BlueMice

Reputation: 333

JSF disabled CommandButton is clickable and could submit form after being enabled by Firebug

I have a JSF page with a form and a disabled CommandButton. Now it's possible to enable the disabled button by HTML-Browser manipulation (such as Firebug) and execute the action behind the button.

Is it possible for JSF to prevent such tampering scenarios? (At least for disabled input fields, a submit should fail.)

Is there a built-in feature of JSF to prevent this issue, or should I provide a custom solution?

Upvotes: 1

Views: 295

Answers (1)

BlueMice

Reputation: 333

I have found the reason. Thanks to @BalusC! The reason is in the JSF implementation Apache MyFaces JSF 2.0.2.
From the source code of the decode() method here, we can see that the implementation does not determine whether the button is disabled or read-only before queueEvent(). This makes the tampering possible.

Upvotes: 1
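
One server-side guard for the gap described in the answer above, as an added example that is not part of the original post and is not MyFaces code: an application-level `ActionListener` that re-checks `disabled` and `readonly` on the postback before the action runs. The package and class name are hypothetical; the JSF types are the standard `javax.faces` API.

```java
// Added example. Package and class name are hypothetical.
package com.example.security;

import javax.faces.component.UIComponent;
import javax.faces.event.AbortProcessingException;
import javax.faces.event.ActionEvent;
import javax.faces.event.ActionListener;

/**
 * Decorates the default application ActionListener and drops action events
 * that come from a component whose disabled or readonly attribute is true
 * when the postback is processed.
 *
 * Register in faces-config.xml:
 *   <application>
 *     <action-listener>com.example.security.DisabledGuardActionListener</action-listener>
 *   </application>
 *
 * Scope: this guards the component's "action" method and the navigation that
 * follows it. Listeners attached with actionListener or f:actionListener are
 * invoked by the component itself before this class is called.
 */
public class DisabledGuardActionListener implements ActionListener {

    private final ActionListener delegate;

    // JSF passes the previously configured listener to this constructor.
    public DisabledGuardActionListener(ActionListener delegate) {
        this.delegate = delegate;
    }

    @Override
    public void processAction(ActionEvent event) throws AbortProcessingException {
        UIComponent source = event.getComponent();
        if (isTrue(source, "disabled") || isTrue(source, "readonly")) {
            // The browser submitted a button that the server still considers
            // disabled: ignore the event instead of invoking the action.
            return;
        }
        delegate.processAction(event);
    }

    // Attribute values may be a Boolean or a String depending on the component.
    private static boolean isTrue(UIComponent component, String name) {
        Object value = component.getAttributes().get(name);
        return value != null && Boolean.parseBoolean(value.toString());
    }
}
```

The `disabled` expression is evaluated again during the postback, so the bean state it depends on must be available in that request for the check to give the same answer as at render time.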
