I have designed a website which has many JavaScript blocks:
<script type='text/javascript'></script>
Users can post to my page and a malicious user could post a script block as a post. What I want is for the script block in users’ posts to be treated as text rather than as code.
I know I can validate the input and filter out the <script> blocks, but for the satiation of my curiosity, is there a way to block specific <script> tags from running after the page is loaded?
There’s no surefire way to control JS on the client. Even if your logic prevents certain blocks of code from executing, there’s nothing stopping a user from modifying the code and running it in the JavaScript console.
As a general rule, everything happening on the browser end is in control of the user and shouldn’t be trusted; you should probably rethink your validation.
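The fix the answer points at is to treat posted content as data at output time rather than to police script tags in the browser. The following is an added example, not code from the question or the answer: it HTML-escapes user-controlled text before it is placed into markup, so a posted `<script type='text/javascript'></script>` is displayed literally instead of being parsed as a tag. The function names (`escapeHtml`, `renderPost`, `renderPostIntoDom`) and the sample post are constructed for this illustration.

```javascript
// Added example (not from the question or answer): render user-posted content
// as text so that a posted <script> block is displayed, not executed.

// The five characters HTML treats specially. Escaping them at output time
// turns "<script>" into "&lt;script&gt;", which the browser renders literally.
const HTML_ESCAPES = {
  '&': '&amp;',
  '<': '&lt;',
  '>': '&gt;',
  '"': '&quot;',
  "'": '&#39;',
};

// Escape untrusted text for insertion into an HTML text node or a
// double-quoted attribute. Always called on the way OUT, never on the way in,
// so the stored post stays intact and is safe in every rendering context.
function escapeHtml(untrusted) {
  return String(untrusted).replace(/[&<>"']/g, (ch) => HTML_ESCAPES[ch]);
}

// Server-side (or template) rendering of one post. The wrapping <div> is
// trusted template markup; only the user-controlled fields are escaped.
function renderPost(author, body) {
  return `<div class="post"><b>${escapeHtml(author)}</b>: ${escapeHtml(body)}</div>`;
}

// Browser-side equivalent: assigning to textContent (not innerHTML) never
// parses the string as markup, so no escaping step is needed at all.
// Only usable where a DOM exists; returns the created element.
function renderPostIntoDom(container, author, body) {
  const post = document.createElement('div');
  post.className = 'post';
  const name = document.createElement('b');
  name.textContent = author;      // inert: rendered as text
  post.appendChild(name);
  post.appendChild(document.createTextNode(': ' + body)); // inert as well
  container.appendChild(post);
  return post;
}

// Constructed sample input: a post containing the script block from the
// question. After escaping, no "<script" tag survives in the output.
const SAMPLE_POST = "hello <script type='text/javascript'></script>";

function sampleIsNeutralised() {
  return !renderPost('someone', SAMPLE_POST).includes('<script');
}

if (typeof document === 'undefined') {
  // Running under Node: show the server-side rendering only.
  console.log(renderPost('someone', SAMPLE_POST));
}
```

The check the answer implies is on the server: whatever a user submits is stored as-is and escaped every time it is written into a page, so nothing depends on client-side logic that a user can simply bypass from the console.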