When disabled is not really disabled
While working on a current project, I noticed that unlike a disabled WinForms TextBox, a disabled web control TextBox can be enabled on the client side. The following command, when entered in the web browser's address field, will cause a TextBox named “txtBox1” enclosed inside a Form “Form1” to be enabled.
javascript:void(document.Form1.txtBox1.disabled = false)
To fix this, I wrote custom controls that inherit from TextBox, DropDownList, etc.
When my custom TextBox is disabled, the control is not rendered but the text for that control is rendered in its place. The same applies to my custom DropDownList: if it is disabled, only the selected item is displayed as text.
This, combined with the ViewState MAC, SSL and Forms Auth, should prevent users from messing with disabled controls. I have also added a check in case someone tries to spoof the postback.
Here are the key methods of the control (I have stripped out other things):
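protected override void Render(HtmlTextWriter writer)
{
    if (base.Enabled)
    {
        base.Render(writer);
    }
    else
    {
        // Disabled: emit the value as HTML-encoded text instead of an input
        // element, so there is nothing on the client to re-enable and any
        // markup stored in the value is shown as text rather than interpreted.
        writer.Write(System.Web.HttpUtility.HtmlEncode(base.Text));
    }
}

// In case someone tries to spoof a postback of the control
public bool LoadPostData(string postDataKey,
    System.Collections.Specialized.NameValueCollection postCollection)
{
    string presentValue = base.Text;
    string postedValue = postCollection[postDataKey];
    if (base.Enabled)
    {
        // Enabled: accept the posted value and report whether it changed
        if (!presentValue.Equals(postedValue))
        {
            base.Text = postedValue;
            return true;
        }
        return false;
    }
    else
    {
        // Disabled: ignore whatever was posted for this control
        return false;
    }
}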
This also gives the user a clear idea of which fields are editable.
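The same rule applied to a whole form rather than a single control, as an added example that is not part of the original post: the server's own record of which fields are enabled decides what a postback may change, and any value posted for a disabled field is kept out and reported. The Field and PostBackGuard types and the sample values are assumptions made for this illustration; the code uses only the .NET base class library, not the ASP.NET control pipeline.

```csharp
using System;
using System.Collections.Generic;
using System.Collections.Specialized;

// Server-side view of one form field. The Enabled flag is held by the server
// (for example in MAC-protected view state) and is never read from the request.
class Field
{
    public string Name;
    public string Value;
    public bool Enabled;
    public Field(string name, string value, bool enabled)
    { Name = name; Value = value; Enabled = enabled; }
}

static class PostBackGuard
{
    // Applies posted values to enabled fields only and returns the names of
    // disabled fields that appeared in the request. Browsers do not submit
    // disabled controls, so any posted value for one is suspect.
    public static List<string> Apply(IEnumerable<Field> fields, NameValueCollection posted)
    {
        List<string> rejected = new List<string>();
        foreach (Field f in fields)
        {
            string postedValue = posted[f.Name];
            if (postedValue == null) continue;     // field absent from the POST
            if (f.Enabled) f.Value = postedValue;  // normal edit
            else rejected.Add(f.Name);             // server-side value is kept
        }
        return rejected;
    }
}

static class Program
{
    static void Main()
    {
        List<Field> fields = new List<Field>();
        fields.Add(new Field("txtBox1", "100.00", false)); // rendered as disabled
        fields.Add(new Field("txtNote", "", true));
        // Constructed sample POST body: txtBox1 was re-enabled in the browser.
        NameValueCollection posted = new NameValueCollection();
        posted.Add("txtBox1", "0.01");
        posted.Add("txtNote", "please expedite");

        List<string> rejected = PostBackGuard.Apply(fields, posted);
        foreach (Field f in fields) Console.WriteLine("{0} = {1}", f.Name, f.Value);
        Console.WriteLine("Rejected: {0}", string.Join(", ", rejected.ToArray()));
    }
}
```

The returned list is the natural place to hook logging or to reject the whole request, since a legitimate browser session never produces an entry in it.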
Please feel free to post feedback on this method.