[Seaside] #disabled: + #callback:

Sven Van Caekenberghe sven at stfx.eu
Mon Feb 27 19:15:19 UTC 2017 

Hi Paul,

> On 27 Feb 2017, at 17:35, PAUL DEBRUICKER <pdebruic at gmail.com> wrote:
> 
> Hi - 
> 
> 
> If in a Seaside form (3.2.1 but not sure it matters) you have an input with a callback (& e.g #onChange: handler) and set its state to 'disabled' a nefarious actor can remove the 'disabled' state from the form element in the browser and then trigger the seaside callback on the form submit.   

Well, I had a problem very close to that, that actually cost me real money !

In a shopping cart I used <A> tags that rendered as buttons (Bootstrap), disabling them when the user was not supposed to continue (as in not order for free from a far away country ;-). The continue button looked disabled, but it wasn't.

So I ended up doing

renderContinueOn: html
  | anchor |
  html space.
  (anchor := html anchor)
    class: 'btn btn-primary';
    disabled: self canContinue not.
  "since <A> cannot really be disabled, do not add a callback !"
  self canContinue ifTrue: [ anchor callback: [ ... ] ].
  anchor with: [ .. ]

It was of course my own fault, but it would be nice if calling disabled: false on a Seaside component had the effect of disabling callbacks as well.

Sven

> How do people usually handle this?
> 
> 
> 
> Right now in critical places I have two sets of form-input-drawing code e.g.
> 
> disable 
>  ifTrue:[ html textInput
> 		disabled: true;
> 		value: self name ]
>  ifFalse:[ html textInput
> 		  onChange: html jQuery ajax serializeThis;
> 		  on: #name of: self].
> 
> But in other places I am neglectful.
> 
> 
> It seems to me that if I moved the #disabled: send down to be the last thing sent to the input then I could modify the #disabled: method to wipe out the callback and any javascript handlers attached to the input, preventing the unlikely attack I mention above.  
> 
> 
> Does that make sense?
> 
> 
> Thanks for any thoughts you care to share
> 
> 
> Paul
> 
> 
> 
> 
> _______________________________________________
> seaside mailing list
> seaside at lists.squeakfoundation.org
> http://lists.squeakfoundation.org/cgi-bin/mailman/listinfo/seaside

More information about the seaside mailing list