
Is readonly bandbox considered insecure?

asked 2012-08-29 02:29:27 +0800

czynga

There is a chapter in the documentation which explains that "inaccessible widgets (such as disabled or invisible) can be accessed easily with a debugging tool running at the browser". My question is: does the same apply to a readonly bandbox? In other words, is it possible for a hostile user to change its behaviour so that it accepts his input?


3 Replies


answered 2012-09-03 03:53:38 +0800

iantsai

updated 2012-09-03 03:54:53 +0800

He might change the value on the client side, but if there is no server-side listener registered, nothing can happen.

And if you need a bandbox that is read-only for now but might become editable in the future, then for better look-and-feel separation you can use a Label while read-only and swap it with a Bandbox in edit mode.

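The point in the answer above is that the readonly attribute lives in the browser, so the server must decide for itself whether an onChange request is acceptable. The following is an added example, not code from the original thread or from the ZK project; it assumes ZK 6 or later on the classpath, and the class and field names (ReadonlyBandboxWindow, trustedValue, setEditMode) are mine. It keeps a server-side copy of the value, checks server-side state in the listener, and implements the Label/Bandbox swap suggested above.

```java
// Added example, not from the original thread or the ZK project.
// Assumes the ZK framework (zk and zul jars, ZK 6+) on the classpath.
import org.zkoss.zk.ui.event.EventListener;
import org.zkoss.zk.ui.event.Events;
import org.zkoss.zk.ui.event.InputEvent;
import org.zkoss.zul.Bandbox;
import org.zkoss.zul.Label;
import org.zkoss.zul.Window;

public class ReadonlyBandboxWindow extends Window {
    private final Bandbox bandbox = new Bandbox();
    private final Label label = new Label();
    // Server-side copy of the value; the widget's client state is never trusted.
    private String trustedValue = "initial";
    // Server-side mode flag; the only thing the listener consults.
    private boolean editMode = false;

    public ReadonlyBandboxWindow() {
        label.setValue(trustedValue);
        bandbox.setValue(trustedValue);
        bandbox.setReadonly(true);
        // Read-only mode: show a Label, as suggested in the answer above.
        label.setParent(this);

        bandbox.addEventListener(Events.ON_CHANGE, new EventListener<InputEvent>() {
            public void onEvent(InputEvent evt) throws Exception {
                // This request came from the browser. The readonly attribute is
                // enforced only by the client widget, so a hostile user can clear
                // it with the browser's debugger and send onChange anyway.
                // Decide from server-side state only.
                if (!editMode || bandbox.isReadonly()) {
                    // ZK has already copied the client's value into the component
                    // before posting onChange, so put the trusted value back;
                    // this also resynchronises the browser.
                    bandbox.setValue(trustedValue);
                    return;
                }
                trustedValue = evt.getValue();
                label.setValue(trustedValue);
            }
        });
    }

    // Swap Label and Bandbox, flipping the server flag and the widget
    // attribute together so they can never disagree.
    public void setEditMode(boolean edit) {
        editMode = edit;
        bandbox.setReadonly(!edit);
        if (edit) {
            label.detach();
            bandbox.setValue(trustedValue);
            bandbox.setParent(this);
        } else {
            bandbox.detach();
            label.setValue(trustedValue);
            label.setParent(this);
        }
    }

    public String getTrustedValue() {
        return trustedValue;
    }
}
```

The check inside the listener is deliberately redundant with the Label swap: while the Label is shown the Bandbox is detached and cannot receive events at all, and if it is ever attached while read-only, the server-side flag still rejects forged input.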

answered 2012-09-04 04:25:05 +0800

czynga

Nice idea with using a label, I like it. OK, so it means that security-wise the same rules apply to readonly components. That's exactly what I wanted to know, thank you. Is it not a bit of a design flaw? As far as I understand, the same limitations or considerations don't apply in Vaadin. But anyway, ZK is so much better :)


answered 2012-09-05 08:06:51 +0800

iantsai

Actually, we do have a feature in ZK EE to prevent such hostile access:
Block Request for Inaccessible Widgets
and it supports both the readonly and disabled attributes of official ZK components.



Stats

Asked: 2012-08-29 02:29:27 +0800

Seen: 126 times

Last updated: Sep 05 '12
