Web Front-endHTML TutorialWatch Your Door - Client-side Data Transmission (10) - Unsafe HTML Disabled Elements_html/css_WEB-ITnose
First of all, it needs to be stated that this article is purely the ignorant opinion of a small developer without any vision or real knowledge, and is only for reference in web system security.
1. Brief explanation
Continuing to tell the story, one day the product manager planned a plan to conduct a promotion. A user can only use the egg coupon once at most.
Developers need to make modifications and adjustments to the system.
Let us imagine the scenario of Internet e-commerce in traditional industries:
Product manager: hurry up to change, hurry up, hurry up and start activities
Operation and maintenance manager: version upgrade, submit online evaluation report, risk test Reports, system test reports, documents signed by the responsible leaders...;
Developer A: Damn, I work from 9 o'clock in the morning to 9 o'clock in the evening, and I have to write so many reports, let me think about how good it is Method...
Developer B: Set restrictions on the html form and disable it after purchasing it once;
Developer A: This is a good method, as long as the html is modified, it does not count as a version upgrade;
Development Manager: Brother Everyone, hurry up and develop;
… (use html to disable elements)
Tester: The test is done. One person can only use the egg coupon once. After using it, it will be gray. I can’t use it anymore. It has reached Target.
Development Manager: Submit for online
…
2. Use HTML to disable elements
After using the page once, the button to confirm purchase is grayed out.
<%@ page language="java" import="java.util.*" pageEncoding="UTF-8"%><!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN"><html><head><title>看好你的门-阿饭同学 </title></head><body> <form action="aShopPrice.action" method="post" name="form1" " > 商品:鸡蛋 优惠券,只能使用一次<br> 您已经使用一次<br> <input type="submit" value="确认购买" disabled="true"/> </form></body></html>
No matter how I click, this button is gray.
3. Being attacked
Oh, I accidentally got attacked again...
1. The simplest method, such as using a proxy server to intercept and then modify it, directly let disabled= false or remove this attribute;
2. For example, let’s keep this page and use the element inspection function to find: disabled=true. Modify the element attributes and remove this code. In this way, the verification will be invalid. Use the egg coupons a few more times. Have some fun. .
4. Thinking about element disabling in HTML
1. Element disabling does not seem to be used much now, but as long as the server adopts the same or even stricter confirmation mechanism as the client, this application It is more difficult to be attacked;
2. Because user input may cause various problems, this method can filter out unintentional errors by users and reduce network traffic and server burden. Therefore, this method The method should still be used.
Beyond HTML: Essential Technologies for Web DevelopmentApr 26, 2025 am 12:04 AMTo build a website with powerful functions and good user experience, HTML alone is not enough. The following technology is also required: JavaScript gives web page dynamic and interactiveness, and real-time changes are achieved by operating DOM. CSS is responsible for the style and layout of the web page to improve aesthetics and user experience. Modern frameworks and libraries such as React, Vue.js and Angular improve development efficiency and code organization structure.
What are boolean attributes in HTML? Give some examples.Apr 25, 2025 am 12:01 AMBoolean attributes are special attributes in HTML that are activated without a value. 1. The Boolean attribute controls the behavior of the element by whether it exists or not, such as disabled disable the input box. 2.Their working principle is to change element behavior according to the existence of attributes when the browser parses. 3. The basic usage is to directly add attributes, and the advanced usage can be dynamically controlled through JavaScript. 4. Common mistakes are mistakenly thinking that values need to be set, and the correct writing method should be concise. 5. The best practice is to keep the code concise and use Boolean properties reasonably to optimize web page performance and user experience.
How can you validate your HTML code?Apr 24, 2025 am 12:04 AMHTML code can be cleaner with online validators, integrated tools and automated processes. 1) Use W3CMarkupValidationService to verify HTML code online. 2) Install and configure HTMLHint extension in VisualStudioCode for real-time verification. 3) Use HTMLTidy to automatically verify and clean HTML files in the construction process.
HTML vs. CSS and JavaScript: Comparing Web TechnologiesApr 23, 2025 am 12:05 AMHTML, CSS and JavaScript are the core technologies for building modern web pages: 1. HTML defines the web page structure, 2. CSS is responsible for the appearance of the web page, 3. JavaScript provides web page dynamics and interactivity, and they work together to create a website with a good user experience.
HTML as a Markup Language: Its Function and PurposeApr 22, 2025 am 12:02 AMThe function of HTML is to define the structure and content of a web page, and its purpose is to provide a standardized way to display information. 1) HTML organizes various parts of the web page through tags and attributes, such as titles and paragraphs. 2) It supports the separation of content and performance and improves maintenance efficiency. 3) HTML is extensible, allowing custom tags to enhance SEO.
The Future of HTML, CSS, and JavaScript: Web Development TrendsApr 19, 2025 am 12:02 AMThe future trends of HTML are semantics and web components, the future trends of CSS are CSS-in-JS and CSSHoudini, and the future trends of JavaScript are WebAssembly and Serverless. 1. HTML semantics improve accessibility and SEO effects, and Web components improve development efficiency, but attention should be paid to browser compatibility. 2. CSS-in-JS enhances style management flexibility but may increase file size. CSSHoudini allows direct operation of CSS rendering. 3.WebAssembly optimizes browser application performance but has a steep learning curve, and Serverless simplifies development but requires optimization of cold start problems.
HTML: The Structure, CSS: The Style, JavaScript: The BehaviorApr 18, 2025 am 12:09 AMThe roles of HTML, CSS and JavaScript in web development are: 1. HTML defines the web page structure, 2. CSS controls the web page style, and 3. JavaScript adds dynamic behavior. Together, they build the framework, aesthetics and interactivity of modern websites.
The Future of HTML: Evolution and Trends in Web DesignApr 17, 2025 am 12:12 AMThe future of HTML is full of infinite possibilities. 1) New features and standards will include more semantic tags and the popularity of WebComponents. 2) The web design trend will continue to develop towards responsive and accessible design. 3) Performance optimization will improve the user experience through responsive image loading and lazy loading technologies.
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
Video Face Swap
Swap faces in any video effortlessly with our completely free AI face swap tool!
Hot Article
Hot Tools
WebStorm Mac version
Useful JavaScript development tools
mPDF
mPDF is a PHP library that can generate PDF files from UTF-8 encoded HTML. The original author, Ian Back, wrote mPDF to output PDF files "on the fly" from his website and handle different languages. It is slower than original scripts like HTML2FPDF and produces larger files when using Unicode fonts, but supports CSS styles etc. and has a lot of enhancements. Supports almost all languages, including RTL (Arabic and Hebrew) and CJK (Chinese, Japanese and Korean). Supports nested block-level elements (such as P, DIV),
EditPlus Chinese cracked version
Small size, syntax highlighting, does not support code prompt function
DVWA
Damn Vulnerable Web App (DVWA) is a PHP/MySQL web application that is very vulnerable. Its main goals are to be an aid for security professionals to test their skills and tools in a legal environment, to help web developers better understand the process of securing web applications, and to help teachers/students teach/learn in a classroom environment Web application security. The goal of DVWA is to practice some of the most common web vulnerabilities through a simple and straightforward interface, with varying degrees of difficulty. Please note that this software
SublimeText3 English version
Recommended: Win version, supports code prompts!
