
ZK 3.6 CSRF Protection

Unfortunately, ZK 3.6 lacks any CSRF protection: a malicious user may easily send events of disabled or invisible components from the browser to the server, and the ZK engine processes them normally. ZK 5 offers a way to block such malicious events, see Security Tip. For ZK 3.6, I have implemented a very basic event filter. You have to switch it on in zk.xml:
<listener>
    <description>CSRF protection</description>
    <listener-class>cz.prins.tiger.web.sys.CSRFEventInterceptor</listener-class>
</listener>
It is not possible to block an update of a disabled or invisible InputElement this way. I will try to find a solution for this issue later.
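To show what such a filter looks like, here is an added illustration of the approach (my own example, not the attached CSRFEventInterceptor.java): an org.zkoss.zk.ui.util.EventInterceptor, registered through the <listener> element above, that returns null from beforeProcessEvent so the ZK engine discards interaction events whose target is disabled or sits under an invisible ancestor, and logs the drop. The class and package names are assumed; as the text notes, this catches events only, so a value pushed into a disabled InputElement is applied before any event is fired and is not blocked here.

```java
package example.zk; // hypothetical package, not the cz.prins.tiger class from this page

import java.lang.reflect.Method;
import java.util.Arrays;
import java.util.HashSet;
import java.util.Set;
import java.util.logging.Logger;

import org.zkoss.zk.ui.Component;
import org.zkoss.zk.ui.Execution;
import org.zkoss.zk.ui.Executions;
import org.zkoss.zk.ui.event.Event;
import org.zkoss.zk.ui.event.Events;
import org.zkoss.zk.ui.util.EventInterceptor;

/** Drops user-interaction events aimed at components the user should not be able to operate. */
public class DisabledTargetEventInterceptor implements EventInterceptor {
    private static final Logger LOG = Logger.getLogger(DisabledTargetEventInterceptor.class.getName());
    // Only interaction events are filtered: server-posted lifecycle events (onCreate and the like)
    // also pass through beforeProcessEvent and must still reach hidden components.
    private static final Set<String> GUARDED = new HashSet<String>(Arrays.asList(
        Events.ON_CLICK, Events.ON_DOUBLE_CLICK, Events.ON_RIGHT_CLICK, Events.ON_OK,
        Events.ON_CANCEL, Events.ON_CHANGE, Events.ON_CHANGING, Events.ON_SELECT, Events.ON_CHECK));

    public Event beforeProcessEvent(Event event) {
        Component target = event.getTarget();
        if (target == null || !GUARDED.contains(event.getName())) return event;
        String reason = isDisabled(target) ? "disabled" : !isEffectivelyVisible(target) ? "invisible" : null;
        if (reason == null) return event;
        Execution exec = Executions.getCurrent();
        LOG.warning("Dropped " + event.getName() + " for " + reason + " component " + target
            + (exec != null ? " from " + exec.getRemoteAddr() : ""));
        return null; // null tells the ZK engine to discard the event
    }

    // isVisible() reports only the component's own flag, so walk up to the root.
    private static boolean isEffectivelyVisible(Component c) {
        for (; c != null; c = c.getParent()) if (!c.isVisible()) return false;
        return true;
    }

    // Button, Checkbox, InputElement and others expose isDisabled(); look it up reflectively
    // so the filter does not depend on one component hierarchy.
    private static boolean isDisabled(Component c) {
        try {
            Method m = c.getClass().getMethod("isDisabled");
            return Boolean.TRUE.equals(m.invoke(c));
        } catch (Exception e) { return false; } // component type that cannot be disabled
    }

    public Event beforeSendEvent(Event event) { return event; }
    public Event beforePostEvent(Event event) { return event; }
    public void afterProcessEvent(Event event) { }
}
```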

Update 15th Sep 2010: Improved protection and logging.

Released under the Poetic License. Post a comment here or under my blog post if you have any suggestions. Thanks.
Attachment: CSRFEventInterceptor.java (5k), Ondřej Medek, Sep 15, 2010 5:54 AM