Trick a disabled <p:inputText element

[alexanderdm]

I have a web application that uses JSF 2.2, PrimeFaces 12 and Sapphire 5.1. It runs on Wildfly 17 and 21.
I would like to test now if it is possible for a user to trick a disabled <p:inputText field in that he / she opens the HTML page in a browser, navigates to the disabled field, edits it and sends a HTML request to the server with the edited element.

Initially, we have the follwoing structure of the input field:

<input id="resultsFormId:firstNameId0persDaten" name="resultsFormId:firstNameId0persDaten" type="text" value="Trio" class="ui-inputfield ui-inputtext ui-widget ui-state-default ui-corner-all ui-state-disabled ui-state-filled" disabled="disabled" autocomplete="off" role="textbox" aria-disabled="true" aria-readonly="false">

Then, the user deletes the attributes:
disabled="disabled"
aria-disabled="true"

as well as the css class ui-state-disabled.

As a result of this, the user is able to change the value of the element from "Trio" to, for example, "Trio_XYZ". This works ok, but as long as the user presses the OK button and the form is submitted to the server, no change of the value of the element happens in the back-end.
In fact, the setter method of the bean is not being called at all.
Is this a feature or a bug? Is it possible to Trick a disabled <p:inputText element at all?

Thank you and kind regards,
Alex

[mert.sincan]

Hi Alex,

It is not possible. Our server-side code;

Code: Select all

public class InputTextRenderer extends InputRenderer {

    @Override
    public void decode(FacesContext context, UIComponent component) {
        InputText inputText = (InputText) component;

        if (!shouldDecode(inputText)) {
            return;
        }
        ...

Code: Select all

...
protected boolean shouldDecode(UIInput component) {
        return !isDisabled(component) && !isReadOnly(component);
    }

Best Regards,