Hi,
A JavaScript function can be called from the address bar.
Is there any option or way to stop it?
What I need is that the user must not be able to call a JavaScript function
from the address bar.
Is there any option to do it?
function call
- Chris Corbyn
- Breakbeat Nuttzer
- Posts: 13098
- Joined: Wed Mar 24, 2004 7:57 am
- Location: Melbourne, Australia
Re: function call
singam wrote:
Hi,
A JavaScript function can be called from the address bar.
Is there any option or way to stop it?
What I need is that the user must not be able to call a JavaScript function
from the address bar.
Is there any option to do it?

You can't call JavaScript from the address bar unless you've written an insecure application. Calling JavaScript from the address bar would require you to directly echo/print variables provided through the URL. You should use htmlentities() to prevent it because you're wide open to XSS attacks otherwise.

http://www.php.net/htmlentities
http://shiflett.org/blog/2005/jan/xss-cheatsheet
- Chris Corbyn
miro_igov wrote:
d11wtq: 100% sure?
just type javascript:document.jumpbox.submit() in the address bar on this page and see how the Jump to: form submits

Doh! You're right, I totally forgot about that. In that case, no there's no way to stop that, you just have to account for it. Anything that can be fiddled with client side should be sanitized.
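
An added example, not part of either post above and not code from this forum: the echo of a URL variable that the first reply warns about, beside its htmlentities() form, plus a server-side check of the kind the second reply calls for. The parameter names `name` and `f`, the function names and the forum id list are assumptions made up for illustration.

```php
<?php
// Added example. Query parameter names and values below are constructed.

// Vulnerable: a URL variable is echoed straight into the page, so any
// markup in ?name= is interpreted by the visitor's browser.
function greet_unsafe(array $query): string
{
    return '<p>Hello, ' . ($query['name'] ?? '') . '</p>';
}

// Hardened: encode at output time. ENT_QUOTES also encodes ' and ",
// which matters when the value ends up inside an HTML attribute.
function greet_safe(array $query): string
{
    $name = is_string($query['name'] ?? null) ? $query['name'] : '';
    return '<p>Hello, ' . htmlentities($name, ENT_QUOTES, 'UTF-8') . '</p>';
}

// A form can be submitted from the address bar with any value, so the
// server decides what is acceptable: an integer id from a known list.
function jump_target(array $query, array $allowedForumIds): ?int
{
    $id = filter_var($query['f'] ?? null, FILTER_VALIDATE_INT);
    if ($id === false || !in_array($id, $allowedForumIds, true)) {
        return null; // reject anything the page itself would never send
    }
    return $id;
}

// Constructed request data standing in for $_GET.
$constructedQuery = [
    'name' => '<script>alert(1)</script>',
    'f'    => '7 OR 1=1',
];

echo greet_unsafe($constructedQuery), PHP_EOL; // markup reaches the page intact
echo greet_safe($constructedQuery), PHP_EOL;   // markup arrives as inert text
var_dump(jump_target($constructedQuery, [1, 2, 3]));
var_dump(jump_target(['f' => '2'], [1, 2, 3]));
```

Encoding happens where the value is written into HTML, while the allow-list check happens where the value is used, so neither depends on what the browser was willing to send.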