- -->), the JSF lifecycle still
processes that code and it appears in the HTML source, although the
component is not rendered on the HTML page. It can be seen using the browser's
view-source option. This reveals sensitive information to third parties
who were never meant to see it.
Example:
In the piece of code below, part of the code is commented out
using an HTML comment (<!-- -->).
Even though the browser doesn't render the component on the
page, the HTML source still contains this piece of information, and
JSF also processes the component.
Possible solutions:
1. Configure web.xml to tell Facelets to skip comments.
<context-param>
  <param-name>facelets.SKIP_COMMENTS</param-name>
  <param-value>true</param-value>
</context-param>
2. Use the Facelets ui:remove tag to comment out the code block.
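
To check a project for both conditions, the following audit script is an added example, not code from the original post. It flags HTML comments in a Facelets page that contain JSF tags or EL expressions, and reports whether web.xml enables comment skipping. The sample page, the accountBean names and the sample web.xml are constructed; javax.faces.FACELETS_SKIP_COMMENTS is the JSF 2 standard name for the same setting and is not mentioned in the post.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample Facelets page (not from the original post).
SAMPLE_PAGE = """<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://java.sun.com/jsf/html"
      xmlns:ui="http://java.sun.com/jsf/facelets">
<h:body>
  <!-- <h:outputText value="#{accountBean.internalNote}"/> -->
  <ui:remove>
    <h:outputText value="#{accountBean.auditTrail}"/>
  </ui:remove>
  <!-- layout starts here -->
</h:body>
</html>"""

# Constructed web.xml using the parameter named in the post.
SAMPLE_WEB_XML = """<web-app>
  <context-param>
    <param-name>facelets.SKIP_COMMENTS</param-name>
    <param-value>true</param-value>
  </context-param>
</web-app>"""

# The post's parameter name, plus the JSF 2 standard name (assumption: either may be used).
SKIP_PARAMS = {"facelets.SKIP_COMMENTS", "javax.faces.FACELETS_SKIP_COMMENTS"}
COMMENT = re.compile(r"<!--(.*?)-->", re.DOTALL)
# An EL expression, or a namespaced component tag such as <h:outputText
JSF_MARKUP = re.compile(r"[#$]\{|</?[A-Za-z]\w*:\w+")

def skip_comments_enabled(web_xml):
    """True if web.xml sets a skip-comments context-param to true."""
    root = ET.fromstring(web_xml)
    for el in root.iter():
        if el.tag.split("}")[-1] != "context-param":
            continue
        fields = {c.tag.split("}")[-1]: (c.text or "").strip() for c in el}
        if fields.get("param-name") in SKIP_PARAMS:
            return fields.get("param-value", "").lower() == "true"
    return False

def risky_comments(page):
    """Return (line, text) for each HTML comment holding JSF tags or EL."""
    hits = []
    for m in COMMENT.finditer(page):
        if JSF_MARKUP.search(m.group(1)):
            hits.append((page.count("\n", 0, m.start()) + 1, m.group(1).strip()))
    return hits
```

On the sample page only the commented-out h:outputText on line 5 is reported; the block wrapped in ui:remove and the plain layout comment are not.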