Checking user input before it is stored
With the Advanced Integration Features, Thymeleaf and Spring have a built-in security mechanism that allows user input to be validated before it is written to a bean.
Thymeleaf now seamlessly integrates with Spring’s RequestDataValueProcessor interface. This interface allows the interception of link URLs, form URLs and form field values before they are written to the markup result, as well as transparently adding hidden form fields that enable security features like e.g. protection against CSRF (Cross-Site Request Forgery). An implementation of RequestDataValueProcessor can be easily configured at the Application Context:
- th:href and th:src call RequestDataValueProcessor.processUrl(...) before rendering the URL.
- th:action calls RequestDataValueProcessor.processAction(...) before rendering the form’s action attribute, and additionally it detects when this attribute is being applied on a <form> tag (which should be the only place, anyway), and in such case calls RequestDataValueProcessor.getExtraHiddenFields(...) and adds the returned hidden fields just before the closing </form> tag.
- th:value calls RequestDataValueProcessor.processFormFieldValue(...) for rendering the value it refers to, unless there is a th:field present in the same tag (in which case th:field will take care).
- th:field calls RequestDataValueProcessor.processFormFieldValue(...) for rendering the value of the field it applies to (or the tag body if it is a <textarea>).
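The following is an added example (not code from the Thymeleaf or Spring projects) showing what a RequestDataValueProcessor implementation and its Application Context registration look like, so the four hooks listed above can be seen in one place. It uses the Spring 4+ method signatures of org.springframework.web.servlet.support.RequestDataValueProcessor and the javax.servlet API (Spring 6 / Jakarta EE projects would import jakarta.servlet instead). The package name, the request attribute "example.csrfToken" that an upstream filter is assumed to populate, and the hidden field name "_csrf" are hypothetical choices made for this example.

```java
package com.example.security; // hypothetical package name

import java.util.Collections;
import java.util.Map;

import javax.servlet.http.HttpServletRequest; // assumption: javax API; use jakarta.servlet on Spring 6

import org.springframework.context.annotation.Bean;
import org.springframework.context.annotation.Configuration;
import org.springframework.web.servlet.support.RequestDataValueProcessor;

/**
 * Example processor that adds a per-request anti-CSRF token as a hidden field to
 * every <form> rendered through th:action, and passes URLs and field values
 * through unchanged. Method signatures follow Spring 4 and later.
 */
public class CsrfTokenDataValueProcessor implements RequestDataValueProcessor {

    // Hypothetical names: the request attribute an upstream filter is assumed to
    // populate with the session's token, and the hidden field the server-side
    // token check is assumed to read.
    static final String TOKEN_REQUEST_ATTRIBUTE = "example.csrfToken";
    static final String TOKEN_FIELD_NAME = "_csrf";

    @Override
    public String processAction(HttpServletRequest request, String action, String httpMethod) {
        // Called by th:action before the form's action attribute is written.
        // The token travels in a hidden field (see getExtraHiddenFields), not in
        // the action URL, so the action is returned as-is.
        return action;
    }

    @Override
    public String processFormFieldValue(HttpServletRequest request, String name, String value, String type) {
        // Called by th:value and th:field for each rendered field value.
        // No transformation is applied in this example.
        return value;
    }

    @Override
    public Map<String, String> getExtraHiddenFields(HttpServletRequest request) {
        // Called by th:action when applied on a <form>; Thymeleaf renders each
        // map entry as a hidden <input> just before the closing </form> tag.
        Object token = request.getAttribute(TOKEN_REQUEST_ATTRIBUTE);
        if (token == null) {
            // No token available for this request: add nothing rather than an
            // empty field that would fail (or silently bypass) the server-side check.
            return Collections.emptyMap();
        }
        return Collections.singletonMap(TOKEN_FIELD_NAME, token.toString());
    }

    @Override
    public String processUrl(HttpServletRequest request, String url) {
        // Called by th:href and th:src before the URL is written; unchanged here.
        return url;
    }
}

@Configuration
class RequestDataValueProcessorConfig {

    // Spring MVC resolves the processor by this exact bean name
    // (RequestContext.REQUEST_DATA_VALUE_PROCESSOR_BEAN_NAME).
    @Bean(name = "requestDataValueProcessor")
    public RequestDataValueProcessor requestDataValueProcessor() {
        return new CsrfTokenDataValueProcessor();
    }
}
```

The bean name matters: Spring MVC's RequestContext looks up a bean called exactly "requestDataValueProcessor", so a processor registered under any other name is never invoked. In an application that already uses Spring Security's MVC integration, this bean is provided for you as CsrfRequestDataValueProcessor, which emits the real CSRF token; the hand-written class above is only meant to make the call sequence of the th:href, th:action, th:value and th:field hooks concrete.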