
Is it safe to use “readonly” elements in the form of ejs template?

I would like to know if any script with readonly elements is editable through bypassing. I'm practicing with an EJS template where I used the below script. People suggested to me not to go with this approach and mentioned it might not be secure.

For instance;

    <%# the attribute value is quoted so that a name containing spaces or other special characters stays inside the value attribute %>
    <input
      type="text"
      id="name"
      name="name"
      class="form-control"
      value="<%= name %>"
      readonly/>

The name in the value will be the default value from the database. Is it possible for any malicious actors to edit the name even if it is non-editable? Or, if I use disabled elements, how could I make the value posted to the database? I would like to know if there is any workaround.

Could you please advise? Thanks.

Yes, if you send values directly from this input, the user can delete the readonly part and change the value. This can lead to undesirable results.

1. You can create a short-term Session[] for the value you want to send.
2. You can call it from where you want to post it. (So there will be no link between the input field and the value you call there. The input field will only be used for the view. You can also delete it or change readonly to disabled if you want.)

From my point of view, 2 > 1.

You need to check the value on the backend/server side too. You can't know whether the attacker is submitting the value via your form or via a specially crafted request.
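The two answers above amount to the same rule: the readonly attribute is only a hint to the browser, so the server must take the non-editable value from its own session or database record and must not trust what arrives in the form body. The following is an added example, not code from the question or from either answer, showing a Node.js form handler written that way. The in-memory store, the session shape (`session.userId`, as you would get from express-session), the field names and the result objects are assumptions for illustration; the handler returns a result instead of writing to `res` so it can be exercised without an HTTP server.

```javascript
// Added example (not from the original question or answers): a server-side
// profile-update handler that never trusts the readonly "name" field.

// Constructed in-memory stand-in for the database row the EJS template
// reads `name` from. Replace with your real session/DB access.
function createStore() {
  return new Map([
    ['u1', { name: 'Alice Example', email: 'alice@example.com' }],
  ]);
}

// Fields the form may change, and fields the form only displays.
const EDITABLE_FIELDS = ['email'];
const READONLY_FIELDS = ['name'];

// Handle a POST of the profile form.
//   store   - the user records (assumption: a Map keyed by user id)
//   session - the server-side session, e.g. req.session (assumed to hold userId)
//   body    - the parsed form body, e.g. req.body
function handleProfileUpdate(store, session, body) {
  if (!session || !session.userId) {
    return { status: 401, error: 'not authenticated' };
  }
  const record = store.get(session.userId);
  if (!record) {
    return { status: 404, error: 'unknown user' };
  }

  // A browser still submits readonly inputs (disabled ones it does not), so
  // the field may legitimately be present. If it is present it must equal
  // what the server rendered; anything else means the client edited the DOM
  // or crafted the request by hand, so the whole request is refused.
  for (const field of READONLY_FIELDS) {
    if (field in body && String(body[field]) !== record[field]) {
      return { status: 400, error: `field "${field}" is not editable` };
    }
  }

  // Copy only allow-listed fields; any other key in the body is ignored,
  // so a smuggled "role=admin" cannot reach the record either.
  const updated = { ...record };
  for (const field of EDITABLE_FIELDS) {
    if (field in body) {
      updated[field] = String(body[field]).trim();
    }
  }
  store.set(session.userId, updated);
  return { status: 200, user: updated };
}

// Demo on its own store: one legitimate submission, then one where the
// client removed `readonly` (or replayed the POST with curl) and changed name.
const demoStore = createStore();
console.log(handleProfileUpdate(demoStore, { userId: 'u1' },
  { name: 'Alice Example', email: 'alice@new.example' }));
console.log(handleProfileUpdate(demoStore, { userId: 'u1' },
  { name: 'Mallory', email: 'alice@new.example' }));
```

If you follow the first answer and switch the input to `disabled`, nothing changes on the server side: the field simply never arrives, and `name` is still taken from the stored record rather than from the body. Rejecting a mismatched readonly value (rather than silently ignoring it) is a deliberate choice here, since a mismatch can only come from a tampered request and is worth logging.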
