Last Updated: 09 Mar 2022 17:05 by ADMIN

Consider the following Blazor markup:

<TelerikButton OnClick="@MyClickHandler" Enabled="false">Click me!</TelerikButton>


This will be rendered as a disabled HTML button with the class k-disabled. If a malicious user edits the DOM to remove the disabled attribute and said class, the button will become enabled. If the user then clicks the button, the registered OnClick EventCallback gets executed, even though Enabled is set to false.

Telerik-REPL link

Here is a JavaScript function that can be used to enable the disabled button (please make sure to use the correct JavaScript context when using it inside the browser's DevTools):

function enableButton() {
    const element = document.getElementById("button_2");
    element.disabled = false;
}

We are not sure if this can be considered a bug or if the registered OnClick EventCallback is supposed to make sure the button is enabled. It would, however, make sense for a Blazor Server environment if the TelerikButton component would check its Enabled state before triggering the EventCallback.
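
One way to apply the handler-side check suggested above, as an added example that is not code from the original report or from Telerik: the same server-side value drives both the `Enabled` parameter and a guard at the top of the handler, so a click that arrives for a button rendered as disabled is ignored and logged. The component name `GuardedButton`, the `CanRun` property and the `runCount` field are assumptions, and the Telerik namespaces are assumed to be imported in `_Imports.razor`.

```razor
@* GuardedButton.razor (hypothetical component name, added example) *@
@using Microsoft.Extensions.Logging
@inject ILogger<GuardedButton> Logger

<TelerikButton OnClick="@MyClickHandler" Enabled="@CanRun">Click me!</TelerikButton>
<p>Handler executed @runCount time(s).</p>

@code {
    // Single source of truth kept on the server: this value is bound to
    // Enabled and is checked again inside the handler.
    private bool CanRun { get; set; } = false;

    private int runCount;

    private Task MyClickHandler()
    {
        // Enabled only controls the rendered markup. As the report describes,
        // the callback can still be invoked after the DOM has been edited,
        // so the state is re-checked here before any work is done.
        if (!CanRun)
        {
            // A click on a button that was rendered as disabled is not
            // reachable through the normal UI, so it is worth recording.
            Logger.LogWarning(
                "Click received for a button rendered as disabled; ignoring.");
            return Task.CompletedTask;
        }

        runCount++;
        return Task.CompletedTask;
    }
}
```

The guard belongs in every handler whose button can be disabled, because the check runs in the circuit on the server and does not depend on what the browser currently shows.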