[Seaside] #disabled: + #callback:
PAUL DEBRUICKER
pdebruic at gmail.com
Mon Feb 27 16:35:17 UTC 2017
Hi -
If in a Seaside form (3.2.1, but not sure it matters) you have an input with a callback (and, e.g., an #onChange: handler) and set its state to 'disabled', a nefarious actor can remove the 'disabled' state from the form element in the browser and then trigger the Seaside callback on the form submit.
How do people usually handle this?
Right now, in critical places, I have two sets of form-input-drawing code, e.g.:
    "disable is a Boolean decided earlier in the rendering method"
    disable
        ifTrue: [
            html textInput
                disabled: true;
                value: self name ]
        ifFalse: [
            html textInput
                onChange: html jQuery ajax serializeThis;
                on: #name of: self ]
But in other places I am neglectful.
It seems to me that if I moved the #disabled: send down to be the last thing sent to the input, then I could modify the #disabled: method to wipe out the callback and any JavaScript handlers attached to the input, preventing the unlikely attack I mention above.
Does that make sense?
Thanks for any thoughts you care to share
Paul
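An added example (not code from the post or from Seaside itself) of the single-helper approach the post argues for, extended with a server-side re-check inside the callback. It assumes a WAComponent subclass with accessors #name, #name: and a Boolean #editable; all three names are hypothetical.

```smalltalk
"Added example, not from the original post. Assumes a WAComponent subclass
 with accessors #name / #name: and a Boolean #editable (hypothetical names)."
NameEditor >> renderNameInputOn: html
    "Render the name field from one place only. Whether the field is
     editable is decided from component state on the server; the request
     the browser sends never gets a say."
    self editable
        ifTrue: [
            html textInput
                onChange: html jQuery ajax serializeThis;
                value: self name;
                callback: [ :value |
                    "Defence in depth: the callback id is what a browser can
                     replay, so re-check the server-side state before storing,
                     in case the component became read-only after rendering."
                    self editable ifTrue: [ self name: value ] ] ]
        ifFalse: [
            "Disabled branch: no callback and no JavaScript handler are
             registered at all, so re-enabling the input client-side and
             submitting posts a value that Seaside routes to nothing."
            html textInput
                disabled: true;
                value: self name ]
```

Because the disabled branch registers no callback, there is nothing for a re-enabled input to trigger; the guard inside the enabled branch covers the remaining window between rendering and submission.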