Alert events

When developing content, you may also need to use alerts that are sent back and forth between the client and the server. Alerts that originate on the client cannot be trusted, because the alert and the data in the alert could have been manually generated on the client. By default, any alert created on the client is not trusted, so alert handlers registered in the server-side scripting are not automatically run when the alert is sent from the client.

When an application needs to accept a client-generated alert, you can add a call to context.RegisterClientAlertsFor() in the server-side script in OnScriptInitializing(). This allows the client-generated alert to flow to the server for processing in the server-side alert handler.

context.RegisterClientAlertsFor(list of alert names): This call is made in the OnScriptinInitializing() method in the server-side handler.

Note: Care must be taken in the server side to appropriately process this data. For example, if the server has a change to the user’s name, it is probably okay to get this in a client alert. The logged in user is allowed to change their name, so the server side can accept this data. However a potential bad design would be to put the price of an item in the client alert and use that price when adding to the cart. The client could manually generate this event and add an item to the cart with a low price. Similarly, sensitive data that the user must not see should never be put into an alert, even if it is sent from the server, because all alerts pass through the client so that the data can be viewed. Portal alerts are used as a notification system, not a secure data channel.
When an alert is sent from the client that matches a name in the registered list, the registered server side OnAlert() handler is called. If the name does not match, the serve- side handler is not run. If the alert was sent from the server, the OnAlert() handler is run regardless of whether or not it is in the list of client alert names.
Note: The server-side alert handler will still honor the parms.StopServerSideHandler() API call from the client. However regardless of this StopServerSideHandler setting, if the alert did not come from the server and it is not in the list of accepted client alerts, the alert will not be processed by the server.

OnAlert() handlers in the server-side scripting also will not fire for a specific alert if the alert was altered by a client script. Alerts are considered altered by client script that passes along an alert in one of these methods:

context.Alert...(context.GetEvent().GetName());
context.Alert...("eventname"); 

Alerts should instead be passed along in this fashion to not be considered altered:

context.Alert....(context.GetEvent())