LiveView security regarding phx-value-xxx attributes

Hello,

What is the best way to enforce security when using LiveView? Right now, a user is able to modify the DOM phx-xxx attributes by simply using developer tools and, as a consequence, may trigger some unwanted (and potentially very dangerous) effects server side.

It seems to me right now that I must recheck (post tag generation) in every handle_event call that the action is really permitted for the socket asking for it.

Is there something I missed that I can use? I really would like this to be enforced by the system so as to be more reliable.
TIA,
Sébastien

1 Like

This is always true of untrusted data. The same was true of regular forms too: users can change ids, attributes, whatever they want. This is why cast, for example, takes an explicit list of attributes that are allowed to be modified. There are some classic security issues when you can edit any attribute: users can just add, say, profile[admin] value="true" to their form or whatever.

Basically, the only trusted value on the page is the session, since that is signed and encrypted. Everything else you get should be considered untrusted and validated, just like any other HTML form or API parameter.

6 Likes
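The check described in the reply above, as an added example that is not part of the original thread: a callback with the shape of LiveView's handle_event/3 that treats the phx-value-id parameter as untrusted and authorizes it against the user taken from the session. It is plain Elixir with no Phoenix dependency; the module name PostLive, the sample posts, the authorize/3 and put_flash/3 helpers and the map used as a socket are all assumptions made for illustration.

```elixir
defmodule PostLive do
  # Constructed sample data standing in for a database table (assumption).
  @posts %{
    1 => %{id: 1, owner_id: 10, title: "Alice's post"},
    2 => %{id: 2, owner_id: 20, title: "Bob's post"}
  }

  # Same shape as a LiveView handle_event/3 callback. `params` is built from
  # phx-value-* attributes, so the client controls every key and value in it.
  def handle_event("delete", params, socket) do
    # current_user is assumed to have been assigned at mount from the signed
    # session, which makes it the only trusted input here.
    user = socket.assigns.current_user

    with {:ok, id} <- parse_id(params["id"]),
         {:ok, post} <- Map.fetch(@posts, id),
         :ok <- authorize(user, :delete, post) do
      {:noreply, put_flash(socket, :info, "deleted post #{post.id}")}
    else
      # One reply for "malformed", "not found" and "not yours", so the
      # response does not reveal which ids exist.
      _ -> {:noreply, put_flash(socket, :error, "not allowed")}
    end
  end

  # Accept only a positive integer with no trailing characters.
  defp parse_id(value) when is_binary(value) do
    case Integer.parse(value) do
      {id, ""} when id > 0 -> {:ok, id}
      _ -> :error
    end
  end

  defp parse_id(_), do: :error

  # Hypothetical policy: only the owner may delete a post.
  defp authorize(%{id: uid}, :delete, %{owner_id: uid}), do: :ok
  defp authorize(_user, _action, _post), do: :error

  # Stand-in for Phoenix.LiveView.put_flash/3 on the map-based socket.
  defp put_flash(socket, kind, msg), do: put_in(socket, [:assigns, :flash], {kind, msg})
end

# A map standing in for the LiveView socket; user 10 owns post 1 only.
socket = %{assigns: %{current_user: %{id: 10}}}

# The second and later ids are what an edited phx-value-id could send.
for id <- ["1", "2", "2abc", nil] do
  {:noreply, s} = PostLive.handle_event("delete", %{"id" => id}, socket)
  IO.inspect({id, s.assigns.flash})
end
```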

Yes, I understand that form data is untrusted content.
But I see phx-xxx attributes a bit differently, as I see them more like function calls than form data.

So I think an option to encrypt in some way LiveView callback attributes and events would be really cool.

I’m coming from Erlang’s n2o framework where this is possible. I find the programming model of LiveView risky on that part, as it is really easy for a programmer to miss some fake values / checks.

But maybe I’m trying to push it to boundaries that LiveView is not really designed for.

Sébastien.

1 Like