Thanks for the feedback @Paul and @Tim!
Paul Clapham wrote:
But I'm just making assumptions here. Perhaps you could clarify your question? What would be helpful would be an actual example of the generated form and a description of how and where it might be harmfully changed during the process.
An example could be: in my HTML I have a <form> element that contains my questions (totally random questions)
Question1: How likely are you to recommend us?
Answer: 1 (never) to 9 (extremely likely)
Question2: (select all that apply) How would you describe yourself?
<input type="checkbox" ...
The first question only has one answer, the second question can have many answers.
Let's for the sake of the argument say I hardcode all questions and answers by hand in my .jsp and send this page to the client.
There is nothing to stop the client from inspecting the <select> element and changing Q1 to Q8 and the values to something like "farting king".
Let's say I by chance have a Q8 question that also is a single answer question, so it would be possible to save the answer.
How would I, at the server, when I receive the response, be able to determine
"I sent this client a Q1 question (or a series of questions Q1, Q2, Q7, Q4 ...) but got back a Q8 question, this is wrong, don't save data"
or
"I sent this client Q1 that I know has answers ... but I received an answer that Q1 does not have, this is wrong, don't save data"
Thanks for all the feedback!
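
An added example, not part of the original post: one way to make the two checks asked about is to keep the ids of the questions that were sent on the server and validate every submitted parameter against that list and against the question's own allowed answers. The class, method and catalogue below are hypothetical and the data is constructed; Java 16+ is assumed.

```java
import java.util.*;

public class SurveyValidator {
    // Hypothetical server-side definition of a question: id, single or multi answer, allowed values.
    record Question(String id, boolean multi, Set<String> allowed) {}

    // Constructed catalogue; a real application would load this from its own storage.
    static final Map<String, Question> CATALOGUE = Map.of(
        "Q1", new Question("Q1", false, Set.of("1", "2", "3", "4", "5", "6", "7", "8", "9")),
        "Q2", new Question("Q2", true, Set.of("student", "employed", "retired")),
        "Q8", new Question("Q8", false, Set.of("yes", "no")));

    // sentIds: ids the server rendered for this client, stored server-side (e.g. in the HttpSession).
    // submitted: parameter name -> values, the shape returned by HttpServletRequest.getParameterMap().
    static List<String> validate(Set<String> sentIds, Map<String, String[]> submitted) {
        List<String> errors = new ArrayList<>();
        for (Map.Entry<String, String[]> e : submitted.entrySet()) {
            String id = e.getKey();
            // Only questions that were actually sent to this client are looked up.
            Question q = sentIds.contains(id) ? CATALOGUE.get(id) : null;
            if (q == null) {
                errors.add("question was not sent to this client");
                continue;
            }
            String[] values = e.getValue();
            if (!q.multi() && values.length != 1) {
                errors.add(id + ": expects exactly one answer");
            }
            for (String v : values) {
                // The submitted value is never echoed back, only the fact that it was rejected.
                if (!q.allowed().contains(v)) errors.add(id + ": answer was not offered");
            }
        }
        return errors; // empty list means the submission may be saved
    }

    public static void main(String[] args) {
        Set<String> sent = Set.of("Q1", "Q2"); // what the server put on the page
        Map<String, String[]> ok = Map.of("Q1", new String[]{"9"}, "Q2", new String[]{"student", "retired"});
        Map<String, String[]> swapped = Map.of("Q8", new String[]{"yes"}); // Q1 renamed to Q8 in the browser
        Map<String, String[]> badValue = Map.of("Q1", new String[]{"farting king"});
        System.out.println(validate(sent, ok));       // no errors
        System.out.println(validate(sent, swapped));  // rejected: Q8 was never sent
        System.out.println(validate(sent, badValue)); // rejected: value not among Q1's answers
    }
}
```

Because the list of sent ids never leaves the server, editing the form in the browser cannot change what the check compares against.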