• 0

HTML data-* security


Question

I have a question about the security of the data-* attributes in HTML.  Lets say we have some AJAX function that uses a product ID of an item.  I am trying to keep my javascript separate from my HTML.  So I would do something like this:

<a href="Product.aspx?id=7" class="select_product" data-productid="7">Product Name</a>

With jQuery, I would then do this:

$("a.select_product").click(function(e){
     e.preventDefault();

     var id = $(this).data("productid");

     //validate if ID is an integer
     if(isInt(id)){
          //call AJAX function
     }
});

So I validate the user input, but how can I validate that the specific product has that valid ID?  What is preventing somebody from using one of the many developer tools and changing data-productid to 8 or some other integer?

Link to comment
https://www.neowin.net/forum/topic/1218851-html-data-security/
Share on other sites

6 answers to this question

Recommended Posts

  • 0

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object. so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
 
var id = $(this).data("productid");
 
$(this).click(function(e){     
e.preventDefault();
     
     //validate if ID is an 
integer     
if(isInt(id)){          //call 
AJAX function     }});
 
});

Would this work...?

  • 0

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory forms fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain ID's, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchase, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

  • Like 1
  • 0
  On 21/06/2014 at 15:34, lunamonkey said:

Nothing is stopping them. What you could do is set the function onload and have the variable set "in memory" on the object. so that the click doesn't re-run and check the variable attribute again.

 

run this on ready.....

$("a.select_product").each(function(){
 
var id = $(this).data("productid");
 
$(this).click(function(e){     
e.preventDefault();
     
     //validate if ID is an 
integer     
if(isInt(id)){          //call 
AJAX function     }});
 
});

Would this work...?

 

Work to stop me from modifying the javascript/jQuery in the page and getting a different ID sent to the server via AJAX? No! I could always save an offline copy of the webpage to my computer, modify the code, open it in my browser and submit the form / AJAX request / whatever.

  • 0

There's no way to prevent someone from changing values clientside, you could set the id in a database server side before you sent the page and after the user clicks the href you can check that value with the server side value.

  • 0
  On 21/06/2014 at 15:35, theblazingangel said:

Nothing is preventing a user from modifying things. This is why you must always validate things as necessary server-side. Any and all client-side validation should be considered to be just a nice enhancement - it can take some of the strain off the server by catching some of the most common invalid inputs in form fields, such as mandatory forms fields being left blank, and it can also potentially enhance the usability of the page, the most obvious aspect being through cutting out unnecessary page reloading.

 

Regarding your example, where a user is clicking on a product, perhaps to purchase it, and you may be worried that they could change the ID of the product they purchase; you need to implement security checks in the server-side code to prevent them doing something they shouldn't be allowed to do. If they're only allowed to purchase products with certain ID's, check the supplied ID is on that list of allowed IDs for that user. Do not submit the price of the item they are purchasing to the server via AJAX, get it from your database, and get it based on the supplied ID of the item being purchase, don't make any assumptions if there are any to be made.

 

Be mindful to not try and take things unnecessarily too far though; if a user does have the ability to change the ID of the product they are purchasing, as long as they are allowed to purchase that item, and you retrieve the correct price for it, etc, it doesn't matter. You don't need to waste time trying to block the odd rare person from doing so.

 

With that said, you should perhaps consider implementing CSRF protection, which could significantly help bolster the security for things like this.

 

Yeah of course the AJAX function will just retrieve the price and other stats from the database.  The only thing it will send is the ID of the product, everything else will be retrieved from the server side (if it is in stock, price, ...).  I guess it really doesn't matter.  They can use developer tools to modify the href attribute too.

 

Thanks!

This topic is now closed to further replies.
  • Posts

    • New Outlook for Windows gets a major boost with June 2025 Update by Pradeep Viswanathan Despite widespread criticism, Microsoft has remained focused on replacing the classic Outlook for Windows with the new web-based Outlook app for everyone. Every month, Microsoft releases updates to the new Outlook app based on user feedback. Today, Microsoft released the June 2025 update for Outlook for Windows with several improvements, including some of the most requested features by Outlook users. With this latest update, Microsoft has improved support for .pst (Outlook Data File) files. You can now reply to and forward emails in a stored .pst file. Microsoft is also working on further improving support for .pst files in the new Outlook for Windows. If you're using the new Outlook app with your personal Microsoft account that has access to Copilot Pro or AI credits through a Microsoft 365 Personal or Family subscription, Copilot features will now be available even for other personal email accounts configured in the Outlook app. This Copilot sharing feature works with email addresses such as Outlook.com, Hotmail.com, Live.com, MSN.com, and third-party providers like Gmail, Yahoo, and iCloud. Microsoft has also added the ability to easily move emails between personal accounts. This feature is disabled by default for enterprise users, but admins can enable it if needed. With this update, Microsoft has increased the default mail sync window in offline mode from 7 days to 30 days. Additionally, you can now access search folders and cancel an email after selecting Send in offline mode. This new update also brings email coaching support through Copilot. Copilot can now suggest adjustments to tone, clarity, and reader sentiment before you hit Send. If you are annoyed with Copilot, you can now disable Copilot completely by going to the Copilot > Copilot control page in the Settings window. In this release, Microsoft has added the ability to add shared folders to your Favorites, making it easier to access content directly from the Favorites list. Finally, an "External" tag will be added to external contact suggestions that appear in the dropdown menu when entering contacts in the email compose form, helping you distinguish between your organization's and external contacts.
    • "give" I believe he will give loans and drown the countries in debt
    • Minor Problems over the years with Windows 11 Pro on my original Intel 10700 Desktop i was using and not many problems on my Newer AMD Ryzen 7 7700X. Overall Windows 11 works extremely well, if don't do too many modifications, and do the regular security updates, and keep 3rd party apps up to date, and users shouldn't have any issues, and if a user does, should be a minor little issue that is easily fixable My goal is to have the 2 remaining household systems replaced for Windows 11 Compatible machines, hopefully by early September if not sooner.
    • Bill Gates says he'll donate 99 percent of his wealth to Africa by Hamid Ganji Microsoft co-founder and tech billionaire Bill Gates has pledged to donate a significant chunk of his personal wealth to African countries. As reported by the BBC, Gates's funding will be spent on improving health and education infrastructure in Africa over the next twenty years. The Gates Foundation has played an active role in improving public health and education in Africa over the past decades. Bill Gates aims to double down on that effort by donating most of his fortune to Africa. Last month, he also said that 99% of his fortune, which could exceed $200 billion, will go to African countries by 2045. Speaking at the African Union (AU) headquarters in Ethiopia's capital, Addis Ababa, Gates said, "By unleashing human potential through health and education, every country in Africa should be on a path to prosperity." The tech billionaire also told young African innovators to start relying on AI to improve health and education in their countries and use the technology to benefit the entire continent. He introduced Rwanda as a successful example of using AI in healthcare to identify high-risk pregnancies. "Africa largely skipped traditional banking and now you have a chance, as you build your next generation healthcare systems, to think about how AI is built into that," Gates added. By donating 99 percent of his personal fortune by 2045, Bill Gates can still maintain his position as one of the richest people on earth. According to Bloomberg, Gates's current net worth is around $175 billion. Gates's decision to donate 99 percent of his wealth to Africa came after the US administration cut USAID funding to African countries following the DOGE investigations. In a recent interview with the New York Times, Bill Gates called out Elon Musk for cutting the USAID budget, saying Musk has a role in the death of the poorest children on earth.
  • Recent Achievements

    • Week One Done
      Adam Todd earned a badge
      Week One Done
    • Contributor
      Ed B went up a rank
      Contributor
    • One Month Later
      moporcho earned a badge
      One Month Later
    • One Month Later
      Parotel earned a badge
      One Month Later
    • Reacting Well
      Cryptecks earned a badge
      Reacting Well
  • Popular Contributors

    1. 1
      +primortal
      202
    2. 2
      snowy owl
      146
    3. 3
      ATLien_0
      134
    4. 4
      Xenon
      120
    5. 5
      +FloatingFatMan
      113
  • Tell a friend

    Love Neowin? Tell a friend!