Vulnerability detected - textbox with bind but disabled - chrome debugger opens backdoor

Question

asked 2023-02-15 01:20:12 +0800

holos
21 ● 4

Hi,

one of our creative tester found the following:

we have a textbox which is typically bound to a variable:

zul:

...
<textbox value="@bind(vm.input)" />
...

Sometimes we dynamically need to set this textbox to disable="true".

Java:

@Wire
private Textbox input;
...
input.setDisabled(true);

Now one can open the (Chrome) debugger and just remove the disabled from

<input id="o4hEy" class="z-textbox z-textbox-disabled" value="" type="text" disabled>

and voilà - the field takes input and the input is sent to the server.

I tried a lot to suppress the value send - but found no proper solution.

Please advise.

P.S.: Rendering a label instead or checking something on the setter side is no option as we do all of this stuff highly dynamically.

Accepted Answer

0

answered 2023-02-15 18:36:32 +0800

Comments

Thanks, hawk.

This did the trick :-)

holos ( 2023-02-16 04:27:46 +0800 )edit