function call

Posted: Wed Jul 25, 2007 2:20 am
by singam
Hi,
A javascript function can be called from the address bar.
Is there any option or way to stop it?
What I need is, the user must not be able to call a javascript function
from the address bar.
Is there any option to do it?

Re: function call

Posted: Wed Jul 25, 2007 9:13 am
by Chris Corbyn
singam wrote: Hi,
A javascript function can be called from the address bar.
Is there any option or way to stop it?
What I need is, the user must not be able to call a javascript function
from the address bar.
Is there any option to do it?
You can't call javascript from the address bar unless you've written an insecure application. Calling JavaScript from the address bar would require you to directly echo/print variables provided through the URL. You should use htmlentities() to prevent it because you're wide open to XSS attacks otherwise.

http://www.php.net/htmlentities
http://shiflett.org/blog/2005/jan/xss-cheatsheet

Posted: Wed Jul 25, 2007 10:43 am
by miro_igov
d11wtq: 100% sure?

just type javascript:document.jumpbox.submit() in the address bar on this page and see how the Jump to: form submits :)

Posted: Thu Jul 26, 2007 8:38 am
by Chris Corbyn
miro_igov wrote: d11wtq: 100% sure?

just type javascript:document.jumpbox.submit() in the address bar on this page and see how the Jump to: form submits :)
Doh! You're right, I totally forgot about that. In that case, no there's no way to stop that, you just have to account for it. Anything that can be fiddled with client side should be sanitized.

:oops:

Posted: Thu Jul 26, 2007 9:25 am
by superdezign
d11wtq wrote: Anything that can be fiddled with client side should be sanitized.
Correction: Anything that is handled client-side CAN be fiddled with and should be sanitized.

I don't believe there is anything controlled client-side that cannot be altered by the user.
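To make the point concrete, here is an added example (not code from the thread or from phpBB) of a "jump to forum" handler that repeats every check on the server, since the form's own JavaScript can be bypassed exactly as miro_igov describes; the form field name `f`, the forum list and the function names are assumptions for illustration.

```php
<?php
// Added example, not from the thread. The field name "f", the forum list and
// the function names are assumptions for illustration.
//
// The page's JavaScript may validate the <select> before submitting, but a
// user can skip that by typing javascript:document.jumpbox.submit() in the
// address bar, or by sending the POST by hand. So nothing decided in the
// browser is trusted here; validation and output encoding happen server-side.

$allowedForums = [1 => 'Announcements', 2 => 'PHP Help', 3 => 'Off Topic'];

function validateForumId(array $request, array $allowed): ?int
{
    // Accept only a plain positive integer. filter_var() returns false for a
    // missing field or for strings such as "abc" or "1;DROP", so those are
    // refused before the value is used anywhere.
    $id = filter_var(
        $request['f'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1]]
    );
    if ($id === false) {
        return null;
    }
    // Whitelist: the id must exist on the server, regardless of which options
    // the <select> happened to offer in the browser.
    return array_key_exists($id, $allowed) ? $id : null;
}

function renderResult(?int $forumId, array $allowed): string
{
    if ($forumId === null) {
        return '<p>Invalid forum selection.</p>';
    }
    // Output encoding, as recommended earlier in the thread: escape even
    // server-held data before it is placed into HTML.
    $name = htmlentities($allowed[$forumId], ENT_QUOTES, 'UTF-8');
    return "<p>Jumping to forum: {$name}</p>";
}

// Sample request (constructed): the browser-side check was bypassed and an
// id that the <select> never offered was submitted.
$forumId = validateForumId(['f' => '99'], $allowedForums);
echo renderResult($forumId, $allowedForums); // <p>Invalid forum selection.</p>

$forumId = validateForumId(['f' => '2'], $allowedForums);
echo renderResult($forumId, $allowedForums); // <p>Jumping to forum: PHP Help</p>
```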

Posted: Thu Jul 26, 2007 11:43 am
by Chris Corbyn
Ok smart alec ;)

Posted: Thu Jul 26, 2007 12:10 pm
by superdezign
d11wtq wrote: Ok smart alec ;)
Hehe. Now if only feyd would slip up, then I could add him to my "people I've been able to correct" list. I'm also waiting on volka, stereofrog, Mordred, and Everah. Your day will come... :twisted:

Posted: Fri Jul 27, 2007 6:28 am
by volka
superdezign wrote: I'm also waiting on volka
That shouldn't be a problem ;)