How to prevent running javascript code from address bar

    Ahmad Safwat

    Hi guys, I need help, please. In my ASP.NET 2 pages, when I disable some controls on a page, the user can run some JavaScript code in the address bar that enables my disabled controls, which will cause unneeded results. For example: a GridView that lists exams with a checkbox for each exam. When at least one student has launched an exam, I disable its checkbox so that the instructor cannot delete it. Now, how can I prevent the user from running JavaScript code from the address bar to enable that checkbox and then delete the exam?

    Christian Graus (#2)

    You should NEVER rely on javascript for anything. You CANNOT disable it. Anything that is selected via javascript, MUST be validated on the server side before performing any actions.

    Christian Graus - Microsoft MVP - C++ Metal Musings - Rex and my new metal blog "I am working on a project that will convert a FORTRAN code to corresponding C++ code.I am not aware of FORTRAN syntax" ( spotted in the C++/CLI forum )

      N a v a n e e t h (#3)

      Christian Graus wrote:

      You CANNOT disable it. Anything that is selected via javascript, MUST be validated on the server side before performing any actions.

      Then what will be the use of javascript if we are rechecking everything in server before processing? Or is it possible to identify javascript is supported by the browser or not? If not supported then validate it on server. What do you say? Please make me clear.


      Sincerely, Navaneeth

        badgrs (#4)

        Navaneeth. wrote:

        Or is it possible to identify javascript is supported by the browser or not? If not supported then validate it on server

        That's not the point that was made. The point is that the client (and any javascript methods) cannot be trusted. As was the original question, a user with some javascript know-how can manipulate the form. The point of javascript is to make things easier for the user, like disabling the check boxes so it's obvious they can't use them, rather than waiting for a postback only to be told they did something wrong. Javascript should be used to enhance the user's experience of a site/application, but should never be relied upon for security.

          Russell Jones (#5)

          I tend to check data at every boundary of the application. I check that what the user put into my page is good. I then check that what the page submitted to ASP.Net is good. My ASP code then uses my Business Logic Layer, which checks that the data it receives is good. I don't specifically check that the data entering the database is good, but I do have rigorous constraints set up on all databases and I make sure that only objects written by my team have direct writeable access to the DB. I also know that those objects have been repeatedly unit tested before they are released. You can never check data enough, in my opinion, especially if those data may have been submitted by an external actor beyond your control, e.g. web user, public webservice, contract developer. This approach may be bordering on the paranoid, but it makes applications far more stable, especially as the type of checking that occurs at each level is likely to be different and therefore catches a different set of errors that may occur. Russ

            Ahmad Safwat (#6)

            Hey people, I think you didn't understand me. I have a button, for example, on my web form. In some cases I disable this button by server-side code, no problem. Now my question is: can any user opening this page execute javascript code from the browser's address bar to enable that button?? And if yes, how can I prevent the user from doing that??

              badgrs (#7)

              We understood you perfectly.

              Ahmad Safwat wrote:

              Can any user opening this page execute javascript code from browser's address bar to enable that button??

              Yes.

              Ahmad Safwat wrote:

              And if yes, how can I prevent user from doing that??

              You can't, which is the point we were trying to make. Go ahead and disable the button, but don't make that the only means to stop users doing whatever function is attached to it in the code-behind. You could always set its Visible property instead so it won't even be rendered to the client.

                Ahmad Safwat (#8)

                Hi badgrs, thanx my dear. I already hide controls instead of disabling them, but I thought there may be a better solution that I don't know. I don't want to check user's javascript code, I need to block scripting. I need to prevent users from running any javascript code on my page. Is this possible? Because hiding controls sometimes makes the page look bad :( Thanx again.

                  badgrs (#9)

                  Ahmad Safwat wrote:

                  I need to prevent users from running any javascript code on my page. Is this possible?

                  No.

                    Ahmad Safwat (#10)

                    :((:((:((:(( thanx my dear :)

                      badgrs (#11)

                      Ahmad Safwat wrote:

                      thanx my dear

                      Hmm, that's usually a phrase my granny says to me... Let me elaborate a bit, "no" isn't a very explanatory answer: Ultimately you have no control whatsoever over the browser. You can (and should) do everything possible to make things easier for the user, but you should never try to stop them doing anything. If they want to screw things up that's their problem, let them do it, just make sure you have sufficient validation in place server-side.

                        Ahmad Safwat (#12)

                        Hmmmm, thanx my dear ;P This is really good advice, thank you.
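
The server-side check the replies call for, as an added example that is not code from the thread: the delete routine re-evaluates the "already launched" rule from server state and never consults whether the checkbox was enabled in the browser. The `Exam` and `ExamService` types, their fields and the sample data are assumptions made for illustration.

```csharp
using System;
using System.Collections.Generic;

// Hypothetical model; names are assumptions, not taken from the thread.
public class Exam
{
    public int Id;
    public int OwnerId;      // instructor who created the exam
    public int LaunchCount;  // number of students who have started it
}

public static class ExamService
{
    // Constructed sample data standing in for the database.
    static readonly Dictionary<int, Exam> Exams = new Dictionary<int, Exam>
    {
        { 1, new Exam { Id = 1, OwnerId = 7, LaunchCount = 0 } },
        { 2, new Exam { Id = 2, OwnerId = 7, LaunchCount = 3 } }, // checkbox rendered disabled
    };

    // Intended to be called from the delete button's click handler with the
    // exam ids read from the postback. Every id is treated as untrusted input.
    public static List<int> DeleteExams(int instructorId, IEnumerable<int> postedIds)
    {
        var deleted = new List<int>();
        foreach (int id in postedIds)
        {
            Exam exam;
            bool allowed = Exams.TryGetValue(id, out exam)   // id must exist
                && exam.OwnerId == instructorId              // and belong to this instructor
                && exam.LaunchCount == 0;                    // and never have been launched
            if (!allowed)
            {
                // Record the refusal so tampered postbacks are visible in the logs.
                Console.Error.WriteLine("Refused delete of exam {0} by user {1}", id, instructorId);
                continue;
            }
            Exams.Remove(id);
            deleted.Add(id);
        }
        return deleted;
    }
}

public static class Program
{
    public static void Main()
    {
        // Constructed tampered postback: exam 2's checkbox was re-enabled client-side and ticked.
        List<int> deleted = ExamService.DeleteExams(7, new[] { 1, 2 });
        Console.WriteLine("Deleted: " + string.Join(",", deleted));
    }
}
```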
