0

Please help me. In my application I will have enabled and disabled fields depending on conditions, but when I press F12 I am able to edit the disabled fields as well. So I have implemented a small hack kind of implementation, but I am not sure if it is a better approach. Please suggest any better approach.

<%@ taglib uri="/struts-tags" prefix="s"%>
<!DOCTYPE html>
<html lang="en">
<head>
    <meta charset="utf-8">
    <title>Profile</title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <script src="https://ajax.googleapis.com/ajax/libs/jquery/1.10.2/jquery.min.js"></script>
    <link href="http://netdna.bootstrapcdn.com/bootstrap/3.1.0/css/bootstrap.min.css" rel="stylesheet">
    <style type="text/css">                                                                    
    </style>

    <script>
    function divFunction(user){
        event.preventDefault();   
        $.ajax({
            type: 'POST',
            url:'publicProfile.action?userNbk='+user,
            dataType: 'text',
            success: function(data){
                var obj = jQuery.parseJSON(data);
                document.getElementById("userNameHeader").innerHTML = obj.articleUserName;
                document.getElementById("publicEmail").innerHTML = obj.articleUserEmail;
                document.getElementById("publicNbk").innerHTML = obj.articleUserNbk;
                document.getElementById("publicPid").innerHTML = obj.articleUserPersonId;
                document.getElementById("publicGender").innerHTML = obj.articleUserGender;
                document.getElementById("publicJob").innerHTML = obj.articleUserOccupation;
                document.getElementById("publicAddress").innerHTML = obj.articleUserAddress;
                document.getElementById("publicIntrests").innerHTML = obj.articleUserIntrests;
           }}); 
    }
    </script>
    <script type="text/javascript">

    // Guess whether dev tools are open: with them open, `debugger` pauses
    // execution, so the time measured across it exceeds 10 ms.
    function isConsoleOpen() {
        alert("hello");
        var startTime = new Date();
        debugger;
        var endTime = new Date();
        return endTime - startTime > 10;
    }

    $(document).ready(function() {
        alert("helo");
        if (isConsoleOpen()) {
            /* alert("You're one sneaky dude, aren't you ?") */
            document.getElementById("aaaaaa").innerHTML = "You're one sneaky dude, aren't you ?";
        }
    });

    $(document).keydown(function(event) {
        if (event.keyCode == 123) {
            return false;  // Block F12
        }
        else if (event.ctrlKey && event.shiftKey && event.keyCode == 73) {
            return false;  // Prevent from ctrl+shift+i
        }
    });

    // Disable the right-click context menu
    $(document).bind("contextmenu", function(e) {
        e.preventDefault();
    });

    </script>
</head>
<body>
<div id="aaaaaa">
    <form>
        <input type="text" disabled="disabled">
        <input type="text" disabled="disabled">
        <input type="text" disabled="disabled">
        <input type="text" disabled="disabled">
    </form>
</div>
</body>
</html>
abhishek varma
  • _“I have implemented a small hack kind of implementation”_ — Please [edit] your question and explain what your hack actually is and what it does. “Better” in what sense? You could maybe attach a `click` listener to the element which changes a local variable in some function reflecting the state of it. That variable is then used for whatever you need. If that function is inaccessible from outside, you might get close to preventing those things. – Sebastian Simon Feb 17 '17 at 02:49
  • 4
    Always use server-side validation. You can't stop users from using browser dev tools, or from bypassing the browser entirely and calling your URL from some other tool. (Also, testing whether the console is open at the moment the page loads doesn't tell you anything useful.) – nnnnnn Feb 17 '17 at 02:56

2 Answers

14

To specifically answer your question, there is no way to keep users from editing your disabled fields. It is impossible to keep users from viewing and editing your HTML.

The only thing you can do to truly take care of this issue is to use server-side validation. If there is a field you don't want text passed into, you're just going to have to set up some kind of validation on the server side to not process the data from that field. Unfortunately, that's just a part of web development.

Creating "hacky" solutions is not a good idea. It leads to unmanageable code, and in this case, it does not even solve the issue.

In fact, (and yes this is opinion-based) I would even say it encourages people to mess with your fields, because if I were hunting around in your code and I saw you trying to keep me out, the first thing I'm going to do is try to get around your hacky block. And 100 times out of 100, I'm going to succeed.

Kyle Martin
10

Preventing HTML from being seen and/or edited is impossible.

  • 10
    Ultimately, it does. `How to hide HTML from F12 & inspect element, users should not be able to edit my disabled fields` - It can't be done. See: http://stackoverflow.com/a/24319844 – comesuccingfuccslot Feb 17 '17 at 02:54
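
The server-side validation recommended in the answer and comments above, as an added example that is not part of the original thread: the server recomputes which fields are editable from its own session state and ignores everything else in the request. The field names, the `role` attribute and the `editableFields` rule are assumptions for illustration, written as framework-neutral JavaScript rather than Struts code.

```javascript
// Added example (hypothetical names throughout): the server, not the page,
// decides which profile fields a request may change.
const KNOWN_FIELDS = ["email", "gender", "address", "interests"];

// Which fields this user may edit, derived from trusted session state.
// This mirrors the condition the page uses to enable/disable inputs.
function editableFields(session) {
  const fields = new Set(["address", "interests"]);
  if (session.role === "admin") fields.add("email");
  return fields;
}

// Apply a submitted form to the stored record.
// Browsers never submit disabled inputs, so a value arriving for a
// read-only field means the form was edited or the request hand-built.
// Such values are dropped and reported for logging; the rest are validated.
function applyProfileUpdate(session, stored, submitted) {
  const allowed = editableFields(session);
  const updated = { ...stored };
  const rejected = [];
  for (const [name, value] of Object.entries(submitted)) {
    if (!KNOWN_FIELDS.includes(name) || !allowed.has(name)) {
      rejected.push(name);          // unknown or read-only field
      continue;
    }
    if (typeof value !== "string" || value.length > 200) {
      rejected.push(name);          // wrong type or oversized value
      continue;
    }
    updated[name] = value.trim();
  }
  return { updated, rejected };
}

// Constructed sample: a non-admin re-enables the "email" input in dev tools
// and submits a new value for it along with a legitimate address change.
const session = { userId: "u1", role: "member" };
const stored = { email: "a@example.com", gender: "F",
                 address: "Old St", interests: "chess" };
const submitted = { email: "changed@example.com", address: " New St " };

const result = applyProfileUpdate(session, stored, submitted);
console.log("rejected fields:", result.rejected);
console.log("record to save:", result.updated);
```

With this check in place the `disabled` attribute is only a display hint; the entries in `rejected` are worth logging because normal browser use never produces them.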