[Seaside] #disabled: + #callback:

Sean Glazier sglazier456 at gmail.com
Mon Feb 27 18:57:45 UTC 2017


Either HTTPS and/or a cookie, or include a hash of what is serialised or
what you expect as an argument. In each case you detect a change. I have
used cookies with encrypted info along with hashes along with random data,
so with each AJAX call I verify. Setting it up takes work. So you do not
have to litter code with complicated crypto. It has passed some pretty
stringent security requirements. Be sure you trust the crypto libraries and
you should be fine. The only actor you cannot defeat is someone that has
the money and access to a D-Wave (quantum computing).


Kind Regards,

Sean Glazier


On Mon, Feb 27, 2017 at 11:35 AM, PAUL DEBRUICKER <pdebruic at gmail.com>
wrote:

> Hi -
>
>
> If in a Seaside form (3.2.1, but not sure it matters) you have an input
> with a callback (and e.g. an #onChange: handler) and set its state to 'disabled',
> a nefarious actor can remove the 'disabled' state from the form element in
> the browser and then trigger the Seaside callback on the form submit.
>
>
> How do people usually handle this?
>
>
>
> Right now in critical places I have two sets of form-input-drawing code
> e.g.
>
> disable
>   ifTrue:[ html textInput
>                 disabled: true;
>                 value: self name ]
>   ifFalse:[ html textInput
>                   onChange: html jQuery ajax serializeThis;
>                   on: #name of: self].
>
> But in other places I am neglectful.
>
>
> It seems to me that if I moved the #disabled: send down to be the last
> thing sent to the input, then I could modify the #disabled: method to wipe
> out the callback and any JavaScript handlers attached to the input,
> preventing the unlikely attack I mention above.
>
>
> Does that make sense?
>
>
> Thanks for any thoughts you care to share
>
>
> Paul
>
>
>
>
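A language-neutral illustration of the server-side check Sean describes, added here as an example and not Seaside or Smalltalk code from this thread: the server signs the set of inputs it rendered as enabled, bound to the session, and on submit discards any field that was disabled at render time, so re-enabling the input in the browser never reaches its callback. Function names, the token layout and the session/field names are assumptions.

```python
import hashlib
import hmac
import json
import secrets

# Server-side key, never sent to the browser (constructed for this example).
SECRET_KEY = secrets.token_bytes(32)


def _sign(payload: bytes) -> str:
    return hmac.new(SECRET_KEY, payload, hashlib.sha256).hexdigest()


def render_form(session_id: str, fields: dict) -> dict:
    """fields maps input name -> True if rendered enabled, False if disabled.
    Returns the names to render with callbacks and a signed state token that
    the page carries back (e.g. in a hidden input or a cookie)."""
    enabled = sorted(name for name, on in fields.items() if on)
    state = {"session": session_id, "enabled": enabled, "nonce": secrets.token_hex(8)}
    payload = json.dumps(state, sort_keys=True).encode()
    return {"enabled": enabled, "token": payload.hex() + "." + _sign(payload)}


def handle_submit(session_id: str, token: str, submitted: dict) -> dict:
    """Verify the token, then accept only fields that were enabled at render
    time. A field re-enabled in the browser lands in 'rejected' and its
    callback is never run."""
    try:
        payload_hex, sig = token.split(".", 1)
        payload = bytes.fromhex(payload_hex)
    except ValueError:
        raise PermissionError("malformed state token")
    # Constant-time compare so the MAC cannot be guessed byte by byte.
    if not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("state token does not verify")
    state = json.loads(payload)
    if state["session"] != session_id:
        raise PermissionError("state token belongs to another session")
    allowed = set(state["enabled"])
    accepted = {k: v for k, v in submitted.items() if k in allowed}
    rejected = sorted(set(submitted) - allowed)
    return {"accepted": accepted, "rejected": rejected}
```

Seaside already keeps form state server-side per session, so the same idea can be applied without a token by recording which inputs were rendered enabled and ignoring callbacks for the others.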