Consider the following Blazor markup:
This will be rendered as a disabled HTML button with the class k-disabled. If a malicious user edits the DOM to remove the disabled attribute and said class, the button will become enabled. If the user then clicks the button, the registered OnClick EventCallback gets executed, even though Enabled is set to false.
Telerik-REPL link https://blazorrepl.telerik.com/QcumwJPA47xzAake54
Here is a JavaScript function that can be used to enable the disabled button (please make sure to use the correct JavaScript context when using it inside the Browsers DevTools):
}
We are not sure if this can be considered a bug or if the registered OnClick EventCallback is supposed to make sure the button is enabled. It would, however, make sense for a Blazor Server environment if the TelerikButton component would check its Enabled state before triggering the EventCallback.