Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Questions asking for code must demonstrate a minimal understanding of the problem being solved. Include attempted solutions, why they didn't work, and the expected results. See also: Stack Overflow question checklist
Closed 9 years ago.
Like everyone else who develops forms, I worry about validation and preventing users from entering malicious data. Javascript validation is so much more immediate and neat, but of course there is the issue that someone can just turn off Javascript.
What I've been wondering is, is it a legitimate option to disable forms for users who have Javascript disabled? Does it work, or can malicious visitors get around it anyway? Is it a bad idea for other reasons?
I've seen older discussions on this general topic:
How to detect if JavaScript is disabled?
How do I know if Javascript has been turned off inside browser?
What are the current methods and thinking on this?
What I've been wondering is, is it a legitimate option to disable forms for users who have Javascript disabled?
It's anti-social at best. Be progressive.
Does it work, or can malicious visitors get around it anyway? Is it a bad idea for other reasons?
Attackers can get around any defences implemented on the client. Your public interface is HTTP. You need to implement any security checks behind it (i.e. server side).
You can verify the information that visitors enter on your form in PHP. It's safer.
The best way I have found to detect Javascript is to add a class of 'no-js' to the <html> element.
Then if you use Modernizr it will replace the 'no-js' class with 'js'.
Or if you don't want to use Modernizr you can remove the code yourself through Javascript very easily.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
We don’t allow questions seeking recommendations for books, tools, software libraries, and more. You can edit the question so it can be answered with facts and citations.
Closed 6 years ago.
In our application end users are provided with a textbox where they can paste their HTML or JavaScript code to create advertisements, much like Google advertisements, so I need to validate this HTML and JS source code against malicious code and also for proper syntax.
So are there any APIs available in Java to do the same?
Thanks in advance
Ali.
Validating JS client-side is only useful to your nice users - since malicious users can bypass any client-side validation code anyway (by messing with the JS that is supposed to do the validation).
Validating JS server-side to look for "maliciousness" is, in the general sense, impossible unless you have a very restrictive white-list to check against. It is better to execute things in a sandbox that protects against bad things, and avoid validation (= checking for validity in advance of execution) altogether.
So, JavaScript Sandboxes. The most used is probably Google Caja - also protects against bad html/css. Sandboxing is not easy - in particular, Caja needs a server-side part to "cajole" the files and protect the host page; and any parts of the host-page outside the cajoled div need to be identified up-front.
See also some alternatives from another SO question. Note that many of them do not allow DOM access from protected code, and therefore are not useful for JS that actually has to show things on screen.
You can find a lot of sources on the Internet if you search it. Here are a few: Java Encoder Project and Java HTML Sanitizer. I've never used them, but it's a starting point. You can learn a lot if you do the research yourself.
Edit: It's unclear if you're looking for a Java API or a JavaScript API. They're quite different.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Is it possible to recover if someone is visiting my website using a fake user agent? If yes, can someone please tell me how I can find out this information?
Thank you very much!
You can check the user agent from PHP via the global variable $_SERVER['HTTP_USER_AGENT']. But if someone is using a fake user agent which claims to be something else, it's going to be difficult to spot.
This shouldn't really matter unless they are a hacker who is able to find some security weaknesses in your site and use those to do something nasty like access your database, delete all your data or download your users' credit card numbers.
The solution to the hacker problem is make sure your website is secure.
This is called 'spoofing' as #JAL mentions in his comment above.
Closed. This question is off-topic. It is not currently accepting answers.
Closed 9 years ago.
I want to insert a piece of JavaScript in clients' websites to track various statistics (like crazyegg, intercom.io), but traffic related.
I was thinking of using IronMQ, but I don't know how to call it from JavaScript directly, and I am afraid that making a request to my server (3 GB RAM) from sites that have tens of thousands of visitors per day can cripple the server when too many JavaScript requests are made at the same time.
You can call IronMQ through the HTTPS API.
See IronMQ REST/HTTPS API for more information.
Of course, you will need to provide the Project ID and Token to the JavaScript code. I suggest encrypting the Token before you place it into JS/HTML and decrypting it on page load or before using the API.
You're welcome to use the Iron.io Live Chat if you need more information.
Upd: For now it seems it does not work, because of Cross-Origin restrictions. But we're working on it, so stay in touch.
You'll need to optimise as you go. If you find CPU is a problem, optimise for that. If you find memory is a problem, optimise for that; if bandwidth, etc. It all depends on your requirements and your resources.
Optimisation is almost always the last step in the development process.
You might just have people include a 1x1 pixel image, you might have them include an iframe, or you might have them include a javascript file running off your server. Or you might have them include a javascript file on their server. More questions you need to ask yourself might be what information you want, what security issues are there, etc. If it's information for their purposes, then you don't need to worry about them forging it. Otherwise, you do.
Closed. This question does not meet Stack Overflow guidelines. It is not currently accepting answers.
Closed 9 years ago.
Is it possible to append text to an existing text file using only JavaScript?
No. Browser JavaScript does not have access to the local file system for security reasons.
It does not have "arbitrary" access to the file system but it can in fact read/write local files from, eg, the browser cache directory. If you have full access to the client machine you could take advantage of this via a background script to synchronise temporary files to specific locations on the client. There are also techniques using local HTTP server daemons or modified browsers.
Of course if you wanted a "pure" JS solution the obvious question is how such a thing could be done without turning the browser into a premier malware installation system (well, assuming the browser isn't like IE that performs this task already).
As stated, not possible with pure JS. But it is possible if you use XMLHttpRequest.
http://www.javascripter.net/faq/reading2.htm
Closed. This question is opinion-based. It is not currently accepting answers.
Closed 8 years ago.
I am curious as to what, if any, security concerns other developers have in regards to the use of jQuery plugins. I have seen very little talk about security where jQuery is concerned. Is it really a non-issue?
Appreciate your thoughts!
Personally I am comfortable enough with Javascript to be able to sift through the plugin code and understand possible misbehavior.
What I look for is the most relevant security issue with javascript, cross-domain communication, which is usually done with the creation of iframes, script/img tags, etc.
Most of the times though, I trust the community, for example if it's up on http://plugins.jquery.com/ it is usually a trusted source.
jQuery can't do anything that javascript itself can't do, so all the same security standards apply. Basically - never rely on it for security. Always validate all inputs on the server side.
The best way to think of it is that from a security perspective, the client-side javascript is not actually a part of your application. Your application consists of all the possible http calls to your server. For good security, assume that hackers won't even be using a browser - they'll be making http requests directly to your server. Make sure that you aren't exposing any vulnerabilities in your http endpoints, and you should be ok.
note: I made the assumption in this reply that you're talking about data and system security. User security (preventing your users from being phished, etc) is another kettle of fish, but I'm not sure it has to do with jQuery any more than javascript in general.
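As an added illustration of the point made in this answer and in the "implement any security checks server side" answer to the first question (example code, not from any poster on this page): one rule set written once, usable in the browser for immediate feedback, and re-applied on the server where it is the only check that counts. Field names, limits and request bodies are constructed for the example.

```javascript
// Added example: shared validation rules, enforced server-side.
// Field names and patterns are constructed for illustration.
const RULES = {
  username: { required: true, pattern: /^[A-Za-z0-9_]{3,20}$/, message: "3-20 letters, digits or underscores" },
  email:    { required: true, pattern: /^[^\s@]+@[^\s@]+\.[^\s@]+$/, message: "must look like an e-mail address" },
  age:      { required: false, pattern: /^\d{1,3}$/, message: "must be a whole number" },
};

// Returns a map of field name -> error message; an empty object means valid.
// The same function can run in the browser (convenience) and on the server (security).
function validate(fields) {
  const errors = {};
  for (const [name, rule] of Object.entries(RULES)) {
    const value = typeof fields[name] === "string" ? fields[name].trim() : "";
    if (value === "") {
      if (rule.required) errors[name] = "required";
      continue;
    }
    if (!rule.pattern.test(value)) errors[name] = rule.message;
  }
  // Reject fields the form never defined: a request built without the
  // browser can carry anything, so the server must not trust the field list either.
  for (const name of Object.keys(fields)) {
    if (!(name in RULES)) errors[name] = "unexpected field";
  }
  return errors;
}

// Server side: the raw POST body is all the server ever sees. No browser and
// no client-side JavaScript is involved in producing it, so parse and validate here.
function handlePost(rawBody) {
  const fields = Object.fromEntries(new URLSearchParams(rawBody));
  const errors = validate(fields);
  if (Object.keys(errors).length > 0) return { status: 400, errors };
  return { status: 200, errors: {} };
}

// Constructed request bodies: one as a well-behaved form would submit it,
// one hand-made with a plain HTTP client, skipping every client-side check.
const fromForm = "username=alice_01&email=alice%40example.com&age=30";
const handMade = "username=%3Cscript%3E&email=not-an-address&isAdmin=1";
console.log(handlePost(fromForm)); // { status: 200, errors: {} }
console.log(handlePost(handMade)); // { status: 400, errors: { username, email, isAdmin } }
```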
The most popular ones are used all over the web on major web sites. If there is a security concern, someone else has probably already noted it. Also, a lot of the most-used jQuery plug-ins come from the same developers who are very active in the community, so it's fairly safe to trust them. (Jörn Zaefferer, the guy who did the validation plug-in, comes to mind)
Granted, it's a good idea to always test and always be skeptical, but at some point it becomes cost inefficient to worry too much.