Topic: It's possible for user to put some random values into restricted Date and Select

pavelpossiblep free asked 2 years ago

Expected behavior

When data-mdb-toggle="datepicker" is set on a date field and the user clicks it, the datepicker shows up. This is relatively convenient to use to restrict the user from putting in the wrong kinds of data (e.g. letters instead of digits etc.). It seems obvious that in this case most attempts to put wrong data in should be blocked.

Actual behavior

However, if you click and hold, you will be able to type in the field freely. Also, you can paste anything into this field from the clipboard using the same exploit.

A similar problem appears for Selects. If you put data-mdb-validation="true" on your Select, the caret appears when you click on it. This allows you to paste any data into the field without changing the selected option value, which leads to the user submitting incorrect data.

Here's a snippet I made. It also has the description of the problems.

UNNdev priority commented 2 years ago

You can not only paste in the Select, but using the context menu also insert emojis or delete text. :(

Grzegorz Bujański staff answered 2 years ago

Thanks for reporting this. We will fix it as soon as possible.
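Added example, not part of the thread and not MDB code: until the widgets are fixed, the receiving code can validate what the form actually submits instead of relying on the datepicker or Select to restrict input. It assumes the date arrives as dd/mm/yyyy text; the field names (date, plan, planText), the allowed date range and all function names are hypothetical.

```javascript
// Assumption: the date field is submitted as text in dd/mm/yyyy format.
const DATE_RE = /^(\d{2})\/(\d{2})\/(\d{4})$/;

// Returns a Date (UTC midnight) for a real calendar date, otherwise null.
function parseStrictDate(text) {
  if (typeof text !== 'string') return null;
  const m = DATE_RE.exec(text);
  if (!m) return null; // letters, emojis, pasted text
  const day = Number(m[1]), month = Number(m[2]), year = Number(m[3]);
  const d = new Date(Date.UTC(year, month - 1, day));
  // Date silently rolls 31/02 over into March; reject values that do not round-trip.
  if (d.getUTCFullYear() !== year || d.getUTCMonth() !== month - 1 ||
      d.getUTCDate() !== day) {
    return null;
  }
  return d;
}

// options: Map of submitted option value -> label displayed for that option.
function checkSelect(value, shownText, options) {
  if (!options.has(value)) return 'unknown option';
  // The case from the thread: visible text was edited, selected value was not.
  if (String(shownText ?? '').trim() !== options.get(value)) {
    return 'display does not match selection';
  }
  return null;
}

// fields: { date, plan, planText } as submitted. Returns {} when everything is valid.
function validateForm(fields, options, minDate, maxDate) {
  const errors = {};
  const d = parseStrictDate(fields.date);
  if (!d) errors.date = 'not a valid dd/mm/yyyy date';
  else if (d < minDate || d > maxDate) errors.date = 'date outside allowed range';
  const selectError = checkSelect(fields.plan, fields.planText, options);
  if (selectError) errors.plan = selectError;
  return errors;
}
```

The same checks belong on the server as well, since anything enforced only in the browser can be bypassed the way the thread describes.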

Specification of the issue

  • ForumUser: Free
  • Premium support: No
  • Technology: MDB Standard
  • MDB Version: MDB5 3.8.0
  • Device: any
  • Browser: any
  • OS: any
  • Provided sample code: No
  • Provided link: Yes