When disabled is not really disabled
While working on a current project, I noticed that unlike a disabled WinForms TextBox, a disabled web control TextBox can be enabled on the client side. The following command, when entered in the web browser's address field, will cause a TextBox named “txtBox1” enclosed inside a Form “Form1” to be enabled.
javascript:void(document.Form1.txtBox1.disabled = false)
To fix this, I wrote custom controls that inherit from TextBox, DropDownList, etc.
When my custom TextBox is disabled, the control is not rendered but the text for that control is rendered in place. The same applies to my custom DropDownList...if it is disabled, only the selected item is displayed as text.
This, combined with the Viewstate MAC, SSL, and Forms Auth, should prevent users from messing with disabled controls. I have also added a check in case someone tried to spoof the postback.
Here are the key methods of the control (I have stripped out other things):
protected override void Render(HtmlTextWriter writer)
{
    if (base.Enabled)
    {
        base.Render(writer);
    }
    else
    {
        // Disabled: render the text only, with no <input> element.
        // HTML-encode it so markup in the value is not interpreted by the browser.
        writer.Write(System.Web.HttpUtility.HtmlEncode(base.Text));
    }
}

// In case someone tried to spoof a postback of the control
public bool LoadPostData(string postDataKey,
    System.Collections.Specialized.NameValueCollection postCollection)
{
    string presentValue = base.Text;
    string postedValue = postCollection[postDataKey];
    if (base.Enabled)
    {
        // Enabled: accept the posted value and report whether it changed.
        if (!presentValue.Equals(postedValue))
        {
            base.Text = postedValue;
            return true;
        }
        return false;
    }
    else
    {
        // Disabled: ignore whatever was posted and keep the server-side text.
        return false;
    }
}
This also gives the user a clear idea of which fields are editable.
Please feel free to post feedback on this method.
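The post describes a matching DropDownList control but does not show it. The following is an added sketch of how one could look, not the author's code: the class name is hypothetical, and it assumes ASP.NET 2.0 or later, where DropDownList exposes an overridable LoadPostData.

```csharp
using System.Collections.Specialized;
using System.Web.UI;
using System.Web.UI.WebControls;

// Hypothetical companion control; the class name is an assumption.
public class TextWhenDisabledDropDownList : DropDownList
{
    protected override void Render(HtmlTextWriter writer)
    {
        if (Enabled)
        {
            base.Render(writer);
            return;
        }
        // Disabled: emit no <select>, only the selected item's text.
        // SelectedItem is null when the list has no items.
        ListItem selected = SelectedItem;
        if (selected != null)
        {
            writer.WriteEncodedText(selected.Text);
        }
    }

    protected override bool LoadPostData(string postDataKey,
        NameValueCollection postCollection)
    {
        if (!Enabled)
        {
            // No <select> was rendered, so any value posted under this
            // control's name was forged. Keep the server-side selection.
            return false;
        }

        string posted = postCollection[postDataKey];
        // Accept only a value that is one of the server-side items.
        if (posted == null || Items.FindByValue(posted) == null)
        {
            return false;
        }
        return base.LoadPostData(postDataKey, postCollection);
    }
}
```

On a postback the Enabled value tested in LoadPostData is the one restored from view state, so the check is only as trustworthy as the view state itself, which is where the Viewstate MAC comes in.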