Is validation in Blazor EditForm secure? For example, if a Required attribute is applied to an InputText field, a hacker can't bypass this and send invalid text to the server? And what about InputSelect or select items? Are all items in a select list validated so that an out-of-range value can't be sent to the server? Mostly in Blazor Server side.
1 Answer
I don't think validation has got anything to do with security? It's all about UI fluidity and efficiency. Security checks should be performed on the server, not on the client side (of a WebAssembly Blazor App or a Server Blazor App).
By using the Required attribute you "force" a user to enter a value, we may also force the user to provide a given kind of value, such as a value made of numeric characters; and a hacker might alter these values, just as he might do in JavaScript, which is why security validation is performed on the server, not on the client...
Should I validate again in the HandleValidSubmit (Edit form's submit event), Even in Blazor Server side?
No, you shouldn't. If the HandleValidSubmit method is executed, that means that your specific model passed validation. Why validate it once more? But, I know where this question stems from... and you are right in asking that: Though your model has passed validation, it may be altered by a hacker on the way to the database, whether you use client-side Blazor or Server-side Blazor. The difference between client-side Blazor and server-side Blazor in this regard is that when you use the first, validation of the model is performed, as I've mentioned before, for fluidity's sake only, for instance, not allowing the user to enter text such as sixty for his age, but 60. Now, without using and enforcing this constraint, code somewhere on the server may raise an exception. To be sure, your database is supposed to throw an error because it expects to get a numeric value, not a string value. To prevent this shuttle from server to client, we use model validation, just like in Razor Pages Apps and MVC Apps, in which validation is performed both on the client and on the server. Incidentally, when you add a hosted WebAssembly Blazor App, a solution with three folders is created for you. One is named Shared, and it should contain your model. It is called Shared because it is used by both the client and the server side of the WebAssembly Blazor App.
When you use the second (I'm talking about the difference), however, your code is always executed on the server, and only HTML diffs are passed to the SignalR client of your server-side Blazor app, and it, the SignalR client, applies the HTML diff data to the HTML elements.
Generally speaking, there is not really any difference between Razor Pages Apps and MVC Apps and the two flavors of Blazor. Client-side validation is for ease of use and efficiency; server-side validation is for enforcing that validation rules are adhered to.
Should I validate again in the HandleValidSubmit
Incidentally, sometimes you may need to use, say, validation that should be performed on the server, in addition to the validation performed by the validation attributes... in that case, you can implement this additional validation in a handler method you'll have to add to the OnSubmit attribute of the EditForm component.
Hope this helps...
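As an added example (not code from the question or the answer), the following shows the answer's point in code: the DataAnnotations rules on a shared model are re-run on the server with Validator.TryValidateObject, and the InputSelect value is checked against a server-held list of allowed options, because the browser only renders the options and does not prove the submitted value is one of them. PersonModel, AllowedCountries and ServerValidation are assumed names; the tampered submission at the bottom is a constructed sample.

```csharp
using System;
using System.Collections.Generic;
using System.ComponentModel.DataAnnotations;
using System.Linq;

// Shared model (in a hosted WebAssembly solution this lives in the Shared project).
public class PersonModel
{
    [Required, StringLength(50)]
    public string Name { get; set; } = "";

    [Range(1, 120)]
    public int Age { get; set; }

    // Bound to an InputSelect in the UI; membership in the option list is NOT enforced by the client.
    [Required]
    public string Country { get; set; } = "";
}

// Server-side guard, called from the service/repository layer that the submit handler reaches,
// so it runs on the server regardless of what the client sent.
public static class ServerValidation
{
    // Source of truth for the select options lives on the server (assumed values).
    public static readonly HashSet<string> AllowedCountries =
        new(StringComparer.Ordinal) { "DE", "FR", "NL" };

    public static IReadOnlyList<string> Validate(PersonModel model)
    {
        var errors = new List<string>();

        // Re-run the DataAnnotations rules ([Required], [StringLength], [Range]) on the server.
        var results = new List<ValidationResult>();
        var ctx = new ValidationContext(model);
        if (!Validator.TryValidateObject(model, ctx, results, validateAllProperties: true))
            errors.AddRange(results.Select(r => r.ErrorMessage ?? "invalid"));

        // Membership check that an InputSelect cannot enforce by itself.
        if (!AllowedCountries.Contains(model.Country))
            errors.Add($"Country '{model.Country}' is not an allowed option.");

        return errors;
    }

    public static void Main()
    {
        // Constructed sample of a tampered submission: age out of range, country not in the list.
        var tampered = new PersonModel { Name = "Alice", Age = 999, Country = "ZZ" };
        foreach (var error in Validate(tampered))
            Console.WriteLine(error);
    }
}
```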