Re: Javascript redundant code...

by "Srinivasan Ramakrishnan" <srinivar(at)md3.vsnl.net.in>

 Date:  Wed, 23 May 2001 20:24:42 +0530
 To:  "JOSE ADRIANO BALTIERI" <JABALTIE(at)iep-cen.unimep.br>, <hwg-languages(at)hwg.org>
 References:  cen
Hi Jose,

Signing scripts won't be of any use here. They are usually used when the
script needs to do something outside of its security profile.

Apart from disabling JS, the user may not have a JS capable browser in the
first place. However, if you are sure that your audience does have a JS
capable browser, do this.

a) Include a <noscript> tag to inform older browsers that the form won't
work on their systems
b) Using JS, trap the form submit by adding an onSubmit() event, though this
can be tricky on a few browsers that handle it improperly. Or don't have a
submit button; instead use a JS button that submits the form onClick.

Before submitting the form, add a value that says that the parsing has been
verified using JS.
ex: http://somedomain.com/form?val=1&otherval=2&JS=true

The JS = true will tell you that JS has been used.

However, a determined person can always spoof this, so always double check
with CGI validation to be sure. Understand that JS is not meant to move some
of the computing burden to the client, as is popularly perceived, but to
enhance the user experience. If JS had not been used, the user would have to
do multiple form submits until she got it right.

HTH,

-Srini
--
http://www.sriniram.com
http://symonds.net/~sriniram

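An added example illustrating the reply above (not code from either poster): one set of field rules is run by the client-side submit handler, which appends the JS=true marker, and run again unconditionally by the server-side handler, which records the marker for statistics only. The field names, rules and request strings are constructed for this example.

```javascript
// Added example, not from the thread. Field names and rules are invented;
// the query string shape (form?val=1&otherval=2&JS=true) follows the reply.

const RULES = {
  val:      (v) => /^\d+$/.test(v) ? null : "val must be a positive integer",
  otherval: (v) => /^\d+$/.test(v) ? null : "otherval must be a positive integer",
  email:    (v) => /^[^@\s]+@[^@\s]+\.[^@\s]+$/.test(v) ? null : "email looks wrong",
};

// Runs every rule over a plain {name: value} object; returns a list of messages.
function validateFields(fields) {
  const errors = [];
  for (const [name, rule] of Object.entries(RULES)) {
    const msg = rule(fields[name] || "");
    if (msg) errors.push(msg);
  }
  return errors;
}

// Client side: what an onSubmit handler does. Blocks the submit on errors,
// otherwise adds the JS=true marker the reply suggests.
function onSubmitHandler(fields) {
  const errors = validateFields(fields);
  if (errors.length) return { submit: false, errors };
  return { submit: true, fields: { ...fields, JS: "true" } };
}

// Parses the query string of a GET into {name: value}.
function parseQuery(query) {
  return Object.fromEntries(new URLSearchParams(query));
}

// Server side (the CGI program): the JS flag is only recorded, never trusted.
// Validation runs again for every request, so a submit that skipped the
// script is rejected exactly like one that ran it and still sent bad data.
function handleCgiRequest(query) {
  const fields = parseQuery(query);
  const cameThroughJs = fields.JS === "true";
  const errors = validateFields(fields);
  return { accepted: errors.length === 0, cameThroughJs, errors };
}
```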

----- Original Message -----
From: "JOSE ADRIANO BALTIERI" <JABALTIE(at)iep-cen.unimep.br>
To: <hwg-languages(at)hwg.org>
Sent: Wednesday, May 23, 2001 6:26 PM
Subject: Javascript redundant code...


> Hello List !
>
> We have a lot of Javascripts, mostly to validate forms. These forms are
> submitted to our CGI programs. These CGI programs have to validate again
> everything that had just been validated by Javascript. That's because one
> can edit the page and remove the scripts from it, submitting an incorrect
> form. Or more simply, just disable Javascript and submit the form (Netscape
> allows that).
>
> Then, if we were able to prevent or detect this situation, that is, be
> sure that the form has been passed through our Javascript code, we would
> save time (programming and machine) by avoiding redundant checks. Smaller
> CGIs also would be a benefit. They would have to do only the other checks
> that Javascript couldn't do, probably those against databases.
>
> Have heard about signed scripts but don't know either what they mean or
> whether they would solve this problem.
>
> Have thought also about delivering/receiving tokens but they're not secure
> at all...
>
> Thanks for any kind of help !
>
>
>                                 Obrigado/Thanks a lot,
>
>                                 Jose Adriano Baltieri
>                                 Systems Analyst
>                                 CPD - CENTRO
>                                 UNIMEP - Universidade Metodista de Piracicaba
>                                 PIRACICABA - SP - BRAZIL
>                                 Phone : 055 0 XX 19 430-1858 (English spoken)
>                                 Fax   : 055 0 XX 19 430-1898 (PO box 42778)
>

HWG: hwg-languages mailing list archives, maintained by Webmasters @ IWA