Modified disabled button using firebug

4

Imagine that in an HTML I have a button disabled. I can very well use Firebug to enable this button and thus do the submission.

The question is: is there any way I can disable this button and not allow this submission even when I modify the disabled property of the button in Firebug?

I have to always do a server treatment, thinking that this possibility can happen?

asked by anonymous 13.02.2014 / 18:20

4 answers

3

The issue of security against actions and manipulation of malicious or accidental data in web applications goes far beyond simply inhibiting buttons or fields.

The first reference I read about security when I was learning to program was in the PHP Manual . It is a good reference even for those who develop in other languages. Consider the following excerpt from the manual:

You should always carefully examine your code to ensure that any variables being sent from the web browser are being checked correctly, and ask yourself the following questions:

  • Will your script only affect the files you want?
  • Can unusual or unwanted data be used?
  • Can this script be used in unintentional ways?
  • Can it be used in conjunction with other scripts in a negative way?
  • Will transactions be properly recorded?

In any case, all data received by your script from external sources should be considered potentially dangerous and properly validated.

This includes:

  • Headers
  • URL variables (GET parameters)
  • Form content (POST parameters)
  • Ajax content (Json, XML)
  • Cookies
  • Files ( uploads )
  • Images, HTML, and other resources consumed from external URLs.

In addition to validating values, something developers often forget is checking that the user is who they claim to be (authentication) and that they can perform a certain action (authorization).

As a result, in many systems it is possible to usurp administrator rights by enabling buttons via Firebug or a developer tool, or by knowing a "secret" URL!

13.02.2014 / 18:36
4

Answer:

You cannot do anything in the HTML against someone who opens Firebug and starts modifying things.

Explanation:

You can only have security if you validate on the server, since whatever method you use, the "guy with Firebug" can use the same method too. That is, there is no other way: you have to validate on the server, and then you will have security.

However, you should do the validation on the client (with JavaScript) and also on the server; it is always safer that way.

Tip: you can use "trickery" to make it difficult on the client side, for example:

Let's say that every field has a certain "attribute required for submission", which would be something invented by you. Here you would validate each field against its respective "required attribute for submission", for example:

<input type=text data-required="HFG2#4DF@">

This would be a valid field because it has that data-required; then we would have a disabled field:

<input type=text disabled>

Even if the Firebug user goes to it and removes the disabled attribute, it will not work, because you check whether all fields have this data-required using:

if ($(seuInput).attr('data-required') == "HFG2#4DF@") {
    // submit the form
} else {
    // do not submit the form
}

Then it would be impossible to send that field without adding the invented attribute.

Note: this HFG2#4DF@ is just an example of how you can make someone's life difficult by forcing them to browse and understand your JavaScript code in order to submit this field.

There are also several ways to do these things; for example, you can give each field a different ID and use a different data-required for each one, which could be the MD5 of each ID, or a Base64 encoding of each ID.

Of course, this will affect performance a little and is only used if you really want to make it difficult to submit the form at this point; it is not recommended to do this, it is only optional.

13.02.2014 / 18:25
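The first two answers above make the same point: the disabled attribute and any client-side "trick" can be removed in Firebug, so the server must decide on its own. The following is an added example, not code from the question or from any answer, of a server-side check that enforces per-field authorization and validation from session data alone; the session store, field rules and the function name checkSubmission are assumptions constructed for the example.

```javascript
// Added example: the server never looks at whether a button or field was
// "disabled" in the HTML. It decides from its own session data and rules.
// Names (checkSubmission, SESSIONS, FIELD_RULES) are assumptions for this example.

// Constructed session store: what the server knows about each logged-in user.
const SESSIONS = {
  "sess-user": { login: "alice", role: "user" },
  "sess-admin": { login: "bob", role: "admin" },
};

// Server-side rules for the form: who may submit each field and how its value
// is validated. This replaces any reliance on the disabled attribute.
const FIELD_RULES = {
  title: { roles: ["user", "admin"], valid: (v) => typeof v === "string" && v.length > 0 && v.length <= 100 },
  body: { roles: ["user", "admin"], valid: (v) => typeof v === "string" && v.length <= 5000 },
  // Only administrators may set this, even though ordinary users see it as a disabled field.
  publish: { roles: ["admin"], valid: (v) => v === "0" || v === "1" },
};

// Returns { ok: true, status: 200, data } with the accepted fields,
// or { ok: false, status, error } when the request must be refused.
function checkSubmission(cookieSessionId, postFields) {
  const session = SESSIONS[cookieSessionId];
  if (!session) return { ok: false, status: 401, error: "not authenticated" };

  const accepted = {};
  for (const [name, value] of Object.entries(postFields)) {
    const rule = FIELD_RULES[name];
    // Unknown fields (added in the developer tools or a hand-built request) are refused, not ignored.
    if (!rule) return { ok: false, status: 400, error: `unexpected field: ${name}` };
    // Authorization is checked per field from the session, never from the HTML.
    if (!rule.roles.includes(session.role)) return { ok: false, status: 403, error: `not allowed to set ${name}` };
    if (!rule.valid(value)) return { ok: false, status: 400, error: `invalid value for ${name}` };
    accepted[name] = value;
  }
  return { ok: true, status: 200, data: accepted };
}
```

A regular user re-enabling the publish field in Firebug still gets a 403 from this check, because the decision is made from the session, not from the form.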
3

Yes, ideally validation is done both client-side and server-side. You can try to block the button from being enabled by means of JavaScript code, but from Firebug itself it is possible to disable JavaScript execution.

In fact, ideally all validation should happen client-side and, especially, server-side.

13.02.2014 / 18:25
2

Yes, you always have to do the processing on the server.

In fact, you do not even need a browser to make potentially hostile HTTP requests to your server. A malicious programmer (hacker) can use programming tools to talk directly to your server using HTTP or other protocols.

No, there is no way to disable the button and prevent this submission when the disabled property of the button is modified in Firebug... the vulnerability would still exist. Do you understand?

13.02.2014 / 18:33