Intent-Code Divergence
Medium
- Confidence: 96%
- Finding: The documentation states that hidden fields "cannot be seen or modified by users," which is incorrect and unsafe guidance. An `<input type="hidden">` is part of the page source and is sent back in the request body like any other field, so it can be altered trivially with browser developer tools, an intercepting proxy, or a hand-crafted request. Readers following the documentation may wrongly trust client-supplied values such as prices, roles, or account identifiers instead of looking them up or recomputing them on the server.
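To make the finding concrete, the following is an added example (not code from the documentation under review or its project) showing a form handler that trusts a hidden `price` field beside one that ignores it and uses a server-side catalog, plus the pattern to use when a value genuinely must round-trip through the client: sign it and verify the signature on return. The catalog, the secret key, the form bodies and the field names `sku`, `qty` and `price` are all constructed for the example.

```python
import base64
import hashlib
import hmac
from typing import Optional
from urllib.parse import parse_qs

# Constructed stand-in for the server-side source of truth (prices in cents).
CATALOG = {"sku-1001": 4999, "sku-1002": 1250}

# Constructed key for the signed-field pattern; in practice load it from a
# secret store and rotate it.
SERVER_KEY = b"example-signing-key-rotate-me"


def parse_form(body: str) -> dict:
    """Parse an application/x-www-form-urlencoded body into single values."""
    return {k: v[0] for k, v in parse_qs(body, keep_blank_values=True).items()}


def checkout_vulnerable(body: str) -> dict:
    """Trusts the hidden price field exactly as the documentation suggests.

    Anyone who edits the hidden input (devtools, proxy, curl) sets the price.
    """
    form = parse_form(body)
    qty = int(form["qty"])
    price = int(form["price"])  # attacker-controlled: came from the client
    return {"sku": form["sku"], "total": price * qty}


def checkout_hardened(body: str) -> dict:
    """Ignores any client-supplied price and recomputes from the catalog.

    Only the choice (sku) and a range-checked quantity are accepted from the
    client; the price is never read from the request at all.
    """
    form = parse_form(body)
    sku = form["sku"]
    if sku not in CATALOG:
        raise ValueError("unknown sku")
    qty = int(form["qty"])
    if not 1 <= qty <= 100:
        raise ValueError("quantity out of range")
    return {"sku": sku, "total": CATALOG[sku] * qty}


def sign_hidden(value: str) -> str:
    """Return value + "." + HMAC-SHA256 tag, for a hidden field that must
    round-trip through the client without being changed."""
    tag = hmac.new(SERVER_KEY, value.encode(), hashlib.sha256).digest()
    return value + "." + base64.urlsafe_b64encode(tag).decode().rstrip("=")


def verify_hidden(field: str) -> Optional[str]:
    """Return the embedded value if the tag verifies, else None.

    The tag is urlsafe base64 without padding, so it never contains '.',
    which makes rpartition on the last '.' unambiguous.
    """
    value, sep, _tag = field.rpartition(".")
    if not sep or not value:
        return None
    if not hmac.compare_digest(sign_hidden(value), field):
        return None
    return value


# Constructed request bodies. LEGIT is what the browser submits from the form
# as rendered; TAMPERED is the same form after the hidden price was edited.
LEGIT = "sku=sku-1001&qty=2&price=4999"
TAMPERED = "sku=sku-1001&qty=2&price=1"

if __name__ == "__main__":
    print("vulnerable, tampered:", checkout_vulnerable(TAMPERED))
    print("hardened, tampered:  ", checkout_hardened(TAMPERED))
    signed = sign_hidden("sku-1001")
    print("signed field:", signed, "->", verify_hidden(signed))
    forged = signed.replace("sku-1001", "sku-1002")
    print("forged field:", forged, "->", verify_hidden(forged))
```

The hardened handler is the right default: the server already knows the price, so nothing the client sends about it should be read. The signed-field variant is for cases such as multi-step wizards where state has to live in the page; it prevents modification but not replay, so anything sensitive still belongs in server-side session state.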
