jbonfardeci / ShockoutForms

SharePoint + Knockout MVVM forms - an InfoPath killer

Validation #22

Open leolorenzoluis opened 8 years ago

leolorenzoluis commented 8 years ago

How do you protect the form data from being hijacked at runtime if the SOAP and REST services don't perform server-side validation?

For example, the form is submitted and is now read-only. However, someone can manipulate the runtime and modify the data by just adding a breakpoint in save and changing the data, or bypass client-side validation?

jbonfardeci commented 8 years ago

All input elements are removed from the DOM in read-only mode, and you can’t add an HTML element with a data-bind attribute after Knockout has applied all bindings to the DOM. However, it is possible for a hacker to alter the Knockout view model, updating the value of one or more observables. This is also a problem with InfoPath forms in the browser.

The only methods I know of to mitigate such a scenario include:


jbonfardeci commented 8 years ago

You could also enforce check out for list items. For example, if the form is checked out to someone else, such as an approver, someone can’t modify their list items. You can also create a custom SharePoint permission level; I created one called “Read and Post” some years ago, which prevents users from deleting or editing list items. Also be sure to set up your list permissions correctly, giving non-approvers permission to only read and update their list items. Anyone with Manage Hierarchy and above can view and update all list items.

There are other ways to update list items with REST clients, as long as the user has permissions to

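The two replies above make one point between them: removing inputs from the DOM and running validation in the browser does not stop anyone who can mutate the Knockout view model, so the write has to be gated on the server (check-out, permission level, list permissions). The following is an added illustration, not ShockoutForms code and not Knockout: `observable()` is a minimal stand-in for `ko.observable` so the script runs without the library, `storedItems`, the `rules` table, the `Approver` role and the `CheckedOutTo` field are constructed for the example, and `serverUpdate` stands in for whatever runs on the server side of the REST call (in SharePoint that gate is the list permission level and check-out described in the second reply, not form script).

```javascript
// Added example: client-side read-only state versus a server-side gate.
// Stand-in for ko.observable: a getter/setter function holding one value.
function observable(initial) {
  let value = initial;
  const obs = function (v) {
    if (arguments.length) { value = v; return obs; }
    return value;
  };
  return obs;
}

// View model as the form would hold it once submitted. Because IsSubmitted is
// true, the form renders read-only and the input elements are gone from the DOM.
function makeViewModel() {
  return {
    Title: observable('Travel request'),
    Amount: observable(250),
    IsSubmitted: observable(true),
  };
}

// Client-side rule and the payload a save would post to the list item.
function clientValidate(vm) {
  const amount = vm.Amount();
  return Number.isFinite(amount) && amount > 0 && amount <= 1000;
}
function buildPayload(vm) {
  return { Title: vm.Title(), Amount: vm.Amount() };
}

// What a user does from the browser console or a breakpoint in save(): the DOM
// has no inputs, but the observables are plain functions and accept any value.
// If the breakpoint sits after validation, nothing re-checks the new value.
function tamper(vm) {
  vm.Amount(99999);
  return buildPayload(vm);
}

// Server side. Constructed sample item: submitted by alice, checked out to the
// approver. The server trusts only this record and the caller's identity,
// never the state the client claims to be in.
const storedItems = {
  7: { Id: 7, Title: 'Travel request', Amount: 250, Status: 'Submitted',
       Author: 'alice', CheckedOutTo: 'approver1' },
};
// Field rules re-run on the server; they must match (or exceed) the client rules.
const rules = {
  Amount: (v) => Number.isFinite(v) && v > 0 && v <= 1000,
};

function serverUpdate(itemId, payload, user) {
  const item = storedItems[itemId];
  if (!item) return { ok: false, reason: 'not found' };
  // Check-out enforcement: only the holder of the check-out may write.
  if (item.CheckedOutTo && item.CheckedOutTo !== user.name) {
    return { ok: false, reason: 'checked out to ' + item.CheckedOutTo };
  }
  // Submitted items are frozen for everyone without the approver role
  // (the "Read and Post" style permission level from the second reply).
  if (item.Status === 'Submitted' && !user.roles.includes('Approver')) {
    return { ok: false, reason: 'item is submitted' };
  }
  // Re-validate every field the client sent; client validation is only UX.
  for (const [field, check] of Object.entries(rules)) {
    if (field in payload && !check(payload[field])) {
      return { ok: false, reason: 'invalid ' + field };
    }
  }
  Object.assign(item, payload);
  return { ok: true, item: { ...item } };
}

// Walk-through: the submitter tampers with the view model and posts the result.
function demo() {
  const vm = makeViewModel();
  const clean = clientValidate(vm);                 // true
  const payload = tamper(vm);                       // { Title: ..., Amount: 99999 }
  const rejected = serverUpdate(7, payload, { name: 'alice', roles: ['Member'] });
  return { clean, payload, rejected };
}
```

The point of the walk-through is that `clientValidate` returning true earlier in the session proves nothing about the payload that eventually reaches the server; `serverUpdate` is where the decision has to be made, and it refuses the tampered write for a reason the client cannot influence (the item is checked out to someone else). Even the approver cannot push the out-of-range amount through, because the field rules run again on the server.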