On Blazor server I can create a simple demo as follows with a readonly and disabled textbox:
============
<SfTextBox Readonly="true" Enabled="false" @bind-Value="@text"></SfTextBox>
This is my text on the server: @text
============
This renders the following on the page
====================
<span class="e-input-group e-control-container e-control-wrapper e-disabled" style="width:;" _bl_303761b3-39d0-4a0c-a639-4e65e57ee88c="">
<input id="textbox-cad49a11-8ad1-4711-a577-adb50f5827a4" autocomplete="on" type="text" class="e-control e-textbox e-lib e-input e-disabled" name="textbox-cad49a11-8ad1-4711-a577-adb50f5827a4" role="textbox" tabindex="-1" readonly="" aria-readonly="true" disabled="disabled" aria-disabled="true" _bl_879a1ba9-cc99-4812-afdd-115adc458227="">
</span>
Simply deleting the above bolded words through browser page inspection causes the textbox to be editable and start firing server side events such as value change.
My questions:
Bumping this up as this seems like a major security issue and no response for a week on this.
Hi Ahmed,
Query 1: Isn't this a security issue for server side components that should keep state? I would assume that a server side control with a parameter marked disabled and read-only would not cause the value change event to fire.
We have considered the reported issue “If the user removed disabled / readonly attributes in DOM, the user can change the component value” as a bug from our end, and the fix for the issue will be included in our upcoming patch release by mid-February 2023.
You can now track the status of the feedback through the below link, https://www.syncfusion.com/feedback/40810
Disclaimer: “Inclusion of this solution in the weekly release may change due to other factors including but not limited to QA checks and works reprioritization.”
Query 2: Do other syncfusion blazor server components work the same way? Are the disabled/read-only terms purely decorative as well or prevent value change events and databinding?
We have created a separate Forum for the above query. Please follow the below shared Forum for further updates.
Query 3: Are controls validated? Can users for example inject data into dropdownlist and grids that are not in the two-way bound datasource and cause event firing with data that was not in the datasource?
We have created a separate Forum for the above query. Please follow the below shared Forum for further updates.
Regards,
Udhaya Kumar D
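One defensive pattern for the behaviour discussed in this thread, as an added example that is neither Syncfusion's fix nor code from the original post: keep the editability flag on the server and discard value changes that arrive while the field is locked, instead of relying on the `disabled`/`readonly` attributes, which live only in the client's DOM. It uses the `SfTextBox` parameters already shown above (`Readonly`, `Enabled`, `@bind-Value`); the `IsLocked` field, `GuardedValue` property and `RejectedWrites` counter are assumed names.

```razor
@* Added example: server-side guard for a Blazor Server form field.
   Assumption: Blazor Server hosting, so the disabled/readonly attributes
   are client-side hints only and the server must enforce the state. *@

<SfTextBox Readonly="@IsLocked" Enabled="@(!IsLocked)"
           @bind-Value="@GuardedValue"></SfTextBox>
<p>Server-held value: @text</p>
<p>Rejected writes: @RejectedWrites</p>

@code {
    // Server-held state: a user editing the DOM cannot flip this flag.
    private bool IsLocked = true;
    private string text = "initial";
    private int RejectedWrites = 0;

    // Every ValueChanged produced by @bind-Value goes through this setter,
    // so the check runs no matter what attributes the client rendered.
    private string GuardedValue
    {
        get => text;
        set
        {
            if (IsLocked)
            {
                // A change event for a locked field means the client-side
                // guard was bypassed; count it (and log it in real code),
                // and keep the server value. The next render pushes the
                // server-held value back into the textbox.
                RejectedWrites++;
                return;
            }
            text = value;
        }
    }
}
```

The same guard applies to any other bound parameter the server treats as fixed: the server-side handler, not the markup, is where the rule is enforced.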
Hi Ahmed,
Query 1: Isn't this a security issue for server side components that should keep state? I would assume that a server side control with a parameter marked disabled and read-only would not cause the value change event to fire.
We have fixed the reported issue “If the user removed disabled / readonly attributes in DOM, the user can change the component value” from our end in the latest 20.4.50 version. So, we suggest you upgrade to our latest version to resolve the current issue.
Release Notes: https://blazor.syncfusion.com/documentation/release-notes/20.4.50?type=all#textbox