Is it legit to pass "hidden" data to server actions through readOnly and "display: none" inputs?
Answered
Northern Shoveler posted this in #help-forum
Northern ShovelerOP
Hi, I'm working on a renaming feature on my app, but to find the old project on the DB I need its old name. I couldn't find any way other than passing it via a hidden (display:none) and readOnly input. Then I manage the case of a user that changes the source code to modify that input, so I should be fine. Is there any other better way to do so?
Answered by B33fb0n3
you can do it like that, yea. Keep in mind, that the user can still change the input even if it's read only and invisible.
Another thing you might want to think about is if you have the data already somewhere, you can safely fetch it in your server action so you can trust that data
9 Replies
@Northern Shoveler Oh thanks!
Keep in mind, that there are still the mentioned security vulnerabilities
Northern ShovelerOP
Of using bind?
@Northern Shoveler Of using bind?
yea, even when you use .bind the value can still be changed by the client
Northern ShovelerOP
Okay, I think I'll opt to use a hidden input and handle the case of a user changing its value on the server action. Cause .bind doesn't seem to work in a simple way with useFormState either. Thanks a lot
@Northern Shoveler Okay, I think I'll opt to use a hidden input and handle the case of a user changing its value on the server action. Cause .bind doesn't seem to work in a simple way with useFormState either. Thanks a lot
yes, just keep that in mind, that the user is still able to change the stuff. If your initial issue is solved like that, please mark the most helpful message.
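The server-side handling discussed in this thread, as an added example that is not code from any participant or from Next.js: the hidden `oldName` field is treated as untrusted and every lookup is scoped to the user taken from the server-side session, so a tampered value can never reach another user's project. The `session` object, the in-memory `projects` array, the field names and the name pattern are assumptions made for illustration.

```javascript
// Constructed in-memory stand-in for the projects table (assumption).
const projects = [
  { ownerId: "alice", name: "alpha" },
  { ownerId: "bob", name: "beta" },
];

// Hypothetical helper: the lookup is always scoped to the session's user.
function findOwnedProject(userId, name) {
  return projects.find((p) => p.ownerId === userId && p.name === name);
}

// Core of a rename action. In Next.js this would be the body of an async
// "use server" function, with `session` read on the server from the auth
// cookie and never taken from the form.
function renameProject(session, formData) {
  if (!session?.userId) return { ok: false, error: "unauthenticated" };

  // Both values come from the browser. Hidden, readOnly or bound makes no
  // difference: treat them as client-controlled input.
  const oldName = String(formData.get("oldName") ?? "");
  const newName = String(formData.get("newName") ?? "").trim();

  // Constructed validation rule: 1-64 word characters or hyphens.
  if (!/^[\w-]{1,64}$/.test(newName)) {
    return { ok: false, error: "invalid name" };
  }

  // A tampered oldName can only ever match one of the caller's own projects.
  const project = findOwnedProject(session.userId, oldName);
  if (!project) return { ok: false, error: "not found" };

  // Refuse a rename that would collide with another project of the same user.
  if (findOwnedProject(session.userId, newName)) {
    return { ok: false, error: "name taken" };
  }

  project.name = newName;
  return { ok: true, name: project.name };
}
```

Returning the same "not found" result for a missing project and for someone else's project avoids confirming which names other users have.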