function call

singam
Forum Newbie
Posts: 2
Joined: Sun Jul 15, 2007 11:32 pm

function call

Post by singam »

Hi,
A JavaScript function can be called from the address bar.
Is there any option or way to stop it?
What I need is, the user must not be able to call a JavaScript function
from the address bar.
Is there any option to do it?
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Re: function call

Post by Chris Corbyn »

singam wrote:Hi,
A JavaScript function can be called from the address bar.
Is there any option or way to stop it?
What I need is, the user must not be able to call a JavaScript function
from the address bar.
Is there any option to do it?
You can't call JavaScript from the address bar unless you've written an insecure application. Calling JavaScript from the address bar would require you to directly echo/print variables provided through the URL. You should use htmlentities() to prevent it, because you're wide open to XSS attacks otherwise.

http://www.php.net/htmlentities
http://shiflett.org/blog/2005/jan/xss-cheatsheet
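As an added example (this is not code from the thread or from any poster), here is the reflected-output case the post above describes, with the raw echo next to the htmlentities() version. The parameter name `name` and the injected payload are constructed for illustration:

```php
<?php
// Added example, not from the thread. Echoing a URL parameter unescaped lets
// whatever is in the address bar become markup; escaping it with
// htmlentities() turns the same payload into inert text.

// Constructed sample input: what an attacker might put in ?name=
$tainted = '<script>alert(document.cookie)</script>';

// VULNERABLE: the raw parameter is reflected into the page as HTML.
function render_unsafe($name)
{
    return "<p>Hello, $name</p>";
}

// HARDENED: escape for the HTML context. ENT_QUOTES also covers single
// quotes, so the same helper is safe inside quoted attribute values;
// naming the charset keeps the escaper from being confused by multibyte input.
function html_escape($value)
{
    return htmlentities((string) $value, ENT_QUOTES, 'UTF-8');
}

function render_safe($name)
{
    return '<p>Hello, ' . html_escape($name) . '</p>';
}

// Simulate a request: $_GET is exactly what the address bar feeds the script.
$_GET['name'] = $tainted;
$name = isset($_GET['name']) ? $_GET['name'] : 'guest';

echo render_unsafe($name), "\n";  // the <script> tag survives and would run in a browser
echo render_safe($name), "\n";    // the tag is printed as literal text
```

The escaping is context-specific: htmlentities() (or htmlspecialchars(), which is enough for this purpose) is correct for HTML text and quoted attributes, but a value placed inside a `<script>` block, an event handler attribute or a URL needs the escaping rules of that context instead.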
miro_igov
Forum Contributor
Posts: 485
Joined: Fri Mar 31, 2006 5:06 am
Location: Bulgaria

Post by miro_igov »

d11wtq: 100% sure?

just type javascript:document.jumpbox.submit() in the address bar on this page and see how the Jump to: form submits :)
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

miro_igov wrote:d11wtq: 100% sure?

just type javascript:document.jumpbox.submit() in the address bar on this page and see how the Jump to: form submits :)
Doh! You're right, I totally forgot about that. In that case, no, there's no way to stop that; you just have to account for it. Anything that can be fiddled with client-side should be sanitized.

:oops:
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

d11wtq wrote:Anything that can be fiddled with client side should be sanitized.
Correction: Anything that is handled client-side CAN be fiddled with and should be sanitized.

I don't believe there is anything controlled client-side that cannot be altered by the user.
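An added example (not from any poster in the thread) of what "sanitize server-side" means for the Jump to: form mentioned above. Whether the form was submitted by a click, by `javascript:document.jumpbox.submit()` in the address bar, or by a hand-crafted request that never saw the `<select>`, the server treats the field as untrusted and checks it against its own allowlist. The forum ids, the field name and the submitted values are constructed for illustration:

```php
<?php
// Added example, not from the thread. The client-side <select> only
// suggests valid choices; the server decides what it accepts.

// Constructed allowlist of forum ids the user may jump to (hypothetical data).
$allowed_forums = array(3 => 'PHP', 7 => 'Other Languages', 12 => 'Off-topic');

/**
 * Return the validated forum id, or null if the submitted value is not acceptable.
 * The submitted string is used only as a lookup key, never passed through as-is.
 */
function validate_forum_choice($submitted, array $allowed)
{
    // Only a plain positive decimal integer is acceptable:
    // "7" passes, "7abc", "0x7", " 7" and "" do not.
    if (!is_string($submitted) || !preg_match('/\A[1-9][0-9]*\z/', $submitted)) {
        return null;
    }
    $id = (int) $submitted;
    return array_key_exists($id, $allowed) ? $id : null;
}

// Constructed submissions: one a browser would send, three a tampered request might.
$submissions = array(
    '7',                          // a real menu choice
    '99',                         // an id that was never in the menu
    '7 OR 1=1',                   // an injection attempt aimed at a later query
    '<script>alert(1)</script>',  // script in a field the menu never let you type in
);

foreach ($submissions as $value) {
    $id = validate_forum_choice($value, $allowed_forums);
    if ($id === null) {
        // Escape before echoing: the rejected value is still attacker-controlled.
        echo 'rejected: ', htmlentities($value, ENT_QUOTES, 'UTF-8'), "\n";
    } else {
        echo 'redirect to forum ', $id, ' (', $allowed_forums[$id], ")\n";
    }
}
```

In a real handler the loop is replaced by `validate_forum_choice($_POST['f'], $allowed_forums)` (field name hypothetical); the important part is that the same check runs for every request, because nothing the JavaScript did on the client is evidence of anything once the request arrives.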
Chris Corbyn
Breakbeat Nuttzer
Posts: 13098
Joined: Wed Mar 24, 2004 7:57 am
Location: Melbourne, Australia

Post by Chris Corbyn »

Ok smart alec ;)
superdezign
DevNet Master
Posts: 4135
Joined: Sat Jan 20, 2007 11:06 pm

Post by superdezign »

d11wtq wrote:Ok smart alec ;)
Hehe. Now if only feyd would slip up, then I could add him to my "people I've been able to correct" list. I'm also waiting on volka, stereofrog, Mordred, and Everah. Your day will come... :twisted:
volka
DevNet Evangelist
Posts: 8391
Joined: Tue May 07, 2002 9:48 am
Location: Berlin, ger

Post by volka »

superdezign wrote:I'm also waiting on volka
That shouldn't be a problem ;)