Ajax Driven Dropdown Lists for ProcessWire made easy


Dynamic Selects fetch (using ajax) and display data in the dropdowns based on the ID of the item selected in the trigger dropdown. For frontend use, this is a potential security issue. However, the visibility of the ID itself does not present any security issue. ProcessWire itself references page IDs when returning assets such as files and images. In addition, the IDs of various core ProcessWire pages (admin, setup, trash pages, etc) are public knowledge. Of concern to us is the potential manipulation of markup (e.g. using a browser's dev tools) generated by Dynamic Selects by a malicious user in an attempt to trick the module to fetch and return data (pages, users, fields or templates) that that user is not authorised to view. To guard against such manipulation, Dynamic Selects ships with a number of security features. These are noted below as well as best-practices which you need to follow when setting up the module for frontend use.

In-built Security Features

Best-practices: Using Dynamic Selects in the Frontend

Please note that the above (security features and best-practices) apply to the columns/selects in a Dynamic Selects whether it is a trigger or dependent select or both. This means that the module cannot be tricked into accepting an invalid trigger in order to return its data (so-called trigger select manipulation). It also means that for valid triggers, it will also only return data that the user is allowed to view (so-called dependent select fidelity).

In summary, given the above in-built security features, when it comes to pages and templates, frontend users (including guests) will only ever see pages that they are authorised to view. Since unpublished, hidden and template-access-controlled pages are never returned, any other pages you may not want them to see will be because of convenience and not security. Beyond these though, you have the powerful include/exclude settings at your disposal. For selects that return fields, it is imperative that you limit the fields to be displayed (if necessary) by using include/exclude fields settings.