[Seaside] #disabled: + #callback:

PAUL DEBRUICKER pdebruic at gmail.com
Mon Feb 27 16:35:17 UTC 2017

Hi - 

If in a Seaside form (3.2.1, but not sure it matters) you have an input with a callback (and e.g. an #onChange: handler) and set its state to 'disabled', a nefarious actor can remove the 'disabled' state from the form element in the browser and then trigger the Seaside callback on the form submit.

How do people usually handle this?

Right now in critical places I have two sets of form-input-drawing code e.g.

	ifTrue: [ html textInput
			disabled: true;
			value: self name ]
	ifFalse: [ html textInput
			onChange: html jQuery ajax serializeThis;
			on: #name of: self ].

But in other places I am neglectful.

It seems to me that if I moved the #disabled: send down to be the last thing sent to the input, then I could modify the #disabled: method to wipe out the callback and any JavaScript handlers attached to the input, preventing the unlikely attack I mention above.

Does that make sense?

Thanks for any thoughts you care to share

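One way to keep the decision on the server, as an added example that is not code from the post above (the component, #canEditName and #updateNameFrom: are assumed names): the same rule is consulted when rendering and again inside the callback, so stripping the disabled attribute in the browser gains nothing.

```smalltalk
"Constructed example for a Seaside 3.x component; NameEditor, #canEditName
 and #updateNameFrom: are assumed names, not part of the original post."

renderNameInputOn: html
	| input |
	input := html textInput.
	input value: self name.
	self canEditName
		ifTrue: [
			"Editable: register the callback and the ajax handler."
			input
				onChange: html jQuery ajax serializeThis;
				callback: [ :value | self updateNameFrom: value ] ]
		ifFalse: [
			"Read-only: no callback is registered at all, so a forged
			 submission for this field has nothing to invoke on the server."
			input disabled: true ]

updateNameFrom: aString
	"Second line of defence: the server-side rule is re-checked before
	 mutating state, independent of what the browser sent."
	self canEditName ifFalse: [ ^ self ].
	name := aString
```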