Don’t Rely On A Disabled Button

Most of us have probably done it. A web page, some fields, and a button. The button is disabled until you fill-out/select the required fields.

Here is our disabled button:

But, how disabled is it?

Well, as it turns out, not very.

I’m assuming that if you’re reading this you’ll have Firefox with Firebug installed (even if you don’t use it all that much). Either that or you’ll have IE with the developer toolbar. Either way, hit F12 – this should bring it up.

However which way you can, navigate to the point in the DOM containing the ‘Click Me’ button.

You’ll then be able to delete the ‘disabled’ attribute, allowing you to click the button.

This is where some good server-side validation comes in handy. Never rely on JavaScript or HTML styles/attributes alone. They can always be circumvented. Server-side validation, broadly speaking, cannot!

Leave a Reply