For example I have a Javascript-powered form creation tool. You use links to add

Question

0

Asked: June 2, 20262026-06-02T23:21:14+00:00 2026-06-02T23:21:14+00:00

For example I have a Javascript-powered form creation tool. You use links to add

0

For example I have a Javascript-powered form creation tool. You use links to add html blocks of elements (like input fields) and TinyMCE to edit the text. These are saved via an autosave function that does an AJAX call in the background on specific events.

The save function being called does the database protection, but I’m wondering if a user can manipulate the DOM to add anything he wants(like custom HTML, or an unwanted script).

How safe is this, if at all?

First thing that comes to mind is that I should probably search for, and remove any inline javascript from the received html code.

Using PHP, JQuery, Ajax.

Report

Leave an answer
Cancel reply

You must login to add an answer.

Need An Account,

1 Answer

Editorial Team · Answer 1 · 2026-06-02T23:21:17+00:00

Editorial Team

2026-06-02T23:21:17+00:00Added an answer on June 2, 2026 at 11:21 pm

Not safe at all. You can never trust the client. It’s easy even for a novice to modify DOM on the client side (just install Firebug for Firefox, for example).

While it’s fine to accept HTML from the client, make sure you validate and sanitize it properly with PHP on the server side.

0

Reply
Share
Share

- Report

Sign Up

Sign In

Forgot Password

The Archive Base Latest Questions

For example I have a Javascript-powered form creation tool. You use links to add

Leave an answerCancel reply

1 Answer

Leave an answer
Cancel reply