Hi,
If a disabled drop-down list is dynamically rendered to the page, it is still possible to use Firebug, or another tool, to tamper with the submitted value, and to remove the "disabled" HTML attribute. This code:
protected override void OnLoad(EventArgs e) {
var ddlTest = new DropDownList() {ID="ddlTest", Enabled = false};
ddlTest.Items.AddRange(new [] { new ListItem("Please select", ""), new ListItem("test 1", "1"), new ListItem("test 2", "2") });
Controls.Add(ddlTest);
}
results in this HTML being rendered:
<select disabled="disabled" id="Properties_ddlTest" name="Properties$ddlTest">
<option value="" selected="selected">Please select</option>
<option value="1">test 1</option>
<option value="2">test 2</option>
</select>
The problem occurs when I use Firebug to remove the "disabled" attribute, and to change the selected option.
On submission of the form, and re-creation of the field, the newly generated control has the correct value by the end of OnLoad, but by OnPreRender, it has assumed the identity of the submitted control and has been given the submitted form value.
.NET seems to have no way of detecting the fact that the field was originally created in a disabled state and that the submitted value was faked. This is understandable, as there could be legitimate, client-side functionality that would allow the disabled attribute to be removed.
Is there some way, other than a brute force approach, of detecting that this field's value should not have been changed?
I see the brute force approach as being something crap, like saving the correct value somewhere while still in OnLoad, and restoring the value in the OnPreRender. As some fields have dependencies on others, that would be unacceptable to me.