Razor component parameter names and values sent to client in Blazor server-side

Gareth Wynn 21 Reputation points
2022-05-16T13:09:00.57+00:00

I've been examining the data sent back to the client from a Blazor server-side app. Something that I noticed in the messages is that the JS.RenderBatch call includes the names and values of Razor parameters. I wasn't expecting this as I'd assumed all of that logic would be handled on the server. For example, I have a component which takes a parameter in order to decide what content to display. The value of the parameter is a string and both the parameter name and the value are included in the JS.RenderBatch call. It only seems to apply to strings as far as I can tell.

For example, I have a component that has 2 parameters, Value1 and Value2. This is included in the JS.RenderBatch call:
Value1 layoutParameterValue1 Value2 layoutParameterValue2

I consider this to be a potential security issue because somebody may pass sensitive information to a Razor parameter and believe that it will only be processed on the server. Does anyone know why this happens?


Accepted answer
  1. Bruce (SqlWork.com) 53,426 Reputation points
    2022-05-18T20:49:28.44+00:00

    Razor components (and their attributes) are added to the Razor render tree. As a copy of the render tree is kept at the client, it also gets a copy. The client render tree is used to produce the actual HTML updates to the DOM.

    In your sample code, in MainLayout.razor, it renders the markup:

    <TestComponent TestParameter="this should not be sent to the client" />

    This markup will be added to the render tree as a component node. Any markup generated by this component will be added as children of this component.

    Note: the server version of Blazor builds the same render tree as the WASM version would build.
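    To make the accepted answer's point concrete, here is an added example that is not part of the original thread and not code from the question's sample project. It expresses the same markup through Blazor's RenderTreeBuilder API, which is what a .razor file compiles down to, so the parameter's place in the tree is visible: the string parameter becomes an attribute frame attached to the component frame, and that tree is what Blazor Server diffs and ships to the client. The second half shows one way to keep a sensitive value out of component parameters: pass only an opaque key and resolve it inside the component through an injected service that exists only on the server. `ISecretStore`, `ContentKey`, `SafeLayout` and `SafeComponent` are names assumed for illustration.

```csharp
using Microsoft.AspNetCore.Components;
using Microsoft.AspNetCore.Components.Rendering;

// The pattern from the question, without Razor syntax. OpenComponent adds a
// component frame; AddAttribute adds the parameter as an attribute frame of
// that component. Both are part of the render tree the client receives.
public class LeakyLayout : ComponentBase
{
    protected override void BuildRenderTree(RenderTreeBuilder builder)
    {
        builder.OpenComponent<TestComponent>(0);
        builder.AddAttribute(1, "TestParameter", "this should not be sent to the client");
        builder.CloseComponent();
    }
}

public class TestComponent : ComponentBase
{
    [Parameter] public string? TestParameter { get; set; }

    protected override void BuildRenderTree(RenderTreeBuilder builder)
    {
        // The parameter is only used to choose which text to render, but the
        // parameter value itself still travels with the tree as an attribute frame.
        builder.AddContent(0, TestParameter is null ? "no content" : "content selected");
    }
}

// Hardened variant (assumed design, not from the thread): the layout passes an
// opaque key, and the component resolves the sensitive value on the server
// through a DI service. Only the key and the rendered output reach the tree.
public interface ISecretStore            // hypothetical server-only service
{
    string? Resolve(string key);
}

public class SafeLayout : ComponentBase
{
    protected override void BuildRenderTree(RenderTreeBuilder builder)
    {
        builder.OpenComponent<SafeComponent>(0);
        builder.AddAttribute(1, nameof(SafeComponent.ContentKey), "layout-default");
        builder.CloseComponent();
    }
}

public class SafeComponent : ComponentBase
{
    [Inject] public ISecretStore Store { get; set; } = default!;
    [Parameter] public string? ContentKey { get; set; }

    protected override void BuildRenderTree(RenderTreeBuilder builder)
    {
        // The resolved value lives in a server-side local and is never added to
        // the tree; only the markup it selects is written out.
        var sensitive = ContentKey is null ? null : Store.Resolve(ContentKey);
        builder.AddContent(0, sensitive is null ? "no content" : "content selected");
    }
}
```

    The practical check is the one the question already describes: watch the render batch traffic on the circuit and confirm that only the opaque key, not the resolved value, appears alongside the component. The same rule applies to anything a component writes into the tree through AddContent or AddAttribute, whether or not it ends up visible in the DOM.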


1 additional answer

  1. AgaveJoe 25,866 Reputation points
    2022-05-16T16:46:24.703+00:00

    Just to be clear, what I'm saying is that elements of Razor markup from the server are being sent to the client.

    If you are looking for a dynamic response based on the user's role, then you can take advantage of role-based and policy-based authorization. Otherwise, share the entire AuthorizedUserOnly component so we can see what you're doing. Also, explain how your security works.

    Otherwise, if your code is returning <AuthorizedUserOnly Roles="PowerUser"> then that's how your code works.