The DAFDropletEventServlet calls the setX/handleX methods of a bean when a form is submitted from a dynamic page or when serving a request from an anchor tag with bean attributes. You can configure how this servlet handles errors encountered in processing a page. By default, errors are set as an element of the DropletExceptions set in the request attribute DropletConstants.DROPLET_EXCEPTIONS_ATTRIBUTE. Setting the following property returns errors to the requesting page:


Preventing Cross-Site Scripting Attacks

Cross-site scripting attacks take advantage of a vulnerability that makes it possible for a malicious site you access to use your browser to submit form requests to another site (such as an Oracle ATG Web Commerce-based site). To prevent processing of these requests, the Oracle ATG Web Commerce platform can use a request parameter _dynSessConf, containing a session-confirmation number, to verify that a request is legitimate. This randomly generated long number is associated with the session of the submitted form. On submission of a form or activation of a property-setting dsp:a tag, DAFDropletEventServlet checks the value of _dynSessConf against the current session’s confirmation number. If it detects a mismatch or missing number, it can block form processing and return an error.

You can configure this behavior through two properties in the component /atg/dynamo/Configuration:

You can also control session confirmation for individual requests by setting the attribute requiresSessionConfirmation to true or false on the applicable dsp:form or dsp:a tag. If this attribute is set to false, the _dynSessConf parameter is not included in the HTTP request, and the DAFDropletEventServlet skips validation of this request’s session-confirmation number.