I've been examining the data sent back to the client from a Blazor server-side app. Something that I noticed in the messages is that the JS.RenderBatch call includes the names and values of Razor parameters. I wasn't expecting this as I'd assumed all of that logic would be handled on the server. For example, I have a component which takes a parameter in order to decide what content to display. The value of the parameter is a string and both the parameter name and the value are included in the JS.RenderBatch call. It only seems to apply to strings as far as I can tell.
For example, I have a component that has 2 parameters, Value1 and Value2. This is included in the JS.RenderBatch call:
Value1 layoutParameterValue1 Value2 layoutParameterValue2
I consider this to be a potential security issue because somebody may pass sensitive information to a Razor parameter and believe that it will only be processed on the server. Does anyone know why this happens?