apache - How to prevent users from using javascript links
This question already has an answer here:
- security risk in using jquery ajax (5 answers)
I have a website that makes AJAX calls to a server-side script when a button is pressed. The problem is that a user can type the following into the address bar:

    javascript:callajaxroutine();

How can I prevent this from happening?
The people in the comments are right in saying you'll never be able to keep users out of the code 100%, but you can do a couple of things to ward off the less serious ones:
- encapsulate the function in an object, so it's not in the global namespace,
- obfuscate the code

No. 1

Here is a case of doing this (I'm going to use jQuery here; it's not essential, but it shortens the code). Instead of:
    <script>
        var callajaxroutine = function () {
            // do the ajax call
            ajax();
        };
        $('#button').on('click', callajaxroutine);
    </script>
you take the function out of the global namespace and put it inside an object:
    <script>
        // sets up an object containing a self-executing function
        (function () {
            var callajaxroutine = function () {
                // do the ajax call
                ajax();
            };
            $('#button').on('click', function () {
                callajaxroutine.apply(this);
            });
        }());
    </script>
The second lot of code does the same as the first, and the code is still called when the event is fired, but typing callajaxroutine in the console will show undefined, because of the closure: the function only exists where you declare and assign callajaxroutine to the event handler for #button.click(). So

    javascript:callajaxroutine();

does nothing, as there is no accessible callajaxroutine defined anymore.
No. 2

Put the code through a minifier/obfuscator such as http://jscompress.com -- the second lot of code above becomes:
    (function(){var e=function(){ajax()};$("#button").on("click",function(){e.apply(this)})})();
The bigger the function, the more difficult it is to read and understand. If you have a tool like Firebug you can pull it apart, but it's a real pain to do, and you'll dissuade most.
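As an added example (not code from the question or the answer above), the following checks the answer's claim: after the self-executing function, `callajaxroutine` is not a global name, yet the click handler still reaches it, while the "instead of" pattern leaves a global in place. `makeButton`, `ajax`, `installGlobalHandler`, `installScopedHandler` and `reachableFromAddressBar` are assumed helper names, and the button is a constructed stand-in so the file runs in Node without jQuery or a DOM.

```javascript
// Constructed record of "server" calls; each handler pushes its source here.
const requests = [];

function ajax(source) {
  requests.push(source);
}

// Minimal stand-in for a jQuery-wrapped button: .on('click', fn) / .click()
function makeButton() {
  const handlers = [];
  const button = {
    on(event, fn) { if (event === 'click') handlers.push(fn); return button; },
    click() { handlers.forEach((fn) => fn.call(button)); return button; },
  };
  return button;
}

// Pattern 1 (the "instead of" snippet): the handler is a global, so
// `javascript:callajaxroutineGlobal()` in the address bar would find it.
function installGlobalHandler(button) {
  globalThis.callajaxroutineGlobal = function () { ajax('global'); };
  button.on('click', globalThis.callajaxroutineGlobal);
}

// Pattern 2 (the answer's fix): the handler exists only inside the closure.
function installScopedHandler(button) {
  (function () {
    const callajaxroutine = function () { ajax('closure'); };
    button.on('click', function () { callajaxroutine.apply(this); });
  }());
}

// What `javascript:NAME()` typed into the address bar would resolve to.
function reachableFromAddressBar(name) {
  return typeof globalThis[name] === 'function';
}

// Wire both patterns to their own buttons and fire the scoped one.
const scopedButton = makeButton();
installScopedHandler(scopedButton);
scopedButton.click(); // event path still works: requests -> ['closure']

const globalButton = makeButton();
installGlobalHandler(globalButton);

// Caveat: the closure hides the name, not the request. The button can still
// be clicked and the HTTP call replayed, so authorization belongs on the server.
```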