Re: Securing client-side javascript



Any client-side code (HTML/JavaScript) can be viewed, changed and saved
locally on the client. So yes, someone could bypass client-side validation
of data and attempt to submit incorrect data, for example. This is why (in
the case of validation), you should always do a second, server-side,
validation of the data before processing it.


<davidr@xxxxxxxxxxxxxx> wrote in message
news:1154532555.565812.257170@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I have a question. Is javascript that is run 100% on the client-side
and never does any postback/callback to the server hack proof? A user
can open the source code and look at it, but is there a way for him to
change it so it does what it isn't supposed to do? For example,
you use the javascript to disable/enable buttons on an .aspx page.
Would it be easy for someone to change the javascript to decide which
buttons get enabled/disabled? I know you can use validation on
textboxes to prevent <script></script> from being run on the client side,
is there any other way though? This is new to me so I look forward to
people's opinions on security for javascript. Thanks,

David
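
The server-side second check described in the reply above, as an added example that is not part of the original thread. It is written in JavaScript (Node) rather than ASP.NET code-behind, and the rule names, roles and fields are hypothetical: the server decides which button action is allowed from its own state and re-validates every field, ignoring anything the page claims.

```javascript
// Added example (constructed): the server, not the page, decides what is allowed.

// Which "button" (action) is permitted, derived only from server-held state.
const ACTION_RULES = {
  save:    (user, record) => record.status === 'draft' && record.ownerId === user.id,
  approve: (user, record) => record.status === 'submitted' && user.role === 'manager',
  delete:  (user, record) => user.role === 'admin',
};

// Field validators repeat the client-side checks on the server.
const FIELD_RULES = {
  quantity: v => Number.isInteger(v) && v >= 1 && v <= 100,
  comment:  v => typeof v === 'string' && v.length <= 200,
};

function handleSubmit(user, record, body) {
  const errors = [];
  // Own-property lookup so names like "constructor" never resolve to a rule.
  const known = Object.prototype.hasOwnProperty.call(ACTION_RULES, body.action);
  if (!known) {
    errors.push('unknown action');
  } else if (!ACTION_RULES[body.action](user, record)) {
    // The button was disabled for this user; enabling it in the browser
    // changes nothing here because the rule is evaluated again.
    errors.push('action not permitted');
  }
  for (const [field, isValid] of Object.entries(FIELD_RULES)) {
    if (!isValid(body[field])) errors.push(`invalid ${field}`);
  }
  return { ok: errors.length === 0, errors };
}

// Constructed sample: the page was edited locally so that Approve is enabled
// and the quantity check is gone; approveEnabled is a client-sent flag that
// the server never reads.
const clerk = { id: 7, role: 'clerk' };
const record = { ownerId: 7, status: 'submitted' };
const tampered = { action: 'approve', approveEnabled: true, quantity: 5000, comment: 'ok' };

console.log(handleSubmit(clerk, record, tampered));
```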


