  1. #1: SitePoint Evangelist (Bellingham, WA, joined Mar 2011)

    Turning off JavaScript and security

    Hello!

    I'm using a WYSIWYG HTML editor where users can enter HTML/text that will then be visible to others on my website. The editor itself converts "dangerous" HTML to HTML entities. The problem is that a user could turn off JavaScript and enter whatever they'd like. I've added the code:

    Code:
    <noscript>
        <style type="text/css">
            #javascript_detection {display:none;}
        </style>
        <div class="noscriptmsg">
            My site relies on JavaScript for part of its functionality, so be sure that it's enabled in your browser.<br />If you're not sure how to do this, go to Help under your browser's menu.
        </div>
    </noscript>
    and wrapped each page in a javascript_detection element. This way, if someone does disable JavaScript, they won't be able to actually get to the page (I think!).

    Is this method a sound way to secure this aspect of my site? (And, as a PS, I protect against SQL injection on the server side of things.)

    Thanks so much,

    Eric

  2. #2: chris.upjohn (SitePoint Wizard, Melbourne, AU, joined Apr 2010)
    What you have is perfectly fine, but if you are using PHP as a back-end processor, what you can do is escape and convert the inputted code using the $_POST values and some PHP code to emulate what the JavaScript does.
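
An added example, not from the thread and not TinyMCE's own code, illustrating the difference between the two approaches above (hiding the page behind a noscript block versus repeating the escaping in PHP). The noscript block and the editor's JavaScript only exist inside a browser that has rendered the page; a request built with curl or an intercepting proxy never loads the page at all, so the server receives exactly what the user typed, with or without JavaScript enabled. The block below, written in JavaScript so it runs stand-alone under Node, constructs such a request, parses the form body the way PHP fills $_POST, and renders it first trusting the client and then escaping on the server. It also implements a strip_tags-style tag allowlist to show a common pitfall of "just allow a few tags": allowed tags keep their attributes, including event handlers. The field name body, the example URL and the comment wrapper markup are assumptions.

```javascript
// Added example (not from the thread or from TinyMCE): what the server
// receives when the user never loads the editor page at all.

// A constructed request, as it would arrive from
//   curl -d 'body=<img src=x onerror=alert(1)>Hello' https://example.test/post
// or from a browser with JavaScript disabled. The field name "body" and the
// URL are assumptions. The <noscript> gate is nowhere in it, because that
// gate only exists inside a browser that rendered the page.
const rawRequest = {
  method: 'POST',
  headers: { 'content-type': 'application/x-www-form-urlencoded' },
  body: 'body=' + encodeURIComponent('<img src=x onerror=alert(1)>Hello'),
};

// Parse a urlencoded form body into an object, the way PHP fills $_POST.
function parseForm(body) {
  return Object.fromEntries(new URLSearchParams(body));
}

// Server-side equivalent of the entity conversion the editor does in the
// browser. PHP: htmlspecialchars($s, ENT_QUOTES, 'UTF-8').
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#039;' };
  return String(s).replace(/[&<>"']/g, (c) => map[c]);
}

// Vulnerable path: assumes the client already converted dangerous markup.
// Whatever was in the request is stored and later served to other users.
function renderTrustingClient(req) {
  const fields = parseForm(req.body);
  return `<div class="comment">${fields.body}</div>`;
}

// Hardened path: escape on the server, regardless of what the client did.
function renderEscaped(req) {
  const fields = parseForm(req.body);
  return `<div class="comment">${escapeHtml(fields.body)}</div>`;
}

// A strip_tags($html, '<b><i>')-style filter: drop tags not on the allowlist,
// keep allowed tags verbatim. Allowed tags keep ALL their attributes, so an
// event handler on <b> survives. This is why "allow a few tags" needs a real
// HTML sanitizer that parses the markup and filters attributes and URL
// schemes, not tag stripping.
function stripTagsLike(html, allowedTags) {
  const allowed = new Set(allowedTags.map((t) => t.toLowerCase()));
  return html.replace(/<\/?([a-zA-Z][a-zA-Z0-9]*)\b[^>]*>/g, (match, tag) =>
    allowed.has(tag.toLowerCase()) ? match : '');
}

// Stand-alone run: node thisfile.js
console.log('trusting client  :', renderTrustingClient(rawRequest));
console.log('escaped on server:', renderEscaped(rawRequest));
console.log('strip_tags-style :',
  stripTagsLike('<b onmouseover="alert(1)">hi</b><img src=x onerror=alert(1)>', ['b']));
```

If the stored post must keep some of the editor's formatting rather than being escaped wholesale, the server still has to do the filtering itself, with an allowlist sanitizer that understands attributes and URL schemes (HTML Purifier is the usual choice in PHP); the browser-side conversion is a convenience for the user, not a control.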

  3. #3: SitePoint Evangelist (Bellingham, WA, joined Mar 2011)
    I just figured that since TinyMCE is already doing it for me... why rock the boat?

    My main concern was that if someone disables JavaScript, I'd run into problems. But it sounds like you agree with me that if they were to do this, they'd be out of luck, since no page would show.

    Thanks for the feedback,

    Eric

  4. #4: chris.upjohn (SitePoint Wizard, Melbourne, AU, joined Apr 2010)
    I agree with your logic 100%, because by today's statistics only 5% of the world has JavaScript disabled, which, when you think about it, gives everyone a 99.95% chance of never having a user visit without JavaScript enabled.

  5. #5: paul_wilkins (Unobtrusively zen, Christchurch, New Zealand, joined Jan 2007)
    Quote, originally posted by SgtLegend:
    I agree with your logic 100%, because by today's statistics only 5% of the world has JavaScript disabled, which, when you think about it, gives everyone a 99.95% chance of never having a user visit without JavaScript enabled.
    Wouldn't that be 95%, since 100 minus 5 is 95?
    Programming Group Advisor
    Reference: JavaScript, Quirksmode Validate: HTML Validation, JSLint
    Car is to Carpet as Java is to JavaScript

  6. #6: chris.upjohn (SitePoint Wizard, Melbourne, AU, joined Apr 2010)
    Off Topic:

    Well, now you know I suck at math.

