JSF security notes
Discussions of JSF state saving also touch on JSF security: saving the JSF state on the client is generally less secure than saving it on the server, because the serialized view leaves the server in a hidden field where it can be inspected or tampered with. For some of the most common concerns, notably XSS and CSRF, JSF provides implicit protection; others that are often listed alongside them, such as SQL injection and phishing, lie outside the view layer and remain the application's responsibility.
Cross-site request forgery (CSRF)
CSRF attacks (and the phishing-style attacks that rely on them) are mitigated by saving state on the server. JSF 2.0 comes with implicit protection against CSRF attacks based on the value of the javax.faces.ViewState hidden field: a postback is processed only if that value matches a view the server knows about. Starting with JSF 2.2, this protection was strengthened by generating a random, unguessable value for this field instead of a predictable sequential identifier. Note that the check only covers POST requests that carry the hidden field; a state-changing action reachable through a plain GET request gets no protection from it.
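As an added example (not from the original text), the fragments below make the two choices above explicit: the web.xml context parameter that selects server-side state saving, and the JSF 2.2 protected-views declaration that extends CSRF protection to GET navigation by requiring a javax.faces.Token parameter. The URL pattern /admin/deleteUser.xhtml is an assumption.

```xml
<!-- web.xml: keep the view state on the server so that the
     javax.faces.ViewState field carries only a random lookup key
     (this is also the default; setting it explicitly documents intent). -->
<context-param>
    <param-name>javax.faces.STATE_SAVING_METHOD</param-name>
    <param-value>server</param-value>
</context-param>

<!-- faces-config.xml (JSF 2.2): GET requests to a protected view are
     accepted only when they carry a valid javax.faces.Token, which
     <h:link>/<h:button> add automatically when targeting such views.
     The page name below is an assumed example. -->
<faces-config version="2.2"
              xmlns="http://xmlns.jcp.org/xml/ns/javaee"
              xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
              xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                                  http://xmlns.jcp.org/xml/ns/javaee/web-facesconfig_2_2.xsd">
    <protected-views>
        <url-pattern>/admin/deleteUser.xhtml</url-pattern>
    </protected-views>
</faces-config>
```

A request to the protected view without the token (for example, a link planted on a third-party site) is rejected by the runtime before the view is processed, which closes the GET gap that the ViewState check alone leaves open.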
Cross-site scripting (XSS)
XSS attacks are implicitly prevented by JSF through the escape attribute of output components such as <h:outputText/> and <h:outputLabel/>, which is set to true by default, so the rendered value is HTML-escaped. Since JSF 2.0, EL expressions written directly in Facelets template text are escaped in the same way. The following are the examples; both render the value escaped:

    <p>Hi, <h:outputText value="#{loginbean.name}" /></p>
    <p>Hi, #{loginbean.name}</p>
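As an added example (not part of the original text), the Facelets page below places the default, escaped output next to the one case that switches the protection off, escape="false". The bean name loginbean and the payload value are assumptions chosen to show the difference.

```xml
<!DOCTYPE html>
<html xmlns="http://www.w3.org/1999/xhtml"
      xmlns:h="http://xmlns.jcp.org/jsf/html">
<h:head><title>Escaping demo</title></h:head>
<h:body>
    <!-- Assume #{loginbean.name} holds the constructed payload
         <script>alert(document.cookie)</script> -->

    <!-- Safe: escape defaults to true; the browser receives
         &lt;script&gt;alert(document.cookie)&lt;/script&gt; as text -->
    <p>Hi, <h:outputText value="#{loginbean.name}" /></p>

    <!-- Safe: EL in Facelets template text is escaped the same way -->
    <p>Hi, #{loginbean.name}</p>

    <!-- VULNERABLE: escape="false" writes the value verbatim,
         so the script tag is parsed and executed by the browser -->
    <p>Hi, <h:outputText value="#{loginbean.name}" escape="false" /></p>
</h:body>
</html>
```

The practical check is therefore a search of the view templates for escape="false": every occurrence must be fed only from trusted, server-generated markup, never from user input.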